Ivanti has disclosed details of a now-patched important safety risk impacting its Connect Secure that has come under effective abuse in the wild.
The vulnerability, tracked as CVE-2025-22457 ( CVSS score: 9.0), concerns a case of a stack-based buffer overflow that could be exploited to execute arbitrary code on affected systems.
” A stack-based cushion overflow in Ivanti Connect Secure before type 22.7R2.6, Ivanti Policy Secure before type 22.7R1.4, and Ivanti ZTA Gateways before type 22.8R2.2 allows a distant unauthenticated intruder to reach remote code execution”, Ivanti in an alert released Thursday.
The weakness impacts the following goods and versions-
- Ivanti Connect Secure (versions 22.7R2.5 and prior )- Fixed in version 22.7R2.6 ( Patch released on February 11, 2025 )
- Pulse Connect Secure (versions 9.1R18.9 and prior )- Fixed in version 22.7R2.6 ( Contact Ivanti to migrate as the device has reached end-of-support as of December 31, 2024 )
- Ivanti Policy Secure (versions 22.7R1.3 and before )- Fixed in version 22.7R1.4 ( To be obtainable on April 21 )
- ZTA Gateways (versions 22.8R2 and before )- Fixed in type 22.8R2.2 ( To be obtainable on April 19 )
The firm it’s conscious of a “limited number of customers” whose Associate Safe and end-of-support Pulse Connect Secure devices have been exploited. There is no evidence that Policy Secure or ZTA portals have come under in-the-wild abuse.
” Buyers should monitor their external Internet and look for web site crashes”, Ivanti noted. ” If your ICT outcome shows signs of bargain, you should do a factory reset on the product and therefore put the equipment back into production using type 22.7R2.6″.
It’s worth mentioning here that Connect Secure version 22.7R2.6 also multiple critical vulnerabilities ( CVE-2024-38657, CVE-2025-22467, and CVE-2024-10644 ) that could permit a remote authenticated attacker to write arbitrary files and execute arbitrary code.
Google-owned Mandiant, in a report of its own, said it observed evidence of abuse of CVE-2025-22457 in mid-March 2025, allowing the danger actors to provide an in-memory drop called TRAILBLAZE, a silent secret codenamed BRUSHFIRE, and the SPAWN malware suite.
The attack chain essentially involves the use of a multi-stage shell script dropper to execute TRAILBLAZE, which then injects BRUSHFIRE directly into the memory of a running web process in an attempt to sidestep detection. The exploitation activity is designed to establish persistent backdoor access on compromised appliances, potentially enabling credential theft, further network intrusion, and data exfiltration.
The use of SPAWN is to a China-nexus adversary tracked as UNC5221, which has a of zero-day flaws in Ivanti Connect Secure ( ICS) devices, alongside such as UNC5266, UNC5291, UNC5325, UNC5330, UNC5337, and UNC3886.
UNC5221, per the U. S. government, has also been assessed to share overlaps with threat groups such as APT27, Silk Typhoon, and UTA0178. However, the threat intelligence firm told The Hacker News that it does not have enough evidence on its own to confirm this connection.
” Mandiant tracks UNC5221 as a cluster of activity that has repeatedly exploited edge devices with zero-day vulnerabilities”, Dan Perez, China Mission Technical Lead, Google Threat Intelligence Group, told the publication.
” The link between this cluster and APT27 made by the government is plausible, but we do not have independent evidence to confirm. Silk Typhoon is Microsoft’s name for this activity, and we can’t speak to their attribution”.
UNC5221 has also been observed leveraging an obfuscation network of compromised Cyberoam appliances, QNAP devices, and ASUS routers to mask their true source during intrusion operations, an aspect also by Microsoft early last month, detailing Silk Typhoon’s latest tradecraft.
The company further theorized that the threat actor likely analyzed the February patch released by Ivanti and figured out a way to exploit prior versions in order to achieve remote code execution against unpatched systems. The development marks the first time UNC5221 has been attributed to the N-day exploitation of a security flaw in Ivanti devices.
” This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups”, Charles Carmakal, Mandiant Consulting CTO, said.
” These actors will continue to research security vulnerabilities and develop custom malware for enterprise systems that don’t support EDR solutions. The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase and these actors are better than ever”.