Hackers are targeting Ivanti VPN users again – here’s what you need to know
Ivanti issued a patch in February, but researchers believe hackers developed a workaround


Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
Tracked as CVE-2025-22457, the critical severity vulnerability impacts Ivanti Connect Secure (versions 22.7R2.5 and earlier), Pulse Connect Secure (versions 9.1R18.9 and prior, which reached end-of-support at the end of last year), Ivanti Policy Secure (versions 22.7R1.3 and prior) and ZTA Gateways (versions 22.8R2 and prior).
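To check an appliance inventory against the affected ranges listed above, the following is an added example, not code from Ivanti, Mandiant or the original article. The version layout `<major>.<minor>R<release>[.<patch>]` is an assumption inferred from the version strings quoted above, and the hostnames and inventory rows are constructed sample data.

```python
import re

# Upper bounds of the affected ranges, as listed in the article for CVE-2025-22457.
AFFECTED_MAX = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Pulse Connect Secure": "9.1R18.9",   # end-of-support per the article
    "Ivanti Policy Secure": "22.7R1.3",
    "ZTA Gateways": "22.8R2",
}

# Assumed version layout: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """Return a comparable tuple; a missing patch level counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def is_affected(product, version):
    """True/False for listed products, None when the product is not listed."""
    if product not in AFFECTED_MAX:
        return None
    return parse_version(version) <= parse_version(AFFECTED_MAX[product])

def triage(inventory):
    """Label each (host, product, version) row; unparseable rows need a human."""
    labels = {True: "AFFECTED", False: "not in listed range", None: "REVIEW MANUALLY"}
    findings = []
    for host, product, version in inventory:
        try:
            status = is_affected(product, version)
        except ValueError:
            status = None
        findings.append((host, labels[status]))
    return findings

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("vpn-a.example.net", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-b.example.net", "Ivanti Connect Secure", "22.7R2.6"),
    ("vpn-c.example.net", "Pulse Connect Secure", "9.1R18.9"),
    ("nac-a.example.net", "Ivanti Policy Secure", "22.7R1"),
    ("zta-a.example.net", "ZTA Gateways", "22.8R2.2"),
    ("vpn-d.example.net", "Ivanti Connect Secure", "build 1234"),
]

if __name__ == "__main__":
    print(*triage(SAMPLE_INVENTORY), sep="\n")
```

A version outside the listed range only means the appliance is not in the ranges the article names; it says nothing about whether the device was compromised before it was updated.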
In a security advisory published by Mandiant, the firm said there’s evidence of active exploitation in the wild, with the espionage group successfully achieving remote code execution (RCE) and deploying malware.
"Following successful exploitation, we observed the deployment of two newly identified malware families, the Trailblaze in-memory only dropper and the Brushfire passive backdoor," said Mandiant.
"Additionally, deployment of the previously reported Spawn ecosystem of malware attributed to UNC5221 was also observed. UNC5221 is a suspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge devices dating back to 2023."
The vulnerability is a buffer overflow with a limited character space, and as such was initially believed to be a low-risk denial-of-service vulnerability. But while a patch was released on February 11, Mandiant believes the group was able to analyze the patch and find a way to exploit 22.7R2.5 and earlier to achieve remote code execution.
"The vulnerability is a buffer overflow with characters limited to periods and numbers, it was evaluated and determined not to be exploitable as remote code execution and didn’t meet the requirements of denial of service," Ivanti explained.
"However, Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild."
CISA responds to Ivanti threats
Google Threat Intelligence Group (GTIG) said UNC5221 has targeted a wide range of countries and verticals during its operations, and has made use of an extensive set of tooling, from passive backdoors to trojanized legitimate components on various edge appliances.
The group has a consistent history of success and an aggressive modus operandi, and GTIG believes it will continue to pursue zero-day exploitation of edge devices.
"This latest activity from UNC5221 underscores the ongoing sophisticated threats targeting edge devices globally. This campaign, exploiting the n-day vulnerability CVE-2025-22457, also highlights the persistent focus of actors like UNC5221 on edge devices, leveraging deep device knowledge and adding to their history of using both zero-day and now n-day flaws," Mandiant said.
"This activity aligns with the broader strategy GTIG has observed among suspected China-nexus espionage groups who invest significantly in exploits and custom malware for critical edge infrastructure."
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory for at-risk enterprises.
In addition to applying the relevant security patches, the agency urged organizations to run an external Integrity Checker Tool (ICT) and conduct threat hunt actions on any systems connected to — or recently connected to — the affected Ivanti device.
For the highest level of confidence, it said, they should conduct a factory reset.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.