Suspected China-Nexus threat actor actively exploiting critical Ivanti Connect Secure flaw

Take action: If you are running Connect Secure, Policy Secure, ZTA Gateways or Pulse Connect Secure, it is time for an urgent patch. This flaw is actively exploited, there are no real mitigations, and most of these systems are exposed to the internet by default. Start patching NOW!


On April 3, 2025, Ivanti disclosed a critical security vulnerability affecting their Connect Secure VPN appliances. This vulnerability is actively being exploited by UNC5221, a suspected China-nexus espionage actor with a history of targeting edge devices since 2023.

The flaw is tracked as CVE-2025-22457 (CVSS score 9.0), a buffer overflow vulnerability that can lead to remote code execution. The vulnerability affects:

  • Ivanti Connect Secure (ICS) version 22.7R2.5 and earlier
  • Ivanti Policy Secure (patch in development)
  • Ivanti ZTA Gateways (patch in development)
  • End-of-life Pulse Connect Secure 9.1x appliances

A fix for this vulnerability shipped in ICS 22.7R2.6 on February 11, 2025, but at the time the bug was assessed as a low-risk denial-of-service issue. The threat actor studied the patch and worked out how to exploit the vulnerability in earlier versions to achieve remote code execution.

Evidence of active exploitation dates back to mid-March 2025, with Ivanti confirming that a "limited number of customers" using vulnerable versions have been compromised. Following successful exploitation, researchers observed the deployment of several malware families:

  • TRAILBLAZE: A newly identified in-memory dropper designed to be minimal and use raw syscalls
  • BRUSHFIRE: A newly identified passive backdoor that acts as an SSL_read hook
  • SPAWN ecosystem: Previously reported malware attributed to UNC5221, including:
    • SPAWNSLOTH: A log tampering component targeting the dslogserver process
    • SPAWNSNARE: A utility for extracting and encrypting the Linux kernel image
    • SPAWNWAVE: An evolved version of SPAWNANT combining capabilities from other SPAWN malware

Google Threat Intelligence Group (GTIG) attributes this activity to UNC5221, a suspected China-nexus espionage actor. UNC5221 has targeted a wide range of countries and sectors, leveraging an extensive set of tooling from passive backdoors to trojanized legitimate components on various edge appliances. They've also been observed using an obfuscation network of compromised Cyberoam appliances, QNAP devices, and ASUS routers to mask their source during operations.

Mandiant and Ivanti recommend organizations:

  1. Immediately apply the available patch by upgrading ICS appliances to version 22.7R2.6 or later
  2. Use the external and internal Integrity Checker Tool (ICT) and contact Ivanti Support if suspicious activity is identified
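The version boundaries above (ICS fixed in 22.7R2.6, earlier releases affected, Policy Secure and ZTA Gateways still awaiting a patch, Pulse Connect Secure 9.1x end-of-life) are easy to get wrong when triaging an inventory by hand, because Ivanti version strings such as 22.7R2.10 do not sort correctly as text. The triage helper below is an added example, not code from the advisory or from Ivanti; the hostnames and product codes (ICS, PCS, IPS, ZTA) in the sample inventory are constructed.

```python
import re

# Fix version named in the advisory; ICS builds below it are affected.
FIXED_ICS_VERSION = "22.7R2.6"

# Ivanti version strings look like "22.7R2.5" or "9.1R18.9" (constructed).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn '22.7R2.5' into the comparable tuple (22, 7, 2, 5).

    Numeric comparison matters: as strings, '22.7R2.10' sorts below
    '22.7R2.6' and would be misreported as unpatched.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(product, version):
    """Classify one appliance as patched, vulnerable, awaiting_patch or eol."""
    v = parse_version(version)
    if product == "ICS":
        fixed = parse_version(FIXED_ICS_VERSION)
        return "patched" if v >= fixed else "vulnerable"
    if product == "PCS":          # Pulse Connect Secure 9.1x: no fix will ship
        return "eol"
    if product in ("IPS", "ZTA"):  # Policy Secure / ZTA: patch in development
        return "awaiting_patch"
    raise ValueError(f"unknown product code: {product!r}")


def triage(inventory):
    """Map each host in (host, product, version) rows to its status."""
    return {host: assess(product, version) for host, product, version in inventory}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("vpn-1.example", "ICS", "22.7R2.5"),
    ("vpn-2.example", "ICS", "22.7R2.6"),
    ("vpn-3.example", "ICS", "22.7R2.10"),
    ("vpn-4.example", "PCS", "9.1R18.9"),
    ("nac-1.example", "IPS", "22.7R1.3"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Anything reported as vulnerable, awaiting_patch or eol is a candidate for the ICT scan in step 2 regardless of whether it is patched afterwards, since the advisory dates exploitation to mid-March.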