Ivanti has revealed a critical security vulnerability affecting its Connect Secure appliances, tracked as CVE-2025-22457. This vulnerability, caused by a stack-based buffer overflow, allows unauthenticated remote attackers to execute arbitrary code. It impacts versions of Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways prior to specified patch releases. The company’s security advisory highlights that while the vulnerability was initially downplayed as a product bug, it has now been identified as exploitable in the wild, compromising several customers.
The flaw was first patched in February 2025 with the release of Ivanti Connect Secure version 22.7R2.6, but exploitation evidence emerged in mid-March 2025. Google’s Mandiant observed a China-linked threat actor, identified as UNC5221, using the vulnerability to deploy sophisticated malware, including the TRAILBLAZE in-memory dropper and the BRUSHFIRE backdoor.
This actor is notorious for exploiting zero-day vulnerabilities in Ivanti devices, and this attack marks the first known exploitation of the vulnerability in Ivanti’s products.
The attack chain involves multi-stage scripts that drop malware into memory, bypassing detection systems. The SPAWN malware suite, attributed to UNC5221, is also part of the exploitation, enabling credential theft and potential data exfiltration. Mandiant researchers tracked this group’s activities, linking them to previous exploits of Ivanti devices and other network-edge devices.
The threat group uses an obfuscation network to mask the true source of attacks, complicating attribution and mitigation efforts.
Ivanti has emphasized the importance of updating to the patched version of Connect Secure (22.7R2.6) immediately, as it resolves the vulnerability. Patches for Ivanti Policy Secure and ZTA Gateways are still in development but are expected by mid-April 2025. Ivanti recommends customers use its Integrity Checker Tool to monitor for any signs of compromise and to perform a factory reset if necessary. The company’s response underscores the growing threat posed by sophisticated, persistent cyber actors targeting critical infrastructure globally.
