
RESURGE’s stealthy, dormant nature makes detection extremely difficult, exposing critical VPN infrastructure to long‑term compromise and data exfiltration. The advisory forces enterprises to reassess their Ivanti deployments and adopt proactive threat‑hunting measures.
Ivanti Connect Secure is a cornerstone for many enterprises’ remote‑access strategies, and the CVE‑2025‑0282 zero‑day has turned it into a high‑value target. The vulnerability grants attackers kernel‑level code execution, which the China‑linked UNC5221 group quickly weaponized in December 2024. By embedding the RESURGE implant as a seemingly benign shared library, the threat actors achieved persistence that survives reboots and firmware updates, undermining traditional patch‑and‑restart defenses. This approach reflects a broader shift toward supply‑chain‑adjacent exploits that bypass perimeter controls and strike at the heart of authentication gateways.
What sets RESURGE apart is its network‑level evasion. Rather than beaconing, the implant monitors inbound TLS connections, matching them against a CRC32‑derived fingerprint. Only when the exact pattern arrives does the malware activate, using a counterfeit Ivanti certificate to masquerade as legitimate traffic. This mutual TLS handshake, coupled with a hard‑coded EC CA key, encrypts the session while keeping the malicious activity hidden from conventional IDS signatures. The inclusion of auxiliary modules like liblogblock.so for log tampering further obscures forensic trails, making detection reliant on specialized IoC signatures rather than behavioral anomalies.
For organizations, the CISA bulletin signals an urgent need to revisit detection and response playbooks. Administrators should deploy the newly published IoCs, monitor for anomalous TLS fingerprints, and verify certificate chains on all Ivanti endpoints. Given RESURGE’s ability to modify coreboot images, firmware integrity checks and secure boot configurations become essential safeguards. More broadly, the incident underscores the importance of continuous threat‑intelligence sharing and rapid patch adoption across the supply chain, as sophisticated implants can remain dormant for months before surfacing as active breaches.
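As an added illustration of the certificate-chain check recommended above (example code written for this page, not from CISA, Ivanti, or the RESURGE reporting): it builds a constructed corporate root CA and a gateway certificate issued under it, then an unrelated CA that issues a certificate for the same hostname, and shows that verification pinned to the expected root accepts the first chain and rejects the second. Every name, key and certificate here is generated in-process and is an assumption; in a real check the trusted root is the one your appliances were actually provisioned with, and the presented certificate comes from the endpoint's TLS handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds an ECDSA P-256 certificate for testing purposes.
// With parent == nil the certificate is self-signed (used for the CAs);
// otherwise it is issued by parent using parentKey.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Only leaf (server) certificates carry the hostname as a SAN.
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyEndpointChain checks that the certificate presented by an endpoint
// chains to the single root the organisation expects for that hostname.
// A certificate that only validates under some other CA (or not at all)
// is returned as an error so it can be raised as an alert.
func verifyEndpointChain(presented, trustedRoot *x509.Certificate, hostname string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isExpectedChain is a convenience wrapper for use in monitoring scripts:
// true means the endpoint presents a certificate under the pinned root.
func isExpectedChain(presented, trustedRoot *x509.Certificate, hostname string) bool {
	return verifyEndpointChain(presented, trustedRoot, hostname) == nil
}

func main() {
	const host = "vpn.example.internal" // constructed hostname
	// Constructed trust anchor and the certificate a correctly provisioned gateway would present.
	corpCA, corpKey := makeCert("Constructed Corp Root CA", true, nil, nil)
	goodLeaf, _ := makeCert(host, false, corpCA, corpKey)
	// Constructed unrelated CA issuing a certificate for the same hostname.
	otherCA, otherKey := makeCert("Constructed Unrelated CA", true, nil, nil)
	otherLeaf, _ := makeCert(host, false, otherCA, otherKey)

	fmt.Println("expected chain accepted:", isExpectedChain(goodLeaf, corpCA, host))
	if err := verifyEndpointChain(otherLeaf, corpCA, host); err != nil {
		// The rejection surfaces as an x509.UnknownAuthorityError.
		fmt.Println("mismatched chain rejected:", err)
	}
}
```

The verdict is the whole point of the check: a certificate for the right hostname that validates only under a root you never provisioned is exactly the kind of anomaly the bulletin asks administrators to look for, and it is invisible to a client that simply trusts whatever the endpoint presents.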