China-Backed Espionage Group Strikes Ivanti Customers Again

Listen to this Post

A Rising Threat to Ivanti VPN Users

Ivanti customers are once again facing cyberattacks linked to a Chinese state-sponsored espionage group. Security firm Mandiant has confirmed that UNC5221, a well-documented threat actor, has been actively exploiting a critical vulnerability—CVE-2025-22457—since mid-March 2025.

This latest breach adds to a growing list of security flaws in Ivanti’s VPN products, which have been repeatedly targeted by hackers. Since early 2024, Ivanti has appeared 15 times in the Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities. The attacks underscore a troubling pattern: China-backed threat actors are ramping up their cyber intrusion activities and refining their techniques.

The Persistent Targeting of Ivanti Products

UNC5221 is no stranger to Ivanti vulnerabilities. Over the past two years, the group has successfully exploited multiple zero-day flaws, including CVE-2025-0282, CVE-2023-46805, and CVE-2024-21887. These vulnerabilities have been used to breach corporate and government networks worldwide.

The most recent vulnerability, CVE-2025-22457, affects Ivanti Connect Secure VPN. Although Ivanti issued a patch on February 11, the company did not publicly disclose the vulnerability until months later. Initially classified as a low-risk issue, security researchers later discovered that sophisticated attackers, like UNC5221, could weaponize it.

In response, Ivanti has urged all customers to update to version 22.7R2.6, which contains the necessary security patches. However, older versions—such as Ivanti Connect Secure 22.7R2.5 and Pulse Connect Secure 9.1x—remain vulnerable and have already been exploited. The flaw allows attackers to execute remote code, giving them full control over compromised systems.

The Advanced Techniques of UNC5221

Mandiant’s investigation into UNC5221’s operations has revealed the use of advanced malware tools, including:

  • Trailblaze – an in-memory dropper designed to evade detection
  • Brushfire – a passive backdoor used for persistent access
  • Spawn malware – various tools deployed to manipulate Ivanti’s security controls

Additionally, the group has been modifying Ivanti’s Integrity Checker Tool, a diagnostic tool meant to detect intrusions. By altering this software, UNC5221 can bypass security mechanisms and remain undetected for extended periods.

Ivanti’s Response and Industry Concerns

Ivanti has acknowledged the severity of these attacks and is working with security partners to strengthen its defenses. The company has also pledged to release patches for other affected products, including Ivanti Policy Secure and Ivanti ZTA Gateways, later this month.

Cybersecurity experts warn that UNC5221 is likely to accelerate its attack campaigns before organizations have a chance to apply necessary patches. As China-linked espionage groups continue to refine their methods, businesses and governments must remain vigilant in updating their security defenses.

What Undercode Says:

UNC5221’s latest attack campaign highlights a growing trend in state-sponsored cyber espionage: the focus on edge devices and VPN infrastructure. These tools are critical for remote access and network security, making them prime targets for nation-state attackers.

1. Why Ivanti?

Ivanti products have become a consistent target for cybercriminals, particularly those linked to China. The reason? Many enterprises rely on Ivanti’s VPN solutions for secure remote access. By compromising these systems, attackers can gain unrestricted access to sensitive corporate and government networks.

2. The Escalation of Cyber Espionage

China-backed cyber actors have significantly ramped up their operations in recent years. Mandiant’s data suggests that groups like UNC5221 are increasing their attack velocity, using zero-day vulnerabilities and advanced malware frameworks. This aligns with broader trends in cyber warfare, where state-sponsored groups prioritize persistent access over one-time breaches.

3. The Hidden Risks of Delayed Disclosure

Ivanti’s decision to withhold information about CVE-2025-22457 for months is troubling. While responsible disclosure is essential to prevent widespread panic, withholding critical security information can leave organizations unknowingly exposed. This delay gave UNC5221 ample time to study the patch, develop an exploit, and execute attacks before organizations had a chance to respond.

4. The Problem with Patch Management

Despite the availability of patches, many companies struggle to implement updates quickly. Legacy systems, compatibility concerns, and lack of IT resources often delay patch deployment, making enterprises easy targets for cyber threats. Attackers capitalize on this lag, striking before patches are applied.

5. The Future of VPN Security

With VPNs remaining a primary attack vector, organizations should reconsider their reliance on traditional VPN-based security. The shift towards zero-trust architecture (ZTA)—where access is verified at multiple levels—could mitigate such threats. However, adoption of ZTA is slow, leaving many companies vulnerable in the meantime.

6. How Organizations Can Protect Themselves

To defend against UNC5221 and similar threat groups, businesses should:
– Apply patches immediately – especially for Ivanti Connect Secure 22.7R2.6
– Monitor network activity for signs of intrusion, particularly unusual VPN connections
– Adopt zero-trust security models to limit access privileges
– Use endpoint detection and response (EDR) solutions to identify malware like Trailblaze and Brushfire
– Increase employee cybersecurity training to detect and respond to phishing or social engineering attempts

7. The Bigger Picture

China’s cyber-espionage efforts are part of a larger geopolitical strategy. By targeting critical infrastructure, corporate networks, and government agencies, these groups aim to steal intellectual property, disrupt operations, and gather intelligence. The frequency and sophistication of attacks suggest a well-funded, highly coordinated effort that will likely persist for years.

8. What’s Next?

With Ivanti still developing patches for other affected products, organizations must stay proactive. UNC5221 and similar groups will continue their relentless pursuit of exploitable vulnerabilities, making cybersecurity a constant battle. Enterprises must prioritize security updates, invest in advanced threat detection, and move towards a zero-trust security model to stay ahead of attackers.

Fact Checker Results:

  • UNC5221 is a known Chinese state-sponsored cyber group – confirmed by Mandiant and Google Threat Intelligence.
  • Ivanti vulnerabilities have been actively exploited – with at least 15 cases recorded in CISA’s database since 2024.
  • The attack strategy follows a common pattern – delayed patch disclosure, exploitation of zero-days, and use of advanced malware.

The reality is that China-backed cyber espionage is not slowing down. Ivanti and other security vendors must step up their game, and businesses must remain vigilant to prevent becoming the next target.

References:

Reported By: https://cyberscoop.com/china-espionage-group-ivanti-vulnerability-exploits/
Extra Source Hub:
https://www.quora.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image