Ivanti has recently addressed a critical security vulnerability in its Connect Secure VPN appliances that had been exploited by a China-linked espionage group since mid-March. The vulnerability, known as CVE-2025-22457, impacted various Ivanti products, including Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways.
According to a security advisory published by Mandiant, there is evidence of active exploitation in the wild, with the espionage group achieving remote code execution (RCE) and deploying malware. Mandiant reported two new malware families, Trailblaze and Brushfire, alongside the previously identified Spawn ecosystem of malware associated with UNC5221, a suspected China-nexus espionage actor.
Initially believed to be a low-risk denial-of-service bug, because the buffer overflow is constrained to a limited character space, the vulnerability was patched by Ivanti on February 11. The group, however, analyzed the patch and exploited versions 22.7R2.5 and earlier to achieve remote code execution.
Ivanti explained that the vulnerability was initially considered not exploitable for remote code execution, but further analysis revealed that it could be exploited through sophisticated means. Ivanti, together with its security partners, subsequently identified evidence of active exploitation in the wild.
In response to the threats posed by the exploitation of this vulnerability, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory for at-risk enterprises. CISA recommended applying security patches, running an external Integrity Checker Tool (ICT), conducting threat hunt actions on affected systems, and performing a factory reset for the highest level of confidence.
The Google Threat Intelligence Group (GTIG) reported that UNC5221 has targeted various countries and verticals, using a range of tooling from passive backdoors to trojanized legitimate components on edge appliances. GTIG believes that UNC5221 will continue to pursue zero-day exploitation of edge devices, building upon its history of success and aggressive modus operandi.
Mandiant emphasized the ongoing sophisticated threats targeting edge devices globally and highlighted the persistent focus of actors like UNC5221 on leveraging both zero-day and now n-day vulnerabilities. This aligns with the broader strategy observed among suspected China-nexus espionage groups investing significantly in exploits and custom malware for critical edge infrastructure.
In an update provided to ITPro, an Ivanti spokesperson shared additional details on the issue, stating that the vulnerability was fixed in ICS 22.7R2.6 and urging customers running older versions to upgrade as soon as possible. Customers running supported versions and following Ivanti’s guidance have a significantly reduced risk, with Ivanti’s ICT successfully detecting potential compromises on a limited number of affected devices.
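To make that version guidance actionable, the following added example (not code from Ivanti, CISA or ITPro) triages a constructed inventory of Connect Secure appliances against the figures stated above: 22.7R2.5 and earlier affected, 22.7R2.6 fixed. The version-string grammar `<major>.<minor>R<release>[.<patch>]` and the sample hostnames are assumptions.

```python
import re

# Assumption: Ivanti Connect Secure (ICS) version strings look like
# "22.7R2.5", i.e. <major>.<minor>R<release>[.<patch>], patch optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Figures taken from the article: 22.7R2.5 and earlier are affected,
# 22.7R2.6 carries the fix.
FIXED_VERSION = "22.7R2.6"


def parse_ics_version(version: str) -> tuple[int, int, int, int]:
    """Turn an ICS version string into a comparable tuple.

    A missing patch component is treated as 0, so "22.7R2" sorts
    before "22.7R2.1". Raises ValueError on anything unrecognised.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ICS version string: {version!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the version predates the fix (22.7R2.5 or earlier)."""
    return parse_ics_version(version) < parse_ics_version(fixed)


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a {hostname: version} inventory into upgrade / patched /
    unknown buckets so each group can be actioned separately."""
    result: dict[str, list[str]] = {"upgrade": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        try:
            bucket = "upgrade" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unknown"  # unparseable version: needs manual check
        result[bucket].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "vpn-a.example.test": "22.7R2.5",
    "vpn-b.example.test": "22.7R2.6",
    "vpn-c.example.test": "9.1R18.9",
    "vpn-d.example.test": "22.7R2",
    "vpn-e.example.test": "n/a",
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A version check only says an appliance was exposed, not whether it was compromised; the ICT run and threat hunt CISA recommends still apply to every host in the upgrade bucket.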
Overall, the proactive response from Ivanti, collaboration with security partners, and advisories from CISA underscore the importance of addressing and mitigating cybersecurity threats to protect critical infrastructure and sensitive data from exploitation by malicious actors.