Security researchers have discovered a critical vulnerability in Ivanti Connect Secure (ICS) VPN appliances that is currently being exploited by suspected Chinese threat actors. The vulnerability, known as CVE-2025-22457, is a buffer overflow flaw that affects ICS version 22.7R2.5 and older, posing a risk of remote code execution.
Evidence indicates that the exploitation of this vulnerability started in mid-March 2025, with attackers using it to deploy sophisticated malware designed for espionage activities. The attacks have been linked to UNC5221, a group believed to have ties to China and known for targeting edge devices using zero-day exploits dating back to 2023.
UNC5221 has a history of employing advanced tactics, including reverse-engineering security patches to create working exploits. In this latest campaign, the group is suspected to have studied the patch released in February 2025 for ICS version 22.7R2.6 to develop its attack strategy.
According to Google Threat Intelligence analysts, after successfully exploiting the vulnerability, the threat actors deploy multiple malware families, including newly discovered tools named TRAILBLAZE and BRUSHFIRE, alongside their existing SPAWN ecosystem of malware. These tools collaborate to establish persistent access and evade detection mechanisms.
This exploitation of the vulnerability marks a progression in UNC5221’s tactics as they shift from relying solely on zero-day vulnerabilities to also incorporating n-day flaws in their operations. Security researchers note that the group targets a wide range of countries and industries, demonstrating a relentless operational pace and a diverse toolkit.
Following the successful exploitation of the vulnerability, attackers initiate a sophisticated attack chain starting with a shell script dropper. This script executes TRAILBLAZE, an in-memory dropper designed to be minimal and discreet, followed by the injection of the BRUSHFIRE passive backdoor into a running process.
BRUSHFIRE operates by hooking the SSL_read function to intercept encrypted communications and executing shellcode when specific trigger strings are detected. This technique enables the threat actors to maintain a persistent presence while reducing the risk of detection, as their operations occur entirely in memory without leaving malicious files on disk.
To mitigate the risk posed by this vulnerability, security experts advise organizations to promptly update affected Ivanti Connect Secure appliances to version 22.7R2.6 or newer and utilize the Integrity Checker Tool to identify any suspicious activity.
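As an added example (not code from the original article, from Ivanti, or from Google Threat Intelligence), the following Python script helps a defender triage an appliance inventory against the fixed version named above: it parses Ivanti-style version strings and flags any appliance below 22.7R2.6 as needing the update. The version-string grammar (major.minor, then R, then release and optional patch number) and the sample inventory are assumptions constructed for this example. The script only compares version numbers; it does not replace the Integrity Checker Tool, which is the vendor's means of checking an appliance for signs of compromise.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Fixed version stated in the article: 22.7R2.6 and newer carry the patch.
FIXED_VERSION = "22.7R2.6"

# Assumed grammar for ICS version strings: <major>.<minor>R<release>[.<patch>]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_ics_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a version such as '22.7R2.5' or '22.7R2' into a comparable tuple
    (major, minor, release, patch). A missing patch number is treated as 0,
    which is an assumption about how Ivanti orders these builds."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised ICS version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_below_fix(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the appliance runs a build older than the fixed release."""
    return parse_ics_version(version) < parse_ics_version(fixed)


@dataclass
class Appliance:
    hostname: str
    version: str


def triage(appliances: List[Appliance]) -> List[Tuple[str, str, str]]:
    """Return (hostname, version, status) for each appliance in the inventory.
    Unparseable version strings are reported for manual follow-up rather
    than silently treated as patched."""
    results = []
    for appliance in appliances:
        try:
            status = "UPDATE REQUIRED" if is_below_fix(appliance.version) else "at or above fix"
        except ValueError:
            status = "unparsed version - verify manually"
        results.append((appliance.hostname, appliance.version, status))
    return results


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    Appliance("vpn-a.example.test", "22.7R2.5"),
    Appliance("vpn-b.example.test", "22.7R2.6"),
    Appliance("vpn-c.example.test", "22.7R2"),
    Appliance("vpn-d.example.test", "22.7R3"),
    Appliance("vpn-e.example.test", "build-unknown"),
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:24} {version:14} {status}")
```

Feed the script your real inventory (for example, an export from your asset database) in place of the constructed list; any appliance reported as UPDATE REQUIRED should be patched and then checked with the Integrity Checker Tool.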
The exploitation of this vulnerability underscores the importance of ongoing vigilance and prompt security updates to protect against evolving cyber threats. Organizations are encouraged to stay informed about emerging vulnerabilities and take necessary precautions to defend against potential attacks.