RESURGE Malware Targeting Ivanti Connect Secure

The Cybersecurity and Infrastructure Security Agency (CISA) has released a Malware Analysis Report (MAR) detailing a newly discovered malware variant, RESURGE, linked to CVE-2025-0282, a critical vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways.

Key Findings on RESURGE Malware

RESURGE contains the capabilities of the SPAWNCHIMERA malware variant, including surviving reboots, but adds distinctive commands that alter its behavior. These commands:

  • Create a web shell, manipulate integrity checks, and modify files.
  • Enable the use of web shells for credential harvesting, account creation, password resets, and privilege escalation.
  • Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image, so the implant persists across reboots.

CVE-2025-0282, a stack-based buffer overflow, was added to CISA's Known Exploited Vulnerabilities Catalog in January 2025, confirming active exploitation in the wild. Because the MAR ties RESURGE to this CVE, appliances that were exposed before patching should be treated as potentially compromised even if they are now up to date.

Mitigation Recommendations

CISA urges organizations to take immediate action, including:

  1. Perform a factory reset; for cloud and virtual systems, reset using an external, known-clean image of the device.
  2. Reset credentials for all privileged and non-privileged accounts, including passwords for all domain users and local accounts.
  3. Review access policies and temporarily revoke privileges where exposure cannot be ruled out.
  4. Monitor administrative accounts for unauthorized activity.
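The fourth step is the one that keeps paying off after the reset: once credentials have been rotated, any administrative login from outside the management network, any newly created admin-role account, or any password reset issued from an untrusted session is worth an immediate look. The script below is an added example written for this page, not code from CISA or Ivanti. The log format, the trusted management addresses and the set of known administrator accounts are all assumptions, and the sample lines are constructed for illustration.

```python
import re

# Constructed sample log lines (not from the CISA report). A generic
# syslog-style format with key=value fields is assumed, since the page
# does not describe the appliance's actual log layout.
SAMPLE_LOGS = """\
2025-03-29T01:12:04Z auth: admin login user=admin src=10.0.5.20 result=success
2025-03-29T02:48:51Z auth: admin login user=admin src=198.51.100.77 result=success
2025-03-29T02:49:10Z admin: user created user=svc_backup role=admin by=admin
2025-03-29T02:50:02Z admin: password reset user=jdoe by=admin
2025-03-29T03:15:33Z auth: admin login user=svc_backup src=198.51.100.77 result=success
2025-03-29T09:02:11Z auth: admin login user=admin src=10.0.5.20 result=failure
"""

# Assumed known-good management network addresses and known admin accounts.
TRUSTED_ADMIN_SOURCES = {"10.0.5.20", "10.0.5.21"}
KNOWN_ADMINS = {"admin"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<facility>\w+): "
    r"(?P<event>admin login|user created|password reset)"
    r"(?P<kv>(?: \w+=\S+)*)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {"ts": m.group("ts"), "event": m.group("event"), **fields}


def find_suspicious(log_text, trusted_sources=TRUSTED_ADMIN_SOURCES,
                    known_admins=KNOWN_ADMINS):
    """Return a list of (timestamp, reason) findings from admin activity logs.

    Flags three things: successful admin logins from outside the trusted
    management network, admin-role accounts that are not in the known set
    (on creation and on login), and password resets performed by an account
    whose current session came from an untrusted source.
    """
    findings = []
    untrusted_session_users = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ev = rec["event"]
        if ev == "admin login" and rec.get("result") == "success":
            if rec["src"] not in trusted_sources:
                findings.append((rec["ts"],
                    f"admin login for {rec['user']} from untrusted source {rec['src']}"))
                untrusted_session_users.add(rec["user"])
            if rec["user"] not in known_admins:
                findings.append((rec["ts"],
                    f"login by unknown admin account {rec['user']}"))
        elif ev == "user created" and rec.get("role") == "admin":
            if rec["user"] not in known_admins:
                findings.append((rec["ts"],
                    f"new admin account {rec['user']} created by {rec['by']}"))
        elif ev == "password reset":
            if rec["by"] in untrusted_session_users:
                findings.append((rec["ts"],
                    f"password reset of {rec['user']} by {rec['by']} during untrusted session"))
    return findings


if __name__ == "__main__":
    for ts, reason in find_suspicious(SAMPLE_LOGS):
        print(ts, reason)
```

On the constructed sample this yields five findings: the admin login from 198.51.100.77, the creation of the unknown admin account svc_backup, the password reset issued during that untrusted session, and two findings for the subsequent svc_backup login (untrusted source and unknown account). The untrusted-session tracking is deliberately simple; in practice you would scope it by session identifier and expire it on logout.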

References

https://www.cisa.gov/news-events/alerts/2025/03/28/cisa-releases-malware-analysis-report-resurge-malware-associated-ivanti-connect-secure
