Ivanti has disclosed details of a now-patched critical security vulnerability impacting its Connect Secure that has come under active exploitation in the wild.
The vulnerability, tracked as CVE-2025-22457 (CVSS score: 9.0), concerns a case of a stack-based buffer overflow that could be exploited to execute arbitrary code on affected systems.
“A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution,” Ivanti said in an alert released Thursday.
The flaw impacts the following products and versions –
- Ivanti Connect Secure (versions 22.7R2.5 and prior) – Fixed in version 22.7R2.6 (Patch released on February 11, 2025)
- Pulse Connect Secure (versions 9.1R18.9 and prior) – Fixed in version 22.7R2.6 (Contact Ivanti to migrate as the device has reached end-of-support as of December 31, 2024)
- Ivanti Policy Secure (versions 22.7R1.3 and prior) – Fixed in version 22.7R1.4 (To be available on April 21)
- ZTA Gateways (versions 22.8R2 and prior) – Fixed in version 22.8R2.2 (To be available on April 19)
The company said it’s aware of a “limited number of customers” whose Connect Secure and end-of-support Pulse Connect Secure appliances have been exploited. There is no evidence that Policy Secure or ZTA gateways have come under in-the-wild abuse.
“Customers should monitor their external ICT and look for web server crashes,” Ivanti noted. “If your ICT result shows signs of compromise, you should perform a factory reset on the appliance and then put the appliance back into production using version 22.7R2.6.”
It’s worth mentioning here that Connect Secure version 22.7R2.6 also addressed multiple critical vulnerabilities (CVE-2024-38657, CVE-2025-22467, and CVE-2024-10644) that could permit a remote authenticated attacker to write arbitrary files and execute arbitrary code.
Google-owned Mandiant, in a bulletin of its own, said it observed evidence of exploitation of CVE-2025-22457 in mid-March 2025, allowing the threat actors to deliver an in-memory dropper called TRAILBLAZE, a passive backdoor codenamed BRUSHFIRE, and the SPAWN malware suite.
The attack chain essentially involves the use of a multi-stage shell script dropper to execute TRAILBLAZE, which then injects BRUSHFIRE directly into the memory of a running web process in an attempt to sidestep detection. The exploitation activity is designed to establish persistent backdoor access on compromised appliances, potentially enabling credential theft, further network intrusion, and data exfiltration.
The SPAWN malware ecosystem includes the below components –
- SPAWNSLOTH, a log tampering utility that can disable logging and disable log forwarding to an external syslog server when the SPAWNSNAIL backdoor is operating
- SPAWNSNARE, a C-based program that’s used to extract the uncompressed linux kernel image (vmlinux) into a file and encrypt it using AES
- SPAWNWAVE, an improved version of SPAWNANT that combines various elements of SPAWN (overlaps with SPAWNCHIMERA and RESURGE)
The use of SPAWN is attributed to a China-nexus adversary tracked as UNC5221, which has a history of leveraging zero-day flaws in Ivanti Connect Secure (ICS) devices, alongside other clusters such as UNC5266, UNC5291, UNC5325, UNC5330, UNC5337, and UNC3886.
UNC5221, per the U.S. government, has also been assessed to share overlaps with threat groups such as APT27, Silk Typhoon, and UTA0178. However, the threat intelligence firm told The Hacker News that it does not have enough evidence on its own to confirm this connection.
“Mandiant tracks UNC5221 as a cluster of activity that has repeatedly exploited edge devices with zero-day vulnerabilities,” Dan Perez, China Mission Technical Lead, Google Threat Intelligence Group, told the publication.
“The link between this cluster and APT27 made by the government is plausible, but we do not have independent evidence to confirm. Silk Typhoon is Microsoft’s name for this activity, and we can’t speak to their attribution.”
Besides conducting zero-day exploitation of CVE-2023-4966, affecting Citrix NetScaler devices, UNC5221 has leveraged an obfuscation network of compromised Cyberoam appliances, QNAP devices, and ASUS routers to mask their true source during intrusion operations, an aspect also highlighted by Microsoft early last month, detailing Silk Typhoon’s latest tradecraft.
The company further theorized that the threat actor likely analyzed the February patch released by Ivanti and figured out a way to exploit prior versions in order to achieve remote code execution against unpatched systems. The development marks the first time UNC5221 has been attributed to the N-day exploitation of a security flaw in Ivanti devices.
“This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups,” Charles Carmakal, Mandiant Consulting CTO, said.
“These actors will continue to research security vulnerabilities and develop custom malware for enterprise systems that don’t support EDR solutions. The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase and these actors are better than ever.”
Update
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on April 4, 2025, added CVE-2025-22457 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by April 11, 2025, to safeguard against active exploitation efforts.
The agency has also recommended customers to conduct a factory reset of the appliances “for the highest level of confidence,” isolate and disconnect affected instances from the network in the event of a compromise, and rotate passwords.
“It is vital organizations do their own analysis and that the industry continues to review vulnerabilities and their exploitability and impact independently when making risk decisions,” said watchTowr CEO Benjamin Harris.
