Ivanti Patches Critical RCE Vulnerability Exploited by Chinese Cyber Espionage Group

Ivanti’s Latest Security Update: A Critical Fix

Ivanti has released an urgent security update to patch a critical remote code execution (RCE) vulnerability, tracked as CVE-2025-22457. The flaw, a stack-based buffer overflow, has been actively exploited by UNC5221, a China-linked espionage group, since at least mid-March 2025.

The vulnerability affects multiple Ivanti products, including:

– Pulse Connect Secure 9.1x (end-of-support as of December 2024)

– Ivanti Connect Secure (ICS) 22.7R2.5 and earlier

– Ivanti Policy Secure

– Neurons for ZTA gateways

According to Ivanti, attackers can exploit this flaw in high-complexity attacks without authentication or user interaction. Ivanti initially dismissed the issue as a product bug and only later discovered that advanced threat actors were actively weaponizing it.

Patch Release and Security Recommendations

Ivanti released a fix on February 11, 2025, with Connect Secure version 22.7R2.6, advising customers to immediately update their systems. Patches for other affected products are scheduled as follows:

– ZTA Gateways: April 19, 2025

– Ivanti Policy Secure: April 21, 2025

For organizations that suspect compromise, Ivanti recommends monitoring the external Integrity Checker Tool (ICT), watching for web server crashes, and factory resetting impacted appliances before deploying the patched version.

UNC5221: A Persistent and Sophisticated Threat

Security researchers from Mandiant and Google Threat Intelligence Group (GTIG) linked the exploitation of CVE-2025-22457 to UNC5221, a China-nexus cyber espionage group.

Following successful exploitation, UNC5221 deployed:

– TRAILBLAZE – An in-memory malware dropper

– BRUSHFIRE – A passive backdoor

– SPAWN malware ecosystem – Previously associated with UNC5221

UNC5221 has a history of exploiting zero-day vulnerabilities in Ivanti, NetScaler, and other network edge devices. The group was behind earlier exploitation of Ivanti Connect Secure flaws (CVE-2025-0282, CVE-2023-46805, CVE-2024-21887) that affected thousands of devices, including the breach of MITRE Corporation’s network in April 2024.

In January 2024, cybersecurity firm Volexity reported that UNC5221 had backdoored over 2,100 Ivanti appliances using the GIFTEDVISITOR webshell, highlighting the persistent risk posed by the group.

Both CISA and the FBI have issued warnings about ongoing attacks targeting Ivanti vulnerabilities, urging organizations to patch their systems immediately.

What Undercode Says:

The latest Ivanti vulnerability underscores the relentless targeting of enterprise infrastructure by state-sponsored cyber actors. Let’s break down some key takeaways from this attack and what it means for security teams:

1. Ivanti’s Recurring Security Struggles

Ivanti’s products have become a prime target for zero-day exploits, particularly in VPN and network access control appliances. Over the past year, multiple critical vulnerabilities have been exploited before patches were available, indicating a systematic weakness in Ivanti’s security model.

2. China-Linked UNC5221’s Growing Threat

UNC5221 has emerged as a highly capable espionage group that specializes in infiltrating edge infrastructure. Their continued focus on Ivanti, Citrix NetScaler, and similar appliances suggests an attempt to gain persistent access to high-value networks. This aligns with broader Chinese cyber operations, which often target:

– Government agencies

– Defense contractors

– Critical infrastructure

3. The Weaponization of Buffer Overflow Exploits

The use of a stack-based buffer overflow highlights a persistent software security challenge. While modern mitigations exist (such as Address Space Layout Randomization and Control Flow Integrity), advanced attackers like UNC5221 continue to find ways around them, exploiting overlooked flaws in legacy codebases.
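The bug class described above, shown as an added example that is not code from Ivanti or from the original article: a minimal C parser for a hypothetical `name=value` request line, first in the unsafe form (unbounded `strcpy` into a fixed-size stack buffer) and then with every length checked against the destination before any byte is copied. The field sizes, function names and sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical field sizes for a "name=value" request line (assumption). */
#define NAME_MAX  16
#define VALUE_MAX 64

enum parse_result { PARSE_OK = 0, PARSE_BAD_FORMAT = -1, PARSE_TOO_LONG = -2 };

struct field {
    char name[NAME_MAX];
    char value[VALUE_MAX];
};

/* UNSAFE pattern: the value is copied into a fixed-size stack buffer with
 * strcpy, which never checks the destination size. A value of VALUE_MAX
 * bytes or more writes past the end of 'value' and corrupts the stack.
 * ASLR and CFI raise the cost of turning that corruption into code
 * execution, but they do not remove the bug. Kept only for contrast and
 * called below on a short constant, never on external input. */
static int value_length_unsafe(const char *line) {
    char value[VALUE_MAX];
    const char *eq = strchr(line, '=');
    if (eq == NULL) return PARSE_BAD_FORMAT;
    strcpy(value, eq + 1);               /* unbounded write into a stack buffer */
    return (int)strlen(value);
}

/* Hardened: lengths are validated against the destination before any copy,
 * and oversized input is rejected rather than truncated, so the caller gets
 * an explicit error instead of silently altered data. */
int parse_field(const char *line, size_t line_len, struct field *out) {
    if (line == NULL || out == NULL) return PARSE_BAD_FORMAT;
    const char *eq = memchr(line, '=', line_len);
    if (eq == NULL) return PARSE_BAD_FORMAT;
    size_t name_len  = (size_t)(eq - line);
    size_t value_len = line_len - name_len - 1;   /* bytes after '=' */
    if (name_len == 0) return PARSE_BAD_FORMAT;
    if (name_len >= NAME_MAX || value_len >= VALUE_MAX) return PARSE_TOO_LONG;
    memcpy(out->name, line, name_len);
    out->name[name_len] = '\0';
    memcpy(out->value, eq + 1, value_len);
    out->value[value_len] = '\0';
    return PARSE_OK;
}

/* Convenience wrapper for NUL-terminated input. */
int parse_field_str(const char *line, struct field *out) {
    return line ? parse_field(line, strlen(line), out) : PARSE_BAD_FORMAT;
}

/* Constructed sample input for the self-checks below. */
static const char SAMPLE_OK[] = "host=vpn.example.internal";

/* Returns 1 when the well-formed sample parses into the expected fields. */
int example_valid(void) {
    struct field f;
    if (parse_field_str(SAMPLE_OK, &f) != PARSE_OK) return 0;
    return strcmp(f.name, "host") == 0 && strcmp(f.value, "vpn.example.internal") == 0;
}

/* Builds a 100-byte value, well beyond VALUE_MAX; the hardened parser
 * rejects it with PARSE_TOO_LONG instead of writing past the buffer. */
int example_oversized(void) {
    char line[7 + 100 + 1];
    struct field f;
    memcpy(line, "cookie=", 7);
    memset(line + 7, 'A', 100);
    line[107] = '\0';
    return parse_field_str(line, &f);
}

/* A line with no '=' separator is rejected before any copy happens. */
int example_bad_format(void) {
    struct field f;
    return parse_field_str("noequalsign", &f);
}

int main(void) {
    printf("valid sample parses: %d\n", example_valid());
    printf("oversized value result: %d (PARSE_TOO_LONG is %d)\n",
           example_oversized(), PARSE_TOO_LONG);
    printf("unsafe helper on short input: %d bytes\n", value_length_unsafe(SAMPLE_OK));
    return 0;
}
```

Build-time hardening such as `-fstack-protector-strong` and `-D_FORTIFY_SOURCE=2` can abort the process when an overflow like the one in `value_length_unsafe` is detected at runtime, which turns a potential RCE into a crash, but only the explicit length check in `parse_field` removes the defect itself.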

4. Lack of Immediate Transparency from Ivanti

Initially, Ivanti dismissed the vulnerability as a non-exploitable product bug. It was only after collaboration with security partners that the true risk was acknowledged. This delay in recognizing the real threat likely allowed UNC5221 to expand their foothold before an official patch was available.

5. A Reminder to Patch Immediately

Organizations using Ivanti products must act quickly to secure their infrastructure:

– Update to Ivanti Connect Secure 22.7R2.6 immediately

– Monitor external ICT logs for signs of intrusion

– Factory reset compromised devices before redeployment

With patches for ZTA and Policy Secure not arriving until late April, organizations must remain vigilant and consider temporary mitigation measures where possible.

Fact Checker Results

  • Ivanti initially downplayed the exploitability of CVE-2025-22457, later acknowledging active exploitation.
  • UNC5221 has a history of targeting Ivanti vulnerabilities, dating back to at least 2023.
  • Security agencies (CISA, FBI) have issued multiple warnings regarding Ivanti vulnerabilities, urging immediate patching.

This incident serves as a stark reminder of how quickly zero-days can be weaponized—and why timely patching is non-negotiable in today’s cyber threat landscape.

References:

Reported By: https://www.bleepingcomputer.com/news/security/ivanti-patches-connect-secure-zero-day-exploited-since-mid-march/