Owners of Ivanti’s Connect Secure, Policy Secure, and ZTA Gateway products have a new strain of malware to fend off, according to the US Cybersecurity and Infrastructure Security Agency, aka CISA.
If you haven’t yet patched your vulnerable Ivanti kit, you now have one more reason to wipe and update it.
Uncle Sam dubbed the latest software nasty Resurge, and warned it infects devices by exploiting CVE-2025-0282 – a critical stack-overflow bug that was used by the Spawn family of malware, among others, in zero-day attacks to infect organizations.
The flaw allows unauthenticated remote code execution. Nominet, the .uk domain registry, was among those hit before the bug was fixed at the start of the year.
The following software is vulnerable if unpatched:
- Ivanti Connect Secure before version 22.7R2.5
- Ivanti Policy Secure before version 22.7R1.2, and
- Ivanti Neurons for ZTA gateways before version 22.7R2.3
Resurge uses elements of Spawn, specifically the Spawn Chimera strain, and creates web shells on infected equipment allowing them to be remotely controlled. The software nasty, once on a device, can also bypass system integrity checks, modify files, harvest credentials, create accounts, reset passwords, and grant intruders elevated permissions.
Ensuring your network is completely free of Resurge is going to take a reset, plus installation of a clean, fixed firmware version before the device is reconnected to the internet, we’re told. You’re advised to take a backup of the device configuration before wiping and upgrading the gear.
“For the highest level of confidence, conduct a factory reset,” CISA advised in a March 28 update. “For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device.”
CISA advised the next step is resetting passwords for all privileged and non-privileged accounts, then doing likewise for “all domain users and all local accounts, such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt.”
That last account is present by default in all Microsoft Active Directory domains and is needed for the software giant’s implementation of the Kerberos authentication protocol. It has a two-password history, so users should reset the password for krbtgt twice, to make sure older creds are replaced.
“We are proponents of responsible information sharing with defenders, as it is vital to build a healthier, more resilient security ecosystem,” an Ivanti spokesperson told The Register.
“The patching instructions that Ivanti released on January 8, which include performing a factory reset, effectively remediate the vulnerability. We encourage all customers to follow these instructions immediately if they have not done so already, and to remain on the latest version (currently 22.7R2.6), which includes significant security enhancements.”
This is the second year in succession that Ivanti has dealt with zero-day attacks. In January 2024 it issued mitigation advice after miscreants found flaws in Connect Secure and Policy Secure. ®