Ivanti recently disclosed the details of a critical security vulnerability that affects its Connect Secure product and has been actively exploited in the wild. The vulnerability, identified as CVE-2025-22457 with a CVSS score of 9.0, is a stack-based buffer overflow that can be exploited to execute arbitrary code on affected systems.
According to Ivanti, the vulnerability exists in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2, allowing a remote unauthenticated attacker to achieve remote code execution. The company has provided a detailed description of the affected products and versions in its security advisory.
The affected products and versions include:
- Ivanti Connect Secure (versions 22.7R2.5 and prior) – Fixed in version 22.7R2.6 (Patch released on February 11, 2025)
- Pulse Connect Secure (versions 9.1R18.9 and prior) – Fixed in version 22.7R2.6 (Contact Ivanti to migrate as the device has reached end-of-support as of December 31, 2024)
- Ivanti Policy Secure (versions 22.7R1.3 and prior) – Fixed in version 22.7R1.4 (To be available on April 21)
- ZTA Gateways (versions 22.8R2 and prior) – Fixed in version 22.8R2.2 (To be available on April 19)
Ivanti has confirmed that a limited number of customers have been impacted, with their Connect Secure and end-of-support Pulse Connect Secure appliances being exploited. However, there is no evidence of in-the-wild exploitation of Policy Secure or ZTA gateways.
To mitigate the vulnerability, Ivanti recommends that customers monitor their external ICT and look for web server crashes. If signs of compromise are detected, a factory reset of the appliance should be performed, followed by updating to version 22.7R2.6.
It’s worth noting that Connect Secure version 22.7R2.6 also addressed multiple critical vulnerabilities (CVE-2024-38657, CVE-2025-22467, and CVE-2024-10644) that could permit a remote authenticated attacker to write arbitrary files and execute arbitrary code.
Google-owned Mandiant has reported observing evidence of exploitation of CVE-2025-22457 in mid-March 2025, allowing threat actors to deliver an in-memory dropper called TRAILBLAZE, a passive backdoor codenamed BRUSHFIRE, and the SPAWN malware suite.
The attack chain involves the use of a multi-stage shell script dropper to execute TRAILBLAZE, which then injects BRUSHFIRE directly into the memory of a running web process in an attempt to sidestep detection. The exploitation activity is designed to establish persistent backdoor access on compromised appliances, potentially enabling credential theft, further network intrusion, and data exfiltration.
The use of SPAWN is attributed to a China-nexus adversary tracked as UNC5221, which has a history of leveraging zero-day flaws in Ivanti Connect Secure (ICS) devices, alongside other clusters such as UNC5266, UNC5291, UNC5325, UNC5330, UNC5337, and UNC3886.
UNC5221 has also been assessed to share overlaps with threat groups such as APT27, Silk Typhoon, and UTA0178, according to the U.S. government. However, Mandiant does not have enough evidence to confirm this connection.
“Mandiant tracks UNC5221 as a cluster of activity that has repeatedly exploited edge devices with zero-day vulnerabilities,” said Dan Perez, China Mission Technical Lead, Google Threat Intelligence Group.
“The link between this cluster and APT27 made by the government is plausible, but we do not have independent evidence to confirm. Silk Typhoon is Microsoft’s name for this activity, and we can’t speak to their attribution.”
UNC5221 has also been observed leveraging an obfuscation network of compromised Cyberoam appliances, QNAP devices, and ASUS routers to mask their true source during intrusion operations, an aspect also highlighted by Microsoft early last month, detailing Silk Typhoon’s latest tradecraft.
The company further theorized that the threat actor likely analyzed the February patch released by Ivanti and figured out a way to exploit prior versions in order to achieve remote code execution against unpatched systems. This marks the first time UNC5221 has been attributed to the N-day exploitation of a security flaw in Ivanti devices.
“This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups,” said Charles Carmakal, Mandiant Consulting CTO.
“These actors will continue to research security vulnerabilities and develop custom malware for enterprise systems that don’t support EDR solutions. The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase and these actors are better than ever.”
