Ivanti Connect Secure devices may carry dormant RESURGE malware

The Cybersecurity and Infrastructure Security Agency (CISA) is warning that RESURGE malware may still be silently embedded in Ivanti Connect Secure VPN appliances. It remains dormant until attackers attempt to regain access.
The US cybersecurity agency issued a warning about the RESURGE malware last year, but has now released an update.
The RESURGE malware was first detected in January 2025. Attackers installed it by exploiting CVE-2025-0282, a vulnerability that granted them access to Ivanti VPN servers.
On a scale of 1 to 10, the vulnerability was rated a 9.0.
The vulnerability has been actively exploited since last year. When Ivanti released a patch to fix the issue, the company recommended that businesses and organizations using Ivanti Connect Secure apply the patch immediately.
Once the RESURGE malware is installed, it creates a web shell that offers hackers persistent access to the VPN servers. In addition, the web shell enables them to harvest login credentials, create new accounts, reset passwords, and escalate permissions.
Finally, the malware copies the web shell to the appliance's running boot disk and modifies the running coreboot image, tampering with integrity checks so that it evades detection.
In an update on the RESURGE malware, CISA claims that the malicious software can remain latent on systems until a remote actor attempts to connect to the compromised device. As a result, the malware can sit dormant and undetected on Ivanti Connect Secure devices while still posing an active threat.
The cybersecurity agency urges businesses and organizations to check their Ivanti systems using available Indicators of Compromise (IoCs).