A China-nexus espionage group has been actively exploiting a critical vulnerability in Ivanti Connect Secure, according to Mandiant's incident response team. Exploitation of the remote code execution bug, tracked as CVE-2025-22457, has been ongoing since mid-March 2025.
The vulnerability, disclosed by Ivanti on 3 April, is a stack-based buffer overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways that allows an unauthenticated remote attacker to achieve code execution. The fix had already shipped: Ivanti Connect Secure 22.7R2.6, released on 11 February 2025, contains the remediation, but Ivanti said it had initially assessed the flaw as a non-exploitable product bug because the attacker-controlled input is limited to a narrow character set, so the February release was not flagged as a security fix at the time. Ivanti now recommends deploying 22.7R2.6 immediately.
Ivanti acknowledged that a limited number of customers running Connect Secure 22.7R2.5 and earlier, as well as Pulse Connect Secure 9.1x (end-of-support since December 2024), had been exploited. The affected versions are Ivanti Connect Secure 22.7R2.5 and prior, Pulse Connect Secure (end-of-support) 9.1R18.9 and prior, Ivanti Policy Secure 22.7R1.3 and prior, and ZTA Gateways 22.8R2 and prior. Because Pulse Connect Secure 9.1x is no longer supported, there is no patch for that line; those appliances should be migrated off rather than left in service.
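The following is an added example, not code from Ivanti, Mandiant or Rapid7. It encodes the "version X and prior" ranges listed above for CVE-2025-22457 and classifies an appliance inventory against them; the version parser and the `assess`/`assess_fleet` helper names are this example's own, and the inventory at the bottom is constructed for illustration.

```python
import re
from typing import NamedTuple, Iterable, List, Tuple

# Ivanti version strings look like "22.7R2.5", "9.1R18.9" or "22.8R2".
# Ordering is (major, minor, R-release, patch); a missing patch counts as 0.
_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Highest affected build per product line, taken from the advisory text above.
# "and prior" is implemented as a tuple comparison on the parsed version.
MAX_AFFECTED = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Pulse Connect Secure": "9.1R18.9",   # end-of-support since December 2024
    "Ivanti Policy Secure": "22.7R1.3",
    "ZTA Gateways": "22.8R2",
}

# Only Connect Secure has a shipping fix named on this page.
FIXED = {"Ivanti Connect Secure": "22.7R2.6"}
END_OF_SUPPORT = {"Pulse Connect Secure"}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5) and '22.8R2' into (22, 8, 2, 0)."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


class Assessment(NamedTuple):
    product: str
    version: str
    affected: bool
    action: str


def assess(product: str, version: str) -> Assessment:
    """Classify one appliance against the advisory's affected ranges."""
    if product not in MAX_AFFECTED:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    affected = parse_version(version) <= parse_version(MAX_AFFECTED[product])
    if not affected:
        action = "outside affected range; still run the external ICT"
    elif product in END_OF_SUPPORT:
        action = "end-of-support line, no patch: migrate off and treat as exposed"
    elif product in FIXED:
        action = f"run the external ICT, then upgrade to {FIXED[product]}"
    else:
        action = "affected; apply the vendor fix for this line when released"
    return Assessment(product, version, affected, action)


def assess_fleet(inventory: Iterable[Tuple[str, str]]) -> List[Assessment]:
    """Assess every (product, version) pair; affected appliances sort first."""
    results = [assess(product, version) for product, version in inventory]
    return sorted(results, key=lambda r: not r.affected)


if __name__ == "__main__":
    # Constructed inventory for illustration only; not real appliance data.
    sample = [
        ("Ivanti Connect Secure", "22.7R2.5"),
        ("Ivanti Connect Secure", "22.7R2.6"),
        ("Pulse Connect Secure", "9.1R18.9"),
        ("ZTA Gateways", "22.8R2"),
        ("Ivanti Policy Secure", "22.7R2"),
    ]
    for r in assess_fleet(sample):
        state = "AFFECTED" if r.affected else "ok"
        print(f"{r.product} {r.version}: {state} - {r.action}")
```

The comparison is deliberately per product line: a Pulse Connect Secure 9.1 build and a Connect Secure 22.7 build are never compared with each other, and an appliance outside the affected range still gets an ICT recommendation because a version number says nothing about whether the box was compromised before it was upgraded.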
Mandiant's 4 April write-up attributes the activity to UNC5221, a suspected China-nexus espionage actor. Charles Carmakal, Chief Technology Officer of Mandiant Consulting, said the group's continued targeting of edge devices worldwide is a serious concern. The operators deployed two newly identified custom tools, Trailblaze and Brushfire, alongside components of the previously documented Spawn malware family.
Trailblaze is a small in-memory dropper whose job is to inject the Brushfire backdoor into a running process on the appliance; Brushfire is a passive backdoor that executes further shellcode sent to it. Two Spawn components fill supporting roles: SpawnSloth disables logging on the appliance, and SpawnSnare extracts the uncompressed Linux kernel image and encrypts it for exfiltration. The Google Threat Intelligence Group notes that UNC5221 has a history of exploiting edge-device vulnerabilities, including earlier Ivanti Connect Secure flaws, and that the tooling in this campaign overlaps with that earlier activity.
Rapid7 urged Ivanti customers to apply the patch immediately and to monitor the external Integrity Checker Tool (ICT) for signs of compromise; if the ICT reports tampering, the appliance should be factory reset and only then returned to production on the remediated version. Patching alone does not remove implants already on the device, which is why the reset step matters.
The active exploitation of CVE-2025-22457 is another reminder that state-backed espionage groups target the network edge, and that a vulnerability a vendor classed as a low-risk bug can become a zero-day once an attacker works out how to exploit it. Practical priorities are to upgrade affected Connect Secure appliances to 22.7R2.6, retire end-of-support Pulse Connect Secure 9.1x devices, and run the external ICT rather than trusting on-device logs: a toolset that includes a log-disabling component means a quiet log file is not evidence of a clean appliance.