In a recent cyber-espionage operation, a group identified as UNC5221, believed to have ties to China, has taken advantage of a critical vulnerability in Ivanti Connect Secure VPN appliances.
The vulnerability, known as CVE-2025-22457, is a stack-based buffer overflow that affects various Ivanti products, including Policy Secure and Zero Trust Access gateways.
Initially, Ivanti classified CVE-2025-22457 as a low-risk denial-of-service flaw. However, further analysis revealed that it could lead to unauthenticated remote code execution (RCE). As a result, Ivanti publicly disclosed the vulnerability on April 3, 2025, and upgraded its severity to Critical with a CVSS score of 9.0.
Although Ivanti had released a patch in February, UNC5221 reverse-engineered it to develop a sophisticated exploit. This exploit allows attackers to send specially crafted HTTP requests to vulnerable appliances, triggering a buffer overflow and executing arbitrary code with high privileges, providing unauthorized access to the victim’s internal network.
UNC5221’s tactics involve deploying a multi-stage malware sequence, starting with a shell script dropper that initiates the execution of malicious code. This code injects a backdoor into the Ivanti Connect Secure web service process, ensuring persistence without leaving any files on disk. Known as BRUSHFIRE, this backdoor operates covertly in memory and responds to specific inbound VPN traffic.
To evade detection, UNC5221 employs various techniques such as in-memory malware implants, log manipulation, and the use of compromised intermediary devices to mask their operational infrastructure. According to Picus Security, these tactics make it difficult for conventional monitoring systems to detect UNC5221’s activities, allowing them to conduct espionage operations without being detected.
UNC5221’s operations have had a global impact, affecting organizations worldwide, including targets in the United States. This underscores the widespread threat posed by vulnerabilities in internet-facing network infrastructure. Ivanti has confirmed that several customers were breached due to this vulnerability, emphasizing the importance of promptly updating to the patched version (ICS 22.7R2.6 or later).
Security experts recommend immediate patching, continuous monitoring for unauthorized access attempts, and the implementation of additional security measures like network segmentation to reduce the attack surface. Organizations are advised to review their authentication and password management practices to mitigate the risk of credential theft.
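One concrete form of the "patch promptly" advice is to check an appliance inventory against the fixed release the article names (ICS 22.7R2.6). The following script is an added example written for this article, not Ivanti's or any vendor's tooling; it assumes Ivanti Connect Secure version strings follow the pattern `<major>.<minor>R<release>[.<patch>]`, uses constructed hostnames and versions, and applies only to Connect Secure (Policy Secure and ZTA gateways have their own version lines).

```python
import re
from typing import NamedTuple, Optional

# Fixed release named in the article; anything older is treated as unpatched.
FIXED_VERSION = "22.7R2.6"

# Assumed ICS version format, e.g. "22.7R2.6": <major>.<minor>R<release>[.<patch>]
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")

class IcsVersion(NamedTuple):
    major: int
    minor: int
    release: int
    patch: int

def parse_ics_version(text: str) -> Optional[IcsVersion]:
    """Parse an ICS version string; return None if it does not match the assumed format."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, release, patch = m.groups()
    return IcsVersion(int(major), int(minor), int(release), int(patch or 0))

def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if version >= fixed, False if older, None if the string cannot be parsed."""
    v = parse_ics_version(version_text)
    f = parse_ics_version(fixed)
    if v is None or f is None:
        return None
    return v >= f  # tuple comparison: major, then minor, release, patch

def triage_inventory(inventory: dict) -> dict:
    """Bucket appliances as 'patched', 'unpatched' or 'unknown' (needs manual review)."""
    result = {"patched": [], "unpatched": [], "unknown": []}
    for host, version in inventory.items():
        status = is_patched(version)
        key = "unknown" if status is None else ("patched" if status else "unpatched")
        result[key].append(host)
    return result

# Constructed sample inventory: hostnames and version values are made up for illustration.
SAMPLE_INVENTORY = {
    "vpn-ams-01.example.internal": "22.7R2.6",
    "vpn-ams-02.example.internal": "22.7R2.5",
    "vpn-nyc-01.example.internal": "22.7R1.4",
    "vpn-sfo-01.example.internal": "22.7R3.1",
    "vpn-lab-01.example.internal": "22.7R2",
    "vpn-old-01.example.internal": "build-unknown",
}
```

Hosts landing in the `unknown` bucket (a version string the parser does not recognise) should be reviewed by hand rather than assumed patched.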
This incident highlights the ongoing threat posed by state-sponsored attackers targeting internet-facing devices and emphasizes the critical need for swift action to address software vulnerabilities, particularly in crucial infrastructure like VPN gateways, which are prime targets for cyber adversaries.
