Ivanti warns customers of new critical flaw exploited in the wild


Ivanti is warning customers that a critical vulnerability that impacts its VPN appliances and other products has already been exploited in the wild by a Chinese APT group. The flaw was originally flagged by Ivanti as a denial-of-service issue, but attackers figured out how to exploit it for remote code execution.

The vulnerability, now tracked as CVE-2025-22457 with a severity score of 9.0 (Critical) on the CVSS scale, was exploited to deploy two new malware programs on Ivanti Connect Secure appliances versions 22.7R2.5 and earlier and Pulse Connect Secure 9.1x appliances that had reached end-of-support in December.

It’s worth noting that version 22.7R2.6 of Ivanti Connect Secure, released in February, contains a fix for this issue, but it was originally considered a product bug, not a vulnerability.

“The vulnerability is a buffer overflow with a limited character space, and therefore it was initially believed to be a low-risk denial-of-service vulnerability,” incident responders from Google-owned Mandiant wrote in a report on the flaw. “We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution.”

The vulnerability also impacts Ivanti Policy Secure and Ivanti Neurons ZTA gateways when they are generated and left unconnected to a ZTA controller. These products don’t have patches available yet, but active exploitation has not currently been observed, and exploitation is less likely because Ivanti Policy Secure is not meant to be connected to the internet and ZTA gateways can’t be exploited when deployed in a production configuration.

Ivanti estimates patches for ZTA gateways and Policy Secure will be released on April 19 and April 21, respectively. Pulse Connect Secure, being end-of-life, will not receive a patch for this issue and is already being targeted for active exploitation.

Known APT group deploys new malware

The Google Threat Intelligence Group (GTIG) and Mandiant started seeing attacks exploiting this vulnerability in mid-March and attributed them to a Chinese cyberespionage group they track as UNC5221.

UNC5221 has been engaged in zero-day exploitation of network edge devices, including those from Ivanti and Citrix NetScaler, since 2023. Previously targeted vulnerabilities include CVE-2025-0282, CVE-2023-46805 and CVE-2024-21887, impacting Ivanti Connect Secure; and CVE-2023-4966, impacting NetScaler ADC and NetScaler Gateway appliances.

The group is known for the deployment of custom malware and backdoors from a toolkit Mandiant has dubbed SPAWN. These tools have also been used in the new attacks investigated by Google, along with two completely new malware programs.

Following successful exploitation of CVE-2025-22457, the attackers deploy a shell script that then executes a malware dropper that Mandiant researchers have dubbed TRAILBLAZE. This dropper runs only in system memory, without creating files on disk; its goal is to inject a passive backdoor into the legitimate /home/bin/web process.

The backdoor, dubbed BRUSHFIRE, hooks the SSL_read function to check whether the TLS certificates presented to the web server contain a special string. If the string is present, it will decrypt and execute the shellcode contained in the data portion. This is a way for attackers to remotely execute commands and additional payloads on the compromised appliances.

As in previous attacks, UNC5221 also attempts to modify the internal Ivanti Integrity Checker Tool (ICT) to evade detection. This tool can be used to perform scans on the appliances to discover whether any files have been modified.

Remediation

Organizations are urged to immediately update their Ivanti Connect Secure appliances to version 22.7R2.6 (released in February) or later to address CVE-2025-22457. Customers should also use the external version of the Integrity Checker Tool and look for web server crashes.

“If your ICT result shows signs of compromise, you should perform a factory reset on the appliance and then put the appliance back into production using version 22.7R2.6,” Ivanti said in its advisory.

“To supplement this, defenders should actively monitor for core dumps related to the web process, investigate ICT statedump files, and conduct anomaly detection of client TLS certificates presented to the appliance,” the Mandiant researchers said.
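As an added, defender-side illustration of the client-certificate anomaly detection the Mandiant researchers recommend above (example code, not Ivanti's or Mandiant's; the log format, field names and sample records are constructed for this example): a baseline of the issuers normally presented to the appliance is learned from the log, and certificates from an issuer outside that baseline, or carrying oversized or non-printable DN values where a name is expected, are flagged for review.

```python
import re
from collections import Counter

# Constructed log lines (not a real appliance format): one client-certificate
# presentation per line, as a proxy in front of the appliance might record it.
OVERSIZED = "A" * 80  # constructed: a DN value far longer than any real name
SAMPLE_LOG = "\n".join([
    '2025-03-20T08:01:12Z client_cert subject="CN=alice,OU=VPN,O=ExampleCorp" issuer="CN=ExampleCorp Issuing CA" sha256=aa11 src=203.0.113.10',
    '2025-03-20T08:03:45Z client_cert subject="CN=bob,OU=VPN,O=ExampleCorp" issuer="CN=ExampleCorp Issuing CA" sha256=bb22 src=203.0.113.11',
    '2025-03-20T08:05:02Z client_cert subject="CN=carol,OU=VPN,O=ExampleCorp" issuer="CN=ExampleCorp Issuing CA" sha256=cc33 src=203.0.113.12',
    f'2025-03-21T02:17:09Z client_cert subject="CN=x,O={OVERSIZED}" issuer="CN=x" sha256=dd44 src=198.51.100.7',
    '2025-03-21T02:17:10Z client_cert subject="CN=alice,OU=VPN,O=ExampleCorp" issuer="CN=ExampleCorp Issuing CA" sha256=aa11 src=203.0.113.10',
])

LINE_RE = re.compile(
    r'^(?P<ts>\S+) client_cert subject="(?P<subject>[^"]*)" '
    r'issuer="(?P<issuer>[^"]*)" sha256=(?P<sha256>\S+) src=(?P<src>\S+)$'
)

def parse(log):
    """Return one dict per well-formed client_cert line; other lines are skipped."""
    return [m.groupdict() for line in log.splitlines() if (m := LINE_RE.match(line))]

def baseline_issuers(records, min_seen=2):
    """Issuers seen at least min_seen times are treated as the expected set."""
    counts = Counter(r["issuer"] for r in records)
    return {issuer for issuer, n in counts.items() if n >= min_seen}

def dn_attribute_values(dn):
    # 'CN=a,O=b' -> ['a', 'b']
    return [part.split("=", 1)[1] for part in dn.split(",") if "=" in part]

def find_anomalies(records, known_issuers, max_value_len=64):
    """Flag certs from an issuer outside the baseline, and certs whose DN
    attribute values are oversized or non-printable (data where a name belongs)."""
    flagged = []
    for r in records:
        reasons = []
        if r["issuer"] not in known_issuers:
            reasons.append("unknown-issuer")
        for value in dn_attribute_values(r["subject"]) + dn_attribute_values(r["issuer"]):
            if len(value) > max_value_len:
                reasons.append("oversized-dn-value")
                break
            if not value.isprintable():
                reasons.append("non-printable-dn-value")
                break
        if reasons:
            flagged.append((r["ts"], r["sha256"], r["src"], reasons))
    return flagged
```

Flagged entries are review candidates, not verdicts; pair them with the core-dump and ICT checks above before acting.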
