Ivanti has patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
Tracked as CVE-2025-22457, the critical severity vulnerability impacts Ivanti Connect Secure (versions 22.7R2.5 and earlier), Pulse Connect Secure (versions 9.1R18.9 and prior, which reached end-of-support at the end of last year), Ivanti Policy Secure (versions 22.7R1.3 and prior) and ZTA Gateways (versions 22.8R2 and prior).
In a security advisory published by Mandiant, the firm said there’s evidence of active exploitation in the wild, with the espionage group successfully achieving remote code execution (RCE) and deploying malware.
"Following successful exploitation, we observed the deployment of two newly identified malware families, the TrailblazeE in-memory only dropper and the Brushfire passive backdoor," said Mandiant.
"Additionally, deployment of the previously reported Spawn ecosystem of malware attributed to UNC5221 was also observed. UNC5221 is a suspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge devices dating back to 2023."
The vulnerability is a buffer overflow with a limited character space, and as such was initially believed to be a low-risk denial-of-service vulnerability. But while a patch was released on February 11, Mandiant believes the group was able to analyze the patch and find a way to exploit 22.7R2.5 and earlier to achieve the remote code execution.
"The vulnerability is a buffer overflow with characters limited to periods and numbers, it was evaluated and determined not to be exploitable as remote code execution and didn’t meet the requirements of denial of service," Ivanti explained.
"However, Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild."
CISA responds to Ivanti threats
Google Threat Intelligence Group (GTIG) said UNC5221 has targeted a wide range of countries and verticals during its operations, and has made use of an extensive set of tooling, from passive backdoors to trojanized legitimate components on various edge appliances.
The group has a consistent history of success and an aggressive modus operandi, and GTIG believes it will continue to pursue zero-day exploitation of edge devices.
"This latest activity from UNC5221 underscores the ongoing sophisticated threats targeting edge devices globally. This campaign, exploiting the n-day vulnerability CVE-2025-22457, also highlights the persistent focus of actors like UNC5221 on edge devices, leveraging deep device knowledge and adding to their history of using both zero-day and now n-day flaws," Mandiant said.
"This activity aligns with the broader strategy GTIG has observed among suspected China-nexus espionage groups who invest significantly in exploits and custom malware for critical edge infrastructure."
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory for at-risk enterprises.
In addition to applying the relevant security patches, the agency urged organizations to run an external Integrity Checker Tool (ICT) and conduct threat hunt actions on any systems connected to — or recently connected to — the affected Ivanti device.
For the highest level of confidence, it said, they should conduct a factory reset.
UPDATE:
In a statement given to ITPro, an Ivanti spokesperson gave additional details on the issue:
"Following initial identification of the compromise by Ivanti’s Integrity Checker Tool (ICT), Ivanti quickly investigated, identified the vulnerability and disclosed it to customers. Additionally, Ivanti partnered with Mandiant to provide additional information to defenders.
"Importantly, this vulnerability was fixed in ICS 22.7R2.6, released February 11, 2025, and customers running supported versions on their appliances and in accordance with the guidance provided by Ivanti have a significantly reduced risk. Customers running ICS 9.X (end of life) and 22.7R2.5 and earlier are encouraged to upgrade as soon as possible and follow the other actions outlined in the Security Advisory.
"Ivanti’s ICT has been successful in detecting potential compromise on a limited number of customers running ICS 9.X (end of life) and 22.7R2.5 and earlier versions."
MORE FROM ITPRO
- INSERT STORY LINK
- INSERT STORY LINK
- INSERT STORY LINK
-
M&S suspends online sales as 'cyber incident' continuesNews Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
-
Manners cost nothing, unless you’re using ChatGPTOpinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
-
Edge devices are now your weakest link: VPNs, firewalls, and routers were the leading source of initial compromise in 30% of incidents last year – here’s whyNews Compromised network edge devices have rapidly emerged as one of the biggest attack points for small and medium businesses.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
So long, Defender VPN: Microsoft is scrapping the free-to-use privacy tool over low uptakeNews Defender VPN, Microsoft's free virtual private network, is set for the scrapheap, so you might want to think about alternative services.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Five Eyes cyber agencies issue guidance on edge device vulnerabilitiesNews Cybersecurity agencies including the NCSC and CISA have issued fresh guidance on edge device security.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
