A newly discovered remote code execution (RCE) vulnerability in Ivanti Connect Secure (CVE-2025-22457) has been actively exploited by a China-linked cyberespionage group, UNC5221, since mid-March 2025. This flaw, a stack-based buffer overflow, allows attackers to execute malicious code remotely without authentication, putting organizations at serious risk.
Ivanti has released security updates to patch the flaw, but the company warns that some customers have already been affected. Cybersecurity researchers from Mandiant and Google Threat Intelligence Group (GTIG) identified active exploitation in the wild, with attackers deploying sophisticated malware families such as TRAILBLAZE, BRUSHFIRE, and SPAWN.
The affected products include Ivanti Connect Secure (versions 22.7R2.5 and earlier), Pulse Connect Secure (end-of-support as of December 31, 2024), and Ivanti Policy Secure/ZTA gateways. While a fix has been issued for Connect Secure, patches for ZTA and Policy Secure will only arrive in mid-April 2025.
Organizations using these products must act immediately, upgrading to Ivanti Connect Secure 22.7R2.6 and monitoring their networks for signs of compromise.
The Exploit and Its Impact
- Vulnerability Details: CVE-2025-22457 is a stack-based buffer overflow allowing unauthenticated remote code execution.
- Exploitation Timeline: Active exploitation observed since mid-March 2025.
- Attackers Identified: UNC5221, a China-linked espionage group, has been leveraging the flaw.
- Malware Deployed: TRAILBLAZE (an in-memory dropper), BRUSHFIRE (a passive backdoor), and SPAWN malware.
- Affected Products:
  - Ivanti Connect Secure (v22.7R2.5 and earlier).
  - Pulse Connect Secure 9.x (end-of-support as of December 31, 2024).
  - Ivanti Policy Secure and ZTA gateways.
- Security Patch Release:
  - Connect Secure patch (22.7R2.6) released on February 11, 2025.
  - Patches for ZTA and Policy Secure gateways expected on April 19 and 21.
- Mitigation Advice:
  - Upgrade immediately to Connect Secure 22.7R2.6.
  - Monitor logs using Ivanti’s Integrity Checker Tool (ICT).
  - Reset compromised devices before redeployment.
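One way to turn the upgrade advice into a repeatable inventory check, added here as an example that is not part of the original post or of Ivanti's own tooling: it parses the version format quoted above (e.g. 22.7R2.5) and flags any appliance still below 22.7R2.6. The host names and inventory are constructed, and the version format is assumed to be `<major>.<minor>R<release>[.<patch>]`.

```python
import re

# Fixed Connect Secure build named in the advisory summary above.
FIXED_VERSION = "22.7R2.6"


def parse_ivanti_version(version: str) -> tuple:
    """Turn an Ivanti-style version string such as '22.7R2.5' into a
    comparable tuple (22, 7, 2, 5).

    Assumed format: <major>.<minor>R<release>[.<patch>]; a missing
    patch component is treated as 0. Raises ValueError otherwise.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognized Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def needs_upgrade(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed build."""
    return parse_ivanti_version(version) < parse_ivanti_version(fixed)


def triage_inventory(inventory: dict) -> dict:
    """Map each appliance name to 'upgrade', 'ok' or 'unparsed'.

    Unparsed entries are reported rather than silently skipped so that
    an appliance with an odd version string is not assumed safe.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "upgrade" if needs_upgrade(version) else "ok"
        except ValueError:
            result[host] = "unparsed"
    return result


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "vpn-eu-1": "22.7R2.5",       # one patch level behind the fix
    "vpn-eu-2": "22.7R2.6",       # already on the fixed build
    "vpn-us-1": "22.7R2",         # no patch component -> treated as .0
    "vpn-lab": "build-unknown",   # cannot be parsed, must be reviewed by hand
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Pulse Connect Secure 9.x strings such as 9.1R18.9 parse the same way and are reported as needing an upgrade, which matches the end-of-support status noted above.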
What Undercode Says:
The exploitation of CVE-2025-22457 highlights a growing trend where nation-state actors actively target critical network infrastructure. The attack attributed to UNC5221 fits a larger pattern observed in recent years, where Chinese threat actors have used zero-day vulnerabilities to infiltrate high-value targets.
1. The Growing Threat from Nation-State Cyber Actors
The link between UNC5221 and Chinese cyber operations is concerning but not surprising. China has a well-documented history of cyberespionage, targeting governmental and corporate entities for intelligence gathering. In previous campaigns, Chinese actors exploited edge devices like firewalls and VPNs to maintain persistent access to networks.
2. Why This Vulnerability Matters
A remote code execution vulnerability in a widely used VPN solution poses severe risks:
- Network Takeover: Attackers can execute arbitrary code, gaining full control over network appliances.
- Silent Persistence: The deployment of backdoors like BRUSHFIRE allows attackers to maintain long-term access.
- Data Exfiltration & Espionage: The malware families used suggest an intent to gather intelligence rather than mere disruption.
3. Are Companies Taking Security Seriously Enough?
Despite repeated warnings from cybersecurity experts, many organizations delay patching critical vulnerabilities. The exploitation of CVE-2025-22457 is yet another example of attackers taking advantage of slow security response times. Organizations must prioritize updates, especially for internet-facing devices.
4. Proactive Security Measures for Organizations
Given the sophistication of UNC5221’s attacks, companies must adopt a multi-layered security approach:
- Patch Management: Immediate updates to 22.7R2.6 are critical.
- Threat Intelligence Monitoring: Follow reporting from sources such as Google’s Threat Intelligence Group to stay ahead of threats.
- Zero Trust Architecture (ZTA): Limit access based on strict identity verification.
- Behavioral Analysis: Monitor network traffic for signs of suspicious activity.
5. What’s Next?
With Ivanti planning to release additional patches in April, it remains to be seen if attackers will shift tactics. Given UNC5221’s history, they are likely to adapt and find new vulnerabilities. Future attacks may involve more sophisticated exploits or the repurposing of previously developed malware families.
Fact Checker Results:
- Vulnerability Confirmation: CVE-2025-22457 is a verified Ivanti Connect Secure flaw, acknowledged by Ivanti and cybersecurity experts.
- China-Linked Attribution: The UNC5221 group, attributed to Chinese cyberespionage, has been linked to previous similar exploits.
- Patch Release: Ivanti has officially released a security patch for Connect Secure, with additional fixes scheduled for April.
References:
Reported By: https://securityaffairs.com/176162/apt/china-linked-group-unc5221-exploited-ivanti-connect-secure-zero-day-since-mid-march.html