Hackers are targeting Ivanti VPN users again – here’s what you need to know
Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that’s been exploited by a China-linked espionage group since at least the middle of March.
Tracked as CVE-2025-22457, the critical severity vulnerability impacts Ivanti Connect Secure (versions 22.7R2.5 and earlier), Pulse Connect Secure (versions 9.1R18.9 and prior, which reached end-of-support at the end of last year), Ivanti Policy Secure (versions 22.7R1.3 and prior) and ZTA Gateways (versions 22.8R2 and prior).
In a security advisory published by Mandiant, the firm said there’s evidence of active exploitation in the wild, with the espionage group successfully achieving remote code execution (RCE) and deploying malware.
“Following successful exploitation, we observed the deployment of two newly identified malware families, the TrailblazeE in-memory only dropper and the Brushfire passive backdoor,” said Mandiant.
“Additionally, deployment of the previously reported Spawn ecosystem of malware attributed to UNC5221 was also observed. UNC5221 is a suspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge devices dating back to 2023.”
The vulnerability is a buffer overflow with a limited character space, and as such was initially believed to be a low-risk denial-of-service vulnerability. But while a patch was released on February 11, Mandiant believes the group was able to analyze the patch and find a way to exploit 22.7R2.5 and earlier to achieve the remote code execution.
“The vulnerability is a buffer overflow with characters limited to periods and numbers, it was evaluated and determined not to be exploitable as remote code execution and didn’t meet the requirements of denial of service,” Ivanti explained.
“However, Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild.”
CISA responds to Ivanti threats
Google Threat Intelligence Group (GTIG) said UNC5221 has targeted a wide range of countries and verticals during its operations, and has made use of an extensive set of tooling, from passive backdoors to trojanized legitimate components on various edge appliances.
The group has a consistent history of success and an aggressive modus operandi, and GTIG believes it will continue to pursue zero-day exploitation of edge devices.
“This latest activity from UNC5221 underscores the ongoing sophisticated threats targeting edge devices globally. This campaign, exploiting the n-day vulnerability CVE-2025-22457, also highlights the persistent focus of actors like UNC5221 on edge devices, leveraging deep device knowledge and adding to their history of using both zero-day and now n-day flaws,” Mandiant said.
“This activity aligns with the broader strategy GTIG has observed among suspected China-nexus espionage groups who invest significantly in exploits and custom malware for critical edge infrastructure.”
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory for at-risk enterprises.
In addition to applying the relevant security patches, the agency urged organizations to run an external Integrity Checker Tool (ICT) and conduct threat hunt actions on any systems connected to — or recently connected to — the affected Ivanti device.
For the highest level of confidence, it said, they should conduct a factory reset.
MORE FROM ITPRO
- INSERT STORY LINK
- INSERT STORY LINK
- INSERT STORY LINK
Source link
