
Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457)

A suspected Chinese APT group has exploited CVE-2025-22457 – a buffer overflow bug that was previously thought not to be exploitable – to compromise appliances running Ivanti Connect Secure (ICS) 22.7R2.5 or earlier, or Pulse Connect Secure 9.1x.

CVE-2025-22457

The vulnerability was patched by Ivanti in ICS 22.7R2.6, released on February 11, 2025. But, apparently, the threat actor studied the patch and “uncovered through a complicated process, [that] it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution,” Mandiant (Google) incident responders have revealed.

“Mandiant and Ivanti have identified evidence of active exploitation in the wild against ICS 9.X (end of life) and 22.7R2.5 and earlier versions.”

CVE-2025-22457 exploited, old and new malware used

Temporarily labeled as UNC5221, the suspected China-nexus espionage actor is believed to be the same one who previously exploited several zero-day bugs in Ivanti’s solutions: CVE-2025-0282, CVE-2023-46805 and CVE-2024-21887. They have also been behind zero-day attacks hitting NetScaler ADC and NetScaler Gateway appliances via CVE-2023-4966, aka “CitrixBleed”.

“The earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025,” Google’s researchers noted.

Once in, the attackers deployed two new malware families – the TRAILBLAZE in-memory-only dropper and the BRUSHFIRE passive backdoor – as well as elements of the SPAWN malware ecosystem seen in previous UNC5221 attacks, including:

  • SPAWNSLOTH – a log tampering utility
  • SPAWNSNARE – a utility used to extract the uncompressed Linux kernel image (vmlinux) into a file and encrypt it
  • SPAWNWAVE – a tool combining the capabilities of the SPAWNCHIMERA and RESURGE malware families
  • A modified version of Ivanti’s Integrity Checker Tool (ICT) to evade detection

“[Google Threat Intelligence Group (GTIG)] assesses that UNC5221 will continue pursuing zero-day exploitation of edge devices based on their consistent history of success and aggressive operational tempo. Additionally, (…) GTIG has observed UNC5221 leveraging an obfuscation network of compromised Cyberoam appliances, QNAP devices, and ASUS routers to mask their true source during intrusion operations,” Google’s experts added.

What to do?

“[CVE-2025-22457] is a buffer overflow with characters limited to periods and numbers, it was evaluated and determined not to be exploitable as remote code execution and didn’t meet the requirements of denial of service,” according to Ivanti.

It affects Ivanti Connect Secure versions 22.7R2.5 and earlier, Pulse Connect Secure 9.x (which reached end-of-support in December 2024), Ivanti Policy Secure and ZTA gateways.

The latter two solutions are somewhat protected and there’s no indication they have been targeted.

But a “limited” number of customers running vulnerable Ivanti Connect Secure and Pulse Connect Secure have been affected.

As noted before, CVE-2025-22457 was fixed in Ivanti Connect Secure 22.7R2.6 and users should upgrade to that or a later version. Since Pulse Connect Secure 9.x is no longer supported, Ivanti advises customers to get in touch so they can assist them in a migration to “a secure platform.”
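As an added illustration (not code from the article, Ivanti or Mandiant), the following Python triages an appliance inventory against the affected and fixed versions quoted above: anything at 22.7R2.6 or later is fixed, anything earlier is vulnerable, and 9.x builds are end-of-life with no patch. The version-string layout (major.minor R release.patch) and the sample inventory are assumptions.

```python
from __future__ import annotations

import re

# Fixed build named in the article; everything earlier in the 22.x line is affected.
FIXED_ICS_VERSION = "22.7R2.6"

# Assumed layout of Ivanti version strings: MAJOR.MINOR R RELEASE [. PATCH], e.g. 22.7R2.5
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Constructed inventory for demonstration; hostnames and versions are not real devices.
SAMPLE_INVENTORY = {
    "vpn-eu-1": "22.7R2.5",
    "vpn-us-1": "22.7R2.6",
    "vpn-legacy": "9.1R18.9",
    "vpn-apac-1": "22.6R2.3",
}


def parse_ics_version(version: str) -> tuple[int, int, int, int]:
    """Turn '22.7R2.5' into the comparable tuple (22, 7, 2, 5); a missing patch counts as 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def assess_cve_2025_22457(version: str) -> str:
    """Classify one Connect Secure / Pulse Connect Secure build against CVE-2025-22457.

    'eol'        - Pulse Connect Secure 9.x: unsupported, no fix; migrate off it
    'vulnerable' - ICS 22.7R2.5 or earlier: upgrade to 22.7R2.6 or later
    'fixed'      - ICS 22.7R2.6 or later
    """
    v = parse_ics_version(version)
    if v[0] == 9:
        return "eol"
    return "fixed" if v >= parse_ics_version(FIXED_ICS_VERSION) else "vulnerable"


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by status so the vulnerable and EOL ones can be prioritised."""
    report: dict[str, list[str]] = {"eol": [], "vulnerable": [], "fixed": []}
    for host, version in inventory.items():
        report[assess_cve_2025_22457(version)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```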

Patches for the flaw in Ivanti Policy Secure and ZTA Gateways are being developed and will be released on April 21 and April 19, respectively.

Customers who are part of the pool of possible victims – i.e., those who are still running a vulnerable Ivanti Connect Secure or Pulse Connect Secure version – should check whether their devices have been compromised.

“Customers should monitor their external ICT and look for web server crashes. If your ICT result shows signs of compromise, you should perform a factory reset on the appliance and then put the appliance back into production using version 22.7R2.6,” the company advised.

“To supplement this, defenders should actively monitor for core dumps related to the web process, investigate ICT statedump files, and conduct anomaly detection of client TLS certificates presented to the appliance,” Google’s professionals have advised, and they have also released hashes of the malware used and YARA rules to detect some of it.
