Ivanti CVE-2025-22457 Under Active Attack

The vulnerability affects many versions of Ivanti appliances and is being exploited by a suspected China-nexus actor

A threat group suspected to be located in China is exploiting a newly disclosed critical vulnerability in the Ivanti Connect Secure, Pulse Connect Secure, Policy Secure, and ZTA Gateway products, installing previously unknown malware on the compromised appliances.

Why It Matters: Ivanti's products are frequent targets for cybercriminals and APT groups, and active exploitation of a new vulnerability is always a concern. The flaw is a buffer overflow that was thought to be, at worst, a denial-of-service issue when it was fixed in February, so it was not initially disclosed as a critical vulnerability. Researchers have since identified in-the-wild exploitation of the flaw that achieves remote code execution. Researchers from Google's Mandiant security team analyzed the vulnerability and the exploit activity and found that the attackers, whom they assess to be a China-nexus group, are using the vulnerability to compromise unpatched versions of Ivanti Connect Secure appliances and load newly discovered malware onto them.

“Following successful exploitation, Mandiant observed the deployment of two newly identified malware families tracked as TRAILBLAZE and BRUSHFIRE through a shell script dropper. Mandiant has also observed the deployment of the SPAWN ecosystem of malware. Additionally, similar to previously observed behavior, the actor attempted to modify the Integrity Checker Tool (ICT) in an attempt to evade detection,” Mandiant researchers said.

Key Details: CVE-2025-22457 affects Pulse Connect Secure 9.1x (end-of-support, so no fix is available for that train), Ivanti Connect Secure 22.7R2.5 and earlier, Policy Secure, and ZTA Gateways. The exploitation that the Mandiant researchers observed specifically targeted ICS 9.x appliances and ICS 22.7R2.5 and earlier.
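Ivanti's version strings (22.7R2.5, 9.1R18.9) do not sort correctly as plain strings, which makes fleet triage against the "22.7R2.5 and earlier" boundary error-prone. The following is an added example, not code from the article or from Ivanti: it parses the <major>.<minor>R<release>[.<patch>] format (an assumed grammar based on the version strings in the article) into a comparable tuple and flags appliances the article describes as affected, treating the 9.x train as affected outright because it is end-of-support. The hostnames and versions in the inventory are constructed sample data.

```python
import re
from typing import List, Tuple

# Assumed grammar for Ivanti Connect Secure / Pulse Connect Secure version
# strings: <major>.<minor>R<release>[.<patch>], e.g. "22.7R2.5", "9.1R18.9".
# Anything that does not match is rejected rather than silently mis-ordered.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_ics_version(s: str) -> Tuple[int, int, int, int]:
    """Turn an ICS version string into a tuple that compares numerically."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {s!r}")
    major, minor, release, patch = m.groups()
    # A missing patch component ("22.7R2") sorts below "22.7R2.1".
    return (int(major), int(minor), int(release), int(patch or 0))


# Boundary stated in the article: ICS 22.7R2.5 and earlier are affected.
LAST_AFFECTED_ICS = parse_ics_version("22.7R2.5")


def ics_affected(version: str) -> bool:
    """True if this ICS/PCS version falls in the affected range from the article."""
    v = parse_ics_version(version)
    if v[0] == 9:
        # Pulse Connect Secure 9.x is end-of-support: affected, and the only
        # remediation is migrating off the train.
        return True
    return v <= LAST_AFFECTED_ICS


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("vpn-a.example.com", "22.7R2.5"),
    ("vpn-b.example.com", "22.7R2.6"),
    ("vpn-c.example.com", "9.1R18.9"),
    ("vpn-d.example.com", "22.7R2.4"),
    ("vpn-e.example.com", "22.7R2"),
]


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose reported version is in the affected range."""
    return [host for host, ver in inventory if ics_affected(ver)]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, patch or migrate")
```

The version reported by an appliance is only as trustworthy as the appliance itself; the article notes the actor tampers with the Integrity Checker Tool, so a version string pulled from a possibly compromised box should be treated as a starting point for triage, not as proof that the device is clean.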

“Google Threat Intelligence Group (GTIG) attributes the exploitation of CVE-2025-22457 and the subsequent deployment of the SPAWN ecosystem of malware to the suspected China-nexus espionage actor UNC5221. GTIG has previously reported UNC5221 conducting zero-day exploitation of CVE-2025-0282, as well as the exploitation of CVE-2023-46805 and CVE-2024-21887,” Mandiant said.

“Furthermore, GTIG has also previously observed UNC5221 conducting zero-day exploitation of CVE-2023-4966, impacting NetScaler ADC and NetScaler Gateway appliances. UNC5221 has targeted a wide range of countries and verticals during their operations, and has leveraged an extensive set of tooling, spanning passive backdoors to trojanized legitimate components on various edge appliances.”

What to Do Now: Apply the patch as soon as possible; with active exploitation underway, time is of the essence. Appliances on the end-of-support Pulse Connect Secure 9.x train cannot be patched and should be migrated to a supported version. Because the actor has been observed modifying the Integrity Checker Tool on compromised appliances, do not rely solely on the on-box ICT to decide whether a device is clean: run the external ICT, and treat any appliance that was exposed while unpatched as potentially compromised until it has been checked.