Ivanti recently disclosed a critical security vulnerability, tracked as CVE-2025-22457, affecting its Connect Secure (ICS) VPN appliances running version 22.7R2.5 and earlier. The flaw is a buffer overflow that, when successfully exploited, allows remote code execution.
According to reports from security researchers at Mandiant and Ivanti, there has been active exploitation of this vulnerability observed in the wild, specifically targeting ICS 9.X (end-of-life) and earlier versions of the software. The perpetrators behind these attacks have been linked to UNC5221, a suspected China-based cyber espionage group with a track record of engaging in sophisticated cyber operations and exploiting zero-day vulnerabilities.
The initial signs of exploitation were detected in mid-March 2025, with the attackers deploying two newly identified malware families, named TRAILBLAZE and BRUSHFIRE, alongside the previously reported SPAWN malware ecosystem. These malicious tools are intricately designed for espionage purposes, allowing attackers to maintain access to compromised systems while evading detection.
The technical details of the exploitation reveal that CVE-2025-22457 was initially considered a low-risk denial-of-service vulnerability due to its restricted character space. However, attackers managed to study a patch released in February 2025 (ICS version 22.7R2.6) to identify a complex method of exploiting earlier versions for remote code execution. Following a successful exploitation, a shell script dropper is used to execute the TRAILBLAZE in-memory dropper, which injects the BRUSHFIRE passive backdoor into running processes.
The deployment of TRAILBLAZE and BRUSHFIRE involves creating temporary files containing process metadata, a step intended to avoid detection. TRAILBLAZE, a dropper written in bare C, uses raw syscalls to keep its footprint minimal and installs hooks into targeted processes, through which it deploys the BRUSHFIRE backdoor. BRUSHFIRE itself operates as an SSL_read hook: it decrypts and executes shellcode embedded in incoming data streams and returns the results of successful execution via SSL_write.
Furthermore, the attackers utilized components from the SPAWN malware ecosystem, including SPAWNSLOTH, SPAWNSNARE, and SPAWNWAVE, showcasing advanced capabilities for tampering with logs, extracting kernel images, and maintaining stealthy persistence on compromised devices.
The attribution of these exploitation activities has been assigned to UNC5221 by the Google Threat Intelligence Group (GTIG). This group has a history of targeting edge devices using zero-day vulnerabilities and a broad toolkit that includes passive backdoors and trojanized legitimate components. Their consistent focus on exploiting edge devices highlights their strategic emphasis on compromising critical infrastructure.
To address CVE-2025-22457, Ivanti has released patches for ICS appliances and urges customers to upgrade to version 22.7R2.6 or later immediately. Organizations are also advised to run Ivanti’s Integrity Checker Tool (ICT) to detect anomalies, and to monitor for suspicious activity related to core dumps and to TLS certificates presented to the appliances. Active monitoring and prompt patching remain crucial defenses against threats of this kind.
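As an added illustration of the patch guidance (this is not code from Ivanti or from the advisory), the following Python helper triages an appliance inventory against the version facts stated above. It assumes that ICS version strings have the shape MAJOR.MINOR followed by an optional R<release>.<patch> suffix; the hostnames and inventory are constructed samples.

```python
import re

# Version facts stated in the advisory: ICS 22.7R2.5 and earlier are vulnerable,
# 22.7R2.6 (released February 2025) contains the fix, and the 9.x line is end-of-life.
FIXED_VERSION = "22.7R2.6"
EOL_MAJOR = 9

# Assumption (not taken from the page): version strings look like
# MAJOR.MINOR[R<release>[.<patch>]], e.g. "22.7R2.5". Missing components count as 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+)(?:\.(\d+))?)?$", re.IGNORECASE)


def parse_ics_version(text):
    """Turn '22.7R2.5' into a comparable tuple (22, 7, 2, 5)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised ICS version string: %r" % text)
    return tuple(int(part or 0) for part in match.groups())


def assess(version):
    """Classify one appliance version against the advisory's version facts."""
    try:
        parsed = parse_ics_version(version)
    except ValueError:
        return "unknown"        # confirm the version on the appliance itself
    if parsed[0] <= EOL_MAJOR:
        return "end-of-life"    # no patch for this line; migrate to a supported release
    if parsed < parse_ics_version(FIXED_VERSION):
        return "vulnerable"     # upgrade to 22.7R2.6 or later
    return "patched"


def triage(inventory):
    """Map {hostname: version} to {hostname: status}. Tuples compare numerically,
    so 22.7R2.10 correctly ranks above 22.7R2.6 (a plain string comparison
    would wrongly report it as vulnerable)."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are placeholders.
SAMPLE_INVENTORY = {
    "vpn-gw-01.example": "22.7R2.5",
    "vpn-gw-02.example": "22.7R2.6",
    "vpn-gw-03.example": "22.7R2.10",
    "vpn-legacy.example": "9.1R18",
    "vpn-unknown.example": "n/a",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-22s %s" % (host, status))
```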