[TIMESTAMP: 2026-02-27 16:15 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

CISA Warns of RESURGE Malware Persistence on Ivanti Devices

AI-Assisted Analysis

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a detailed technical advisory regarding RESURGE, a highly specialized malware implant identified in recent campaigns targeting Ivanti Connect Secure (ICS) and Policy Secure (IPS) devices. According to BleepingComputer, this malware was deployed following the exploitation of CVE-2025-0282, a critical vulnerability that facilitates unauthenticated remote code execution (RCE) on affected gateways.

RESURGE represents a significant advancement in the persistence capabilities of edge-device implants. Unlike traditional web shells that often reside in temporary directories, RESURGE is designed to maintain a footprint across system updates and reboots by embedding itself deep within the appliance’s filesystem, often masquerading as legitimate system components.

Technical Analysis of CVE-2025-0282 and RESURGE

The exploitation chain begins with CVE-2025-0282, a stack-based buffer overflow in the Ivanti gateway’s handling of specific network requests that is reachable before authentication. Because these gateways sit at the network perimeter and run their services with high privileges, a successful exploit gives the adversary immediate system-level access on the appliance. Threat actors have been observed using that access to drop the RESURGE implant.

RESURGE is characterized by its modular nature and its ability to remain dormant. The implant does not necessarily begin beaconing to a command-and-control (C2) server immediately upon infection. Instead, it monitors for specific internal system triggers or external knock sequences before activating its primary payloads. This behavior is specifically engineered to evade automated sandboxes and basic network traffic analysis that looks for immediate post-exploitation outbound connections.

Persistence and Evasion Mechanisms

One of the most concerning aspects of RESURGE is its resilience. CISA’s analysis indicates that the malware can survive certain factory reset procedures if the underlying storage partition is not fully wiped or if the recovery image itself has been tampered with. The implant often hides by overwriting or mimicking legitimate system binaries or library files (such as .so files) within the Ivanti OS environment, making manual detection via standard administrative interfaces extremely difficult.

The malware uses encrypted communication channels, typically over HTTPS, to receive instructions. It employs a custom protocol wrapped inside legitimate-looking traffic, which helps it blend into the high volume of encrypted VPN traffic typical for these devices. Furthermore, RESURGE has the capability to modify the device’s internal logging mechanisms, effectively preventing the appliance from recording its malicious activities or the initial exploitation events.
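Because an implant that can edit the appliance’s logging leaves fewer records rather than obviously malicious ones, a useful first triage check is whether an exported log is even continuous. The Python below is an added example, not CISA’s or Ivanti’s tooling: it parses timestamped lines, derives the typical spacing of periodic entries, and flags both unusually long gaps and out-of-order records. The log lines are constructed, the leading-ISO-8601-timestamp line format is an assumption, and the 3x-median threshold is a tuning choice rather than anything vendor-documented.

```python
"""Log-continuity check (illustrative; constructed data, heuristic threshold)."""
import statistics
from datetime import datetime, timezone

# Constructed sample: periodic health-check entries from a hypothetical gateway
# log export. Real appliance logs differ; only the timestamp prefix matters here.
SAMPLE_LOG = """\
2025-01-08T02:00:00Z gw1 health-check ok
2025-01-08T02:05:00Z gw1 health-check ok
2025-01-08T02:10:00Z gw1 health-check ok
2025-01-08T02:15:00Z gw1 health-check ok
2025-01-08T03:40:00Z gw1 health-check ok
2025-01-08T03:45:00Z gw1 health-check ok
2025-01-08T03:50:00Z gw1 health-check ok
"""


def parse_timestamps(text: str) -> list[datetime]:
    """Extract the leading ISO-8601 UTC timestamp from each non-empty line."""
    stamps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        first = line.split(maxsplit=1)[0]
        ts = datetime.strptime(first, "%Y-%m-%dT%H:%M:%SZ")
        stamps.append(ts.replace(tzinfo=timezone.utc))
    return stamps


def find_anomalies(stamps: list[datetime], factor: float = 3.0) -> list[dict]:
    """Flag two artefacts that in-place log tampering tends to leave behind.

    GAP          - an interval more than `factor` times the median spacing of
                   otherwise periodic entries (records suppressed or deleted).
    OUT_OF_ORDER - a timestamp earlier than its predecessor (records rewritten
                   or spliced back in after the fact).
    `factor` is a tuning assumption, not a vendor-documented threshold.
    """
    if len(stamps) < 3:
        return []
    deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    positive = [d for d in deltas if d > 0]
    if not positive:
        return []
    median = statistics.median(positive)
    findings = []
    for a, b, d in zip(stamps, stamps[1:], deltas):
        if d < 0:
            findings.append({"type": "OUT_OF_ORDER", "start": a, "end": b, "seconds": d})
        elif d > factor * median:
            findings.append({"type": "GAP", "start": a, "end": b, "seconds": d})
    return findings


def demo() -> list[dict]:
    """Run the check over the constructed sample (one 85-minute gap)."""
    return find_anomalies(parse_timestamps(SAMPLE_LOG))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['type']:13} {f['start'].isoformat()} -> {f['end'].isoformat()} "
              f"({f['seconds'] / 60:.0f} min)")
```

A gap like the one in the sample is not proof of tampering on its own (maintenance windows and reboots produce them too), but on a device that was exposed to CVE-2025-0282 it is a window to correlate against NetFlow, authentication logs and the integrity checker output, and the check should be run on a copy of the logs taken off the appliance, not on the appliance itself.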

Impact on Enterprise Security

The deployment of RESURGE highlights a continuing trend where sophisticated threat actors target edge appliances. These devices often lack the endpoint detection and response (EDR) coverage present on traditional servers and workstations. For an enterprise, a compromised Ivanti gateway serves as an ideal pivot point for lateral movement into the internal network, as the gateway already possesses the necessary credentials and network routes to reach sensitive assets.

The dormant nature of the malware means that an organization might have been breached weeks or months ago without any visible signs of data exfiltration. This necessitates a look-back period for forensic investigations that extends well beyond the date the vulnerability was publicly disclosed or patched.

Mitigation and Defensive Actions

To defend against RESURGE and similar implants, organizations must move beyond basic patching. While applying the security updates provided by Ivanti for CVE-2025-0282 is a necessary first step, it does not remove an existing RESURGE infection if the device was already compromised.

Mandatory Integrity Checks

Administrators should run Ivanti’s Integrity Checker Tool (ICT) in both its internal and external forms. CISA recommends the external ICT because it boots the appliance into a separate checker image and inspects the filesystem from outside the potentially compromised operating system; an implant that has replaced system libraries can also tamper with a check that runs inside that OS. Any “NEW” or “EDITED” files reported by the ICT should be treated as an indicator of compromise (IoC) and investigated, not dismissed as drift.
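The comparison an integrity checker performs is straightforward to reproduce in principle, which also makes clear why where it runs matters. The following Python script is an added illustration, not Ivanti’s ICT or any CISA tooling: it records a known-good manifest of SHA-256 hashes, rescans the tree, and reports NEW, EDITED and MISSING entries. The directory layout, file names (lib/libcore.so, home/webserver/shell.cgi) and contents are constructed for the demonstration and are not real indicators.

```python
"""Baseline-vs-live file integrity check (illustrative; not Ivanti's ICT)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare(baseline: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences the way an integrity checker reports them.

    NEW     - on the live system but absent from the known-good manifest
    EDITED  - in both, but the hash differs
    MISSING - in the manifest but gone from the live system
    Any NEW or EDITED entry is a finding that needs investigation.
    """
    result = {"NEW": [], "EDITED": [], "MISSING": []}
    for rel, digest in sorted(live.items()):
        if rel not in baseline:
            result["NEW"].append(rel)
        elif baseline[rel] != digest:
            result["EDITED"].append(rel)
    for rel in sorted(baseline):
        if rel not in live:
            result["MISSING"].append(rel)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a shared library overwritten and a web shell dropped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "home" / "webserver").mkdir(parents=True)
        # Hypothetical known-good files (names and contents are made up).
        (root / "lib" / "libcore.so").write_bytes(b"\x7fELF known-good library")
        (root / "home" / "webserver" / "index.cgi").write_bytes(b"#!/bin/sh\necho ok\n")

        baseline = build_manifest(root)  # snapshot taken while the device was trusted

        # Simulated compromise: a library replaced in place, a new CGI dropped.
        (root / "lib" / "libcore.so").write_bytes(b"\x7fELF patched library")
        (root / "home" / "webserver" / "shell.cgi").write_bytes(b"#!/bin/sh\n$QUERY_STRING\n")

        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for status, paths in demo().items():
        for rel in paths:
            print(f"{status:8} {rel}")
```

The verdict is only as trustworthy as the environment producing it, which is the point of the external ICT: a checker invoked from inside an OS whose libraries have been replaced can be fed false hashes or a clean-looking manifest. Run any such comparison from a separately booted environment or against a mounted forensic image, and keep the baseline hashes somewhere the appliance cannot write to.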

Comprehensive Remediation Steps

If signs of RESURGE are detected, the following steps are required for remediation:

  1. Isolation: Immediately disconnect the affected gateway from the network to prevent further data exfiltration or lateral movement.
  2. Forensic Preservation: Take a full disk image of the appliance for forensic analysis before attempting recovery, as this data is vital for understanding the scope of the breach.
  3. Hard Reset: Perform a full factory reset. In some instances, CISA suggests that a physical hardware replacement or a complete re-imaging from known-good media is the only way to guarantee the removal of persistent implants like RESURGE that may have compromised the underlying firmware or recovery partitions.
  4. Credential Rotation: Once the gateway is secured or replaced, rotate all credentials that passed through the device, including administrative passwords, API keys, and user session tokens.
