Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
Tracked as CVE-2025-22457, the critical severity vulnerability impacts Ivanti Connect Secure (versions 22.7R2.5 and earlier), Pulse Connect Secure (versions 9.1R18.9 and prior, which reached end-of-support at the end of last year), Ivanti Policy Secure (versions 22.7R1.3 and prior) and ZTA Gateways (versions 22.8R2 and prior).
In a security advisory published by Mandiant, the firm said there’s evidence of active exploitation in the wild, with the espionage group successfully achieving remote code execution (RCE) and deploying malware.
"Following successful exploitation, we observed the deployment of two newly identified malware families, the TrailblazeE in-memory only dropper and the Brushfire passive backdoor," said Mandiant.
"Additionally, deployment of the previously reported Spawn ecosystem of malware attributed to UNC5221 was also observed. UNC5221 is a suspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge devices dating back to 2023."
The vulnerability is a buffer overflow with a limited character space, and as such was initially believed to be a low-risk denial-of-service vulnerability. But while a patch was released on February 11, Mandiant believes the group was able to analyze the patch and find a way to exploit 22.7R2.5 and earlier to achieve the remote code execution.
"The vulnerability is a buffer overflow with characters limited to periods and numbers, it was evaluated and determined not to be exploitable as remote code execution and didn’t meet the requirements of denial of service," Ivanti explained.
"However, Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild."
CISA responds to Ivanti threats
Google Threat Intelligence Group (GTIG) said UNC5221 has targeted a wide range of countries and verticals during its operations, and has made use of an extensive set of tooling, from passive backdoors to trojanized legitimate components on various edge appliances.
The group has a consistent history of success and an aggressive modus operandi, and GTIG believes it will continue to pursue zero-day exploitation of edge devices.
"This latest activity from UNC5221 underscores the ongoing sophisticated threats targeting edge devices globally. This campaign, exploiting the n-day vulnerability CVE-2025-22457, also highlights the persistent focus of actors like UNC5221 on edge devices, leveraging deep device knowledge and adding to their history of using both zero-day and now n-day flaws," Mandiant said.
"This activity aligns with the broader strategy GTIG has observed among suspected China-nexus espionage groups who invest significantly in exploits and custom malware for critical edge infrastructure."
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory for at-risk enterprises.
In addition to applying the relevant security patches, the agency urged organizations to run an external Integrity Checker Tool (ICT) and conduct threat hunt actions on any systems connected to — or recently connected to — the affected Ivanti device.
For the highest level of confidence, it said, they should conduct a factory reset.
MORE FROM ITPRO
- INSERT STORY LINK
- INSERT STORY LINK
- INSERT STORY LINK
-
OpenAI woos UK government amid consultation on AI training and copyrightNews OpenAI is fighting back against the UK government's proposals on how to handle AI training and copyright.
-
Disgruntled dev dumped malicious code on company networks after being sackedNews Security experts have warned ITPro over the risks of insider threats from disgruntled workers after a software developer deployed a 'kill switch' to sabotage his former employer’s networks.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
So long, Defender VPN: Microsoft is scrapping the free-to-use privacy tool over low uptakeNews Defender VPN, Microsoft's free virtual private network, is set for the scrapheap, so you might want to think about alternative services.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Five Eyes cyber agencies issue guidance on edge device vulnerabilitiesNews Cybersecurity agencies including the NCSC and CISA have issued fresh guidance on edge device security.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
