The UK's official domain registry, Nominet, has confirmed that its network was breached two weeks ago through a zero-day vulnerability in Ivanti VPN software.
Nominet, which oversees over .uk domain names and which previously operated the UK’s Protective Domain Name Service (PDNS) on behalf of the National Cyber Security Centre (NCSC), said the attack was traced to a zero-day vulnerability in Ivanti’s VPN product, specifically Ivanti Connect Secure.
The vulnerability in question, CVE-2025-0282, has been actively targeted by threat actors since mid-December 2024. Ivanti confirmed that the flaw was being actively exploited to compromise a limited number of customer systems. The vendor has since released security patches to address the issue.
According to Nominet, the attackers gained access to its network via remote access provided by Ivanti’s VPN software, which is used by Nominet employees for secure system access. The company said that it currently has no evidence of a data breach and that no backdoors were found on its systems.
Nominet noted it took steps to mitigate the impact, including restricting VPN access and reporting the breach to relevant authorities such as the NCSC. The company also said that its registry and domain management systems continued to operate as usual and were unaffected by the incident.
Nominet's network breach is the latest in a string of cybersecurity incidents involving Ivanti's VPN software. Researchers from cybersecurity firm Mandiant reported that the attackers used a custom malware toolkit called “Spawn,” believed to be linked to the China-based espionage group UNC5337. Additionally, two new strains of malware named Dryhook and Phasejam were found deployed on compromised systems. It is possible that several separate threat actors are responsible for developing the Spawn, Dryhook and Phasejam malware.