
Nominet, the UK's largest domain registry, which manages over 11 million domains including .uk, .co.uk, and .gov.uk, has confirmed that its network was breached through a zero-day vulnerability in Ivanti VPN software. The incident occurred two weeks ago and affects an organization responsible for critical national domain infrastructure.
The entry point was CVE-2025-0282, a critical stack-based buffer overflow in Ivanti Connect Secure VPN appliances that allows unauthenticated remote code execution; Nominet uses the Ivanti software to give its staff remote access to internal systems. Nominet detected suspicious activity on its network, but its investigation has so far found no evidence of data theft or leakage and no backdoors on its systems. The company has implemented additional security measures, including restricting VPN access, and has notified the relevant authorities, including the National Cyber Security Centre (NCSC).
Mandiant researchers attribute the exploitation to UNC5337, a cluster they suspect is linked to the China-nexus espionage group UNC5221, which began exploiting the vulnerability in mid-December 2024, before a patch existed. On compromised appliances the attackers deployed the SPAWN malware family alongside the DRYHOOK credential stealer and the PHASEJAM dropper. When Ivanti released its patch, internet-wide scans still counted over 3,600 exposed Ivanti Connect Secure (ICS) appliances.
Despite the breach, Nominet confirms that its domain registration and management systems continue to operate normally, protected by existing restricted-access controls and firewalls. Ivanti has since released patches and urges customers to apply them immediately. Because applying the update does not remove an implant already present on an appliance, Ivanti also recommends running its Integrity Checker Tool (ICT) and, where compromise is suspected, performing a factory reset before upgrading.