Ivanti addressed a critical remote code execution flaw in Connect Secure, which has been exploited since at least mid-March 2025.
Ivanti released security updates to address a critical Connect Secure remote code execution vulnerability tracked as CVE-2025-22457. The vulnerability has been exploited by a China-linked threat actor since at least mid-March 2025.
Ivanti did not disclose details about the attacks; however, researchers at Mandiant and Google Threat Intelligence Group (GTIG) linked the exploitation attempts to a suspected China-linked cyberespionage group tracked as UNC5221.
The vulnerability is a stack-based buffer overflow that allows unauthenticated remote code execution.
The flaw impacts Ivanti Connect Secure (version 22.7R2.5 and earlier), Pulse Connect Secure 9.x (end-of-support as of December 31, 2024), Ivanti Policy Secure and ZTA gateways. The software company addressed the vulnerability with the release of Connect Secure 22.7R2.6 (released February 11, 2025).
“We are aware of a limited number of customers whose Ivanti Connect Secure (22.7R2.5 and earlier) and End-of-Support Pulse Connect Secure 9.1x appliances have been exploited at the time of disclosure,” reads the advisory published by the company. “The vulnerability is a buffer overflow with characters limited to periods and numbers; it was evaluated and determined not to be exploitable as remote code execution and didn’t meet the requirements of denial of service. However, Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild. We encourage all customers to ensure they are running Ivanti Connect Secure 22.7R2.6 as soon as possible, which remediates the vulnerability.”
Ivanti will release security patches for ZTA and Policy Secure gateways on April 19 and 21. No exploitation of these products is known yet, but admins should monitor ICT logs and reset compromised devices.
Ivanti urges admins to monitor Integrity Checker Tool (ICT) for web server crashes and reset compromised devices before redeploying them with version 22.7R2.6.
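The advisory's remediation boils down to a version check: a Connect Secure appliance is only out of scope once it runs 22.7R2.6 or later, while Pulse Connect Secure 9.x has no fix at all because it is end-of-support. The following script is an added example (not Ivanti's tooling and not part of the original article) that parses Ivanti's `major.minor R release.patch` version strings numerically, so that a build such as 22.7R2.10 is correctly ranked above 22.7R2.6 rather than below it as a plain string comparison would do, and triages a constructed asset inventory against the advisory. The inventory entries and the version-string format assumed by the regular expression are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# From the advisory: first Connect Secure build that remediates CVE-2025-22457.
FIXED_VERSION = "22.7R2.6"

# Assumed format of Ivanti version strings, e.g. "22.7R2.5" or "9.1R18" (patch optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5) so tuples compare numerically."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(product: str, version: str) -> str:
    """Classify one appliance against the CVE-2025-22457 advisory.

    Returns one of:
      'patched'        - Connect Secure on 22.7R2.6 or later
      'vulnerable'     - Connect Secure on 22.7R2.5 or earlier
      'unsupported'    - Pulse Connect Secure 9.x: end-of-support, no fix; migrate
      'awaiting-patch' - Policy Secure / ZTA gateways: fix not yet released
    """
    if product == "Pulse Connect Secure":
        return "unsupported"
    if product in ("Ivanti Policy Secure", "ZTA gateways"):
        return "awaiting-patch"
    if product == "Ivanti Connect Secure":
        if parse_version(version) >= parse_version(FIXED_VERSION):
            return "patched"
        return "vulnerable"
    raise ValueError(f"product not covered by the advisory: {product!r}")


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group appliance hostnames by their advisory status."""
    result: Dict[str, List[str]] = {}
    for asset in inventory:
        status = assess(asset["product"], asset["version"])
        result.setdefault(status, []).append(asset["host"])
    return result


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "vpn-a.example.test", "product": "Ivanti Connect Secure", "version": "22.7R2.5"},
    {"host": "vpn-b.example.test", "product": "Ivanti Connect Secure", "version": "22.7R2.6"},
    {"host": "vpn-c.example.test", "product": "Ivanti Connect Secure", "version": "22.7R2.10"},
    {"host": "legacy.example.test", "product": "Pulse Connect Secure", "version": "9.1R18.9"},
    {"host": "nac.example.test", "product": "Ivanti Policy Secure", "version": "22.7R1.3"},
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:15s} {', '.join(hosts)}")
```

Hosts reported as `vulnerable` or `unsupported` are the ones the advisory says to treat as potentially compromised: run the Integrity Checker Tool, and factory-reset before redeploying on 22.7R2.6 rather than upgrading in place.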
According to Google GTIG, threat actor UNC5221 exploited the flaw since March 2025 to deploy TRAILBLAZE and BRUSHFIRE malware, along with SPAWN malware.
The earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025. Following successful exploitation, we observed the deployment of two newly identified malware families, the TRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor. Additionally, deployment of the previously reported SPAWN ecosystem of malware attributed to UNC5221 was also observed. UNC5221 is a suspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge devices dating back to 2023.
“Following successful exploitation, we observed the deployment of two newly identified malware families, the TRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor,” reads Google’s report. “Additionally, deployment of the previously reported SPAWN ecosystem of malware attributed to UNC5221 was also observed.”
Pierluigi Paganini
(SecurityAffairs – hacking, UNC5221)