Cybersecurity researchers at Ivanti have discovered and patched a critical remote code execution (RCE) vulnerability in their Connect Secure product line, which Chinese threat actors have been actively exploiting since March 2025. The vulnerability, tracked as CVE-2025-22457, has been leveraged to deploy sophisticated malware across affected systems.
Understanding the Technical Impact
The vulnerability manifests as a stack-based buffer overflow with limited character set restrictions, affecting multiple Ivanti products including Pulse Connect Secure 9.1x, Ivanti Connect Secure versions 22.7R2.5 and earlier, Policy Secure, and Neurons for ZTA gateways. What makes this vulnerability particularly dangerous is that it requires no authentication or user interaction to exploit, potentially allowing attackers to gain immediate unauthorized access to affected systems.
Threat Actor Profile and Attack Methodology
Security researchers from Mandiant and Google’s Threat Intelligence Group have attributed the attacks to UNC5221, a sophisticated Chinese threat group. The attackers deployed two novel malware variants: TRAILBLAZE, a memory-resident dropper, and BRUSHFIRE, a passive backdoor. Additionally, the group utilized their previously known SPAWN malware in these campaigns.
Remediation Steps and Security Advisory
Ivanti has released security update version 22.7R2.6 on February 11, 2025, which fully addresses the vulnerability. Security administrators are strongly advised to:
– Immediately upgrade to version 22.7R2.6
– Conduct regular system scans using the Integrity Checker Tool (ICT)
– Perform a complete factory reset if compromise indicators are detected
– Implement network segmentation and enhanced monitoring
Historical Context and Broader Implications
The UNC5221 group, active since 2023, has established a pattern of exploiting zero-day vulnerabilities in network edge devices. Earlier in 2025, they successfully leveraged another Ivanti vulnerability (CVE-2025-0282) to distribute Dryhook and Phasejam malware. This latest incident demonstrates their continued focus on targeting critical infrastructure components.
This security incident serves as a crucial reminder of the evolving threat landscape facing network security appliances. Organizations must maintain vigilant security practices, including prompt patch management, continuous security monitoring, and comprehensive incident response planning. The sophisticated nature of these attacks emphasizes the critical importance of implementing defense-in-depth strategies and maintaining up-to-date security controls across all network infrastructure components.
