(TLP:CLEAR) CISA Releases Update to its Malware Analysis Report on RESURGE Malware Associated with Ivanti Connect Secure
Created: Thursday, March 5, 2026 - 13:29
Categories: Cybersecurity, Federal & State Resources, Security Preparedness
Summary: CISA recently released an update to its Malware Analysis Report (MAR) involving RESURGE malware, providing network defenders with deeper technical insights and enhanced tools to identify, mitigate, and respond to this threat. CISA’s updated analysis reveals that RESURGE can remain latent on systems until a remote actor attempts to connect to the compromised device. As such, CISA assesses that RESURGE may be dormant and undetected on Ivanti Connect Secure devices, continuing to pose an active threat.
The original MAR highlighted RESURGE’s capabilities to modify files, manipulate integrity checks, and deploy a web shell to the Ivanti boot disk. CISA’s updated analysis expands on RESURGE’s sophisticated network-level evasion and authentication techniques, including the use of advanced cryptographic methods and forged Transport Layer Security certificates to enable covert communications.
Analyst Note: RESURGE malware has been associated with the exploitation of a stack-based overflow vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways (CVE-2025-0282). WaterISAC urges users and administrators at utilities running any of the Ivanti Connect Secure appliances mentioned above to implement the “Mitigation Instructions for CVE-2025-0282” and the actions outlined in CISA’s published alert.
Original Source: https://www.cisa.gov/news-events/analysis-reports/ar25-087a
Mitigation Recommendations:
- CISA Mitigation Instructions for CVE-2025-0282
- Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283)
Related WaterISAC PIRs: 6, 7, 7.1, 10, 12
