CyberSecurity SEE

Chinese Cyber Espionage Group Focusing on Legacy Ivanti VPN Devices

Chinese hackers continue to target Ivanti products with the latest evidence pointing to a cyberespionage operation originating from China. The hackers exploited a critical security vulnerability that Ivanti had already patched in February, showcasing the hackers’ ability to quickly exploit recently fixed flaws and their specific interest in targeting Ivanti products.

According to researchers at Mandiant, a threat group known as UNC5221 used a stack-based buffer overflow in Ivanti Connect Secure to deploy malware associated with Chinese nation-state operations. This malware, from the Spawn ecosystem, is linked to previous breaches involving Ivanti products and the Chinese hacking community. Mandiant also identified two new malware families called “Trailblaze” and “Brushfire” during their investigation. In an attempt to avoid detection, the hackers tampered with the internal Ivanti Integrity Checker Tool.

The hackers exploited CVE-2025-22457 to target specific Ivanti devices including Connect Secure version 22.7R2.5 or earlier, Connect Secure 9.x appliances, Policy Secure, and ZTA gateways. Ivanti released a patch for Connect Secure on Feb. 11 and advised users to secure Policy Secure against internet exposure. Additionally, they stated that “Neurons for ZTA gateways cannot be exploited when in production.”
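To turn the affected-version list above into an inventory check, here is an added triage script; it is example code, not from this article or from Ivanti, and it assumes the version-string layout "major.minorRrelease.patch" (e.g. 22.7R2.5) and treats anything at or before 22.7R2.5, plus the end-of-support 9.x line, as needing action. The inventory entries are constructed sample data.

```python
import re

# Constructed sample inventory: (hostname, version reported by the appliance).
# "22.7R2.6" is an assumed post-patch version string used only for illustration.
SAMPLE_INVENTORY = [
    ("vpn-hq-01", "22.7R2.5"),
    ("vpn-hq-02", "22.7R2.6"),
    ("vpn-branch-legacy", "9.1R18.9"),
    ("vpn-dr-01", "22.6R2.3"),
]

# Last affected Connect Secure release named in the advisory summary above.
LAST_AFFECTED = (22, 7, 2, 5)

# Assumed format: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5 or 9.1R18.9
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_ics_version(text):
    """Parse an Ivanti Connect Secure version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def classify(version_text):
    """Map one version string to a triage status.

    END_OF_SUPPORT: 9.x line, out of support since Dec. 31, 2024; no patch will come.
    AFFECTED: 22.7R2.5 or earlier, in scope for CVE-2025-22457; apply the Feb. 11 patch.
    NOT_IN_AFFECTED_RANGE: newer than 22.7R2.5 per the advisory; still verify integrity.
    """
    v = parse_ics_version(version_text)
    if v[0] == 9:
        return "END_OF_SUPPORT"
    if v <= LAST_AFFECTED:
        return "AFFECTED"
    return "NOT_IN_AFFECTED_RANGE"


def triage(inventory):
    """Return (hostname, status) for every appliance that needs action."""
    return [(host, classify(ver)) for host, ver in inventory
            if classify(ver) != "NOT_IN_AFFECTED_RANGE"]


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Because the attackers also tampered with the Integrity Checker Tool, a version string reported by the appliance itself should be cross-checked against an out-of-band source before a device is cleared.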

Acknowledging the breach, Ivanti confirmed that a limited number of customers had fallen victim to the exploitation of their appliances. Western intelligence agencies have repeatedly warned about the aggressive nature of Chinese nation-state hackers, who exploit newly disclosed vulnerabilities before system administrators apply patches.

The hackers primarily targeted legacy VPN appliances that were no longer receiving software updates, such as the Connect Secure 9.x appliance, which reached its end-of-support date on Dec. 31, 2024. They also compromised older versions of Ivanti Connect Secure VPN appliances that organizations had begun replacing with the patched release after Feb. 11.

This incident marks the second year of Ivanti battling Chinese nation-state hackers who have continuously targeted the company’s network devices. The warning issued by Mandiant and Ivanti concerns a different vulnerability from the one recently flagged as exploited by the U.S. Cybersecurity and Infrastructure Security Agency.

The ongoing threats posed by Chinese hackers to Ivanti products underscore the importance of cybersecurity measures and the urgency for organizations to stay vigilant against evolving cyber threats. With cyber warfare becoming increasingly sophisticated, businesses must prioritize security updates and precautions to safeguard against malicious activities in the digital realm.
