Introduction
A critical vulnerability [1] [2] [4] [7] [8] [10], identified as CVE-2025-22457 [1] [3] [7] [10], has been discovered in Ivanti products, posing significant security risks. This vulnerability is actively exploited by the Chinese state-sponsored threat actor UNC5221, highlighting the urgent need for organizations to address this issue promptly.
Description
A critical vulnerability in Ivanti products [1] [10], identified as CVE-2025-22457 [1] [3] [7] [10], was disclosed on April 3, 2025, and is being actively exploited by the Chinese state-sponsored threat actor UNC5221. This stack-based buffer overflow flaw [1] [2] [4] [9] [10], which has a critical CVSS score of 9.0 [1] [10], affects Ivanti Connect Secure (ICS) versions 22.7R2.5 and earlier [4] [6] [7] [8] [10], as well as Pulse Connect Secure 9.1R18.9 and earlier, the latter of which reached end-of-support on December 31, 2024. Initially assessed as a low-risk denial of service [5] [8] [10], the vulnerability has been reclassified as critical due to its potential for remote code execution [5], allowing remote [2] [7] [9] [11], unauthenticated attackers to execute arbitrary code on affected systems [9] [11], potentially leading to full system compromise [9]. Real-world exploitation has been observed since mid-March 2025 [10], primarily targeting these vulnerable versions.
Upon successful exploitation [6] [8], UNC5221 has deployed a sophisticated multi-stage malware arsenal [1], including TRAILBLAZE [1] [4], an in-memory dropper [1] [6], and BRUSHFIRE [1] [4] [6] [7] [8], a stealthy backdoor that enables remote command execution based on specific TLS certificate strings [7]. The attack sequence involves exploiting the buffer overflow to run a shell script that targets running web processes [1], followed by the injection of TRAILBLAZE into memory [1], which delivers BRUSHFIRE into an active web service [1]. The group has also utilized elements of the SPAWN malware ecosystem, employing tools like SPAWNSLOTH [2] [4], SPAWNSNARE [1] [4], and SPAWNWAVE to evade detection and tamper with logs. Mandiant has noted that UNC5221 has a history of exploiting zero-day vulnerabilities in Ivanti products since 2023 [9], including CVE-2025-0282 [3] [9], CVE-2023-46805 [9], and CVE-2024-21887 [9]. The Google Threat Intelligence Group assesses that UNC5221 will continue to pursue zero-day exploits of edge devices [6], leveraging an obfuscation network of compromised appliances to mask their operations [6].
CVE-2025-22457 was patched in Ivanti Connect Secure version 22.7R2.6 on February 11, 2025 [2] [11]. Organizations using Ivanti Connect Secure that have not updated to this version by February 28, 2025 [3], as well as all instances of Pulse Connect Secure [3], Ivanti Policy Secure [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], and ZTA Gateways [1] [2] [3] [4] [5] [6] [11], are urged to take immediate action [3]. This includes applying the patches detailed in the Security Advisory for Ivanti Connect Secure [3], Policy Secure [1] [2] [3] [4] [5] [6] [7] [9] [11], and ZTA Gateways [1] [2] [3] [4] [5] [6] [11], and reporting any incidents or unusual activity to CISA’s 24/7 Operations Center [3]. Patches for Ivanti Policy Secure and Ivanti ZTA Gateways are scheduled for release on April 21 and April 19, 2025 [6] [11], respectively [3] [6] [7] [11]. Organizations are advised to disconnect vulnerable devices until these patches are available [3].
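The affected and fixed versions described above can be turned into an inventory triage check. This is an added example, not code from the advisories cited here; the version cut-offs (ICS fixed in 22.7R2.6, Pulse Connect Secure 9.1R18.9 and earlier with no patch because the line is end-of-support, Policy Secure and ZTA Gateways with patches still pending at the time of writing) come from the text, while the product labels, function names and the sample inventory are constructed for the example.

```python
"""Triage helper for CVE-2025-22457 (added example, not from the cited sources)."""
import re
from typing import List, Tuple

# "22.7R2.5" -> (22, 7, 2, 5); a missing trailing component counts as 0.
_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(ver: str) -> Tuple[int, int, int, int]:
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {ver!r}")
    major, minor, r, patch = m.groups()
    return int(major), int(minor), int(r), int(patch or 0)


# First fixed Ivanti Connect Secure release, per the advisory summary above.
ICS_FIXED = parse_version("22.7R2.6")
# Last affected Pulse Connect Secure release; the line is end-of-support, so
# there is no fixed build to upgrade to.
PCS_LAST_AFFECTED = parse_version("9.1R18.9")


def triage(product: str, version: str) -> str:
    """Return 'patched', 'vulnerable', 'vulnerable-no-patch' or 'review'."""
    v = parse_version(version)
    if product == "ICS":
        return "patched" if v >= ICS_FIXED else "vulnerable"
    if product == "PCS":
        # Isolate or replace: nothing newer than 9.1R18.9 is listed as safe.
        return "vulnerable-no-patch" if v <= PCS_LAST_AFFECTED else "review"
    if product in ("IPS", "ZTA"):
        # Patches were scheduled for April 2025; treat every build as affected
        # until the vendor fix is actually applied.
        return "vulnerable-no-patch"
    raise ValueError(f"unknown product {product!r}")


def triage_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Rows are (hostname, product, version); returns [(hostname, status)]."""
    return [(host, triage(prod, ver)) for host, prod, ver in inventory]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("vpn-a.example", "ICS", "22.7R2.5"),
    ("vpn-b.example", "ICS", "22.7R2.6"),
    ("vpn-c.example", "ICS", "22.7R2"),
    ("legacy.example", "PCS", "9.1R18.9"),
    ("pol.example", "IPS", "22.7R1.2"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:16} {status}")
```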
In cases where threat hunting indicates a compromise [3], organizations should isolate all confirmed affected devices from the network and maintain this isolation until the necessary guidance is followed and patches are applied [3]. Immediate reporting to CISA and Ivanti is also recommended for compromised devices [3]. Mandiant and Ivanti have urged all ICS customers using versions 22.7R2.6 and lower to apply the patches without delay [10]. Additionally, organizations are encouraged to monitor for suspicious activity using the Integrity Checker Tool (ICT) to mitigate risks associated with this vulnerability. Recommendations include checking for signs of compromise, monitoring external ICT for web server crashes [6], and performing a factory reset if necessary [1] [6]. The ongoing exploitation of this vulnerability underscores the urgent need for improved vulnerability management and faster threat intelligence sharing [2], as a significant percentage of exposed Ivanti/Pulse Connect Secure servers remain vulnerable [2].
Conclusion
The exploitation of CVE-2025-22457 by UNC5221 underscores the critical need for organizations to prioritize patch management and threat intelligence sharing. Immediate action is required to mitigate the risks associated with this vulnerability [8], including applying patches [5], isolating compromised devices [3], and monitoring for suspicious activity [8]. The persistent threat posed by state-sponsored actors like UNC5221 highlights the importance of robust cybersecurity measures and proactive vulnerability management to protect against future exploits.
References
[1] https://socradar.io/unc5221-targets-ivanti-cve-2025-22457-trailblaze-brushfire-malware/
[2] https://cybersecuritynews.com/ivanti-connect-secure-vulnerability-actively-exploited-in-the-wild/
[3] https://www.cisa.gov/news-events/alerts/2025/04/04/ivanti-releases-security-updates-connect-secure-policy-secure-zta-gateways-vulnerability-cve-2025
[4] https://securityonline.info/cve-2025-22457-unc5221-exploits-ivanti-zero-day-flaw-to-deploy-trailblaze-and-brushfire-malware/
[5] https://research.kudelskisecurity.com/2025/04/04/cve-2025-22457-critical-ivanti-connect-secure-vulnerability/
[6] https://www.helpnetsecurity.com/2025/04/03/ivanti-vpn-customers-targeted-via-unrecognized-rce-vulnerability-cve-2025-22457/
[7] https://www.csoonline.com/article/3954735/ivanti-warns-customers-of-new-critical-flaw-exploited-in-the-wild.html
[8] https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability
[9] https://www.techworm.net/2025/04/trailblaze-burshfire-malware-in-ivanti.html
[10] https://www.infosecurity-magazine.com/news/chinese-state-hackers-ivanti-flaw/
[11] https://www.rapid7.com/blog/post/2025/04/03/etr-ivanti-connect-secure-cve-2025-22457-exploited-in-the-wild/