
Active Exploitation of Ivanti VPN Vulnerability by Advanced Persistent Threat Group

Ivanti and Google's Mandiant have disclosed active exploitation of CVE-2025-22457, a remote code execution (RCE) vulnerability in Ivanti Connect Secure (ICS) and the end-of-support Pulse Connect Secure appliances. Ivanti had fixed the bug in ICS 22.7R2.6, released in February 2025, but assessed it at the time as a low-risk product bug rather than an exploitable RCE, so many appliances on older releases were never treated as urgent to patch. A suspected China-nexus advanced persistent threat (APT) group tracked as UNC5221 has exploited the flaw in the wild since mid-March 2025 against appliances running ICS 22.7R2.5 or earlier.

The attackers have deployed new malware families, TRAILBLAZE (an in-memory-only dropper) and BRUSHFIRE (a passive backdoor), alongside components of the SPAWN malware ecosystem. These tools are used to maintain persistence and evade detection on compromised appliances. The threat actor has also routed its activity through an obfuscation network of compromised devices to mask its origin, indicating a sophisticated and persistent approach to exploitation.

This incident underscores the ongoing trend of APT groups targeting internet-facing edge devices. In this case the bug was not a true zero-day: Mandiant assesses that UNC5221 studied the February patch and worked out how to exploit the unpatched 22.7R2.5 and earlier builds, turning a fix Ivanti had rated low-risk into an n-day RCE. The exploitation of CVE-2025-22457 is part of a broader pattern of attacks by UNC5221, which has previously exploited zero-day vulnerabilities in Ivanti products (including CVE-2025-0282 in January 2025) and in other vendors' edge appliances. Organizations using affected Ivanti products are advised to upgrade to the fixed versions and hunt for signs of compromise rather than assume the patch gap was harmless.

Threats and Vulnerabilities

CVE-2025-22457 is a stack-based buffer overflow (CVSS 9.0) affecting Ivanti Connect Secure 22.7R2.5 and earlier, and Pulse Connect Secure 9.1x, which reached end of support in December 2024 and will not be patched; Ivanti's advisory also lists Ivanti Policy Secure and ZTA Gateways as affected. Because the overflowed buffer accepts only periods and digits, Ivanti originally judged the bug not exploitable for RCE, but the attackers found a way to achieve remote code execution with it, enabling them to deploy malware and gain unauthorized access to the appliance. Exploitation has been confirmed in the wild, with attackers deploying purpose-built malware to maintain persistence and evade detection.

The threat actor, UNC5221, has a history of exploiting zero-day vulnerabilities in Ivanti products and in other vendors' edge devices. Its use of new malware families such as TRAILBLAZE and BRUSHFIRE, together with the SPAWN malware ecosystem, shows a capability to run complex intrusion operations against appliances that lack endpoint detection. The group's use of an obfuscation network further complicates detection and attribution.

Client Impact

Clients using vulnerable versions of Ivanti Connect Secure and Pulse Connect Secure may face significant risks, including operational disruptions due to unauthorized access and control over their systems. Data breaches could result from the deployment of malware that exfiltrates sensitive information. Financial consequences may arise from remediation costs and potential regulatory fines if compliance requirements are not met.

The relevance of this threat is particularly high for organizations relying on Ivanti's VPN solutions for secure remote access. Compliance implications include potential audits or penalties if data protection regulations are violated due to unauthorized access or data breaches.

Mitigations

To mitigate the risks associated with CVE-2025-22457, clients should consider the following actions:

  1. Upgrade all Ivanti Connect Secure appliances to version 22.7R2.6 or later to address the vulnerability, and treat any appliance that sat on 22.7R2.5 or earlier while exposed to the internet as potentially compromised until checked.
  2. Pulse Connect Secure 9.x is end of support and will not receive a fix; contact Ivanti for assistance in migrating to a supported platform.
  3. Run the external Integrity Checker Tool (ICT) and review its results for signs of compromise; on a positive or suspicious result, factory reset the appliance and rebuild it from a clean image on the fixed version before returning it to service.
  4. Actively monitor for core dumps from the appliance's web process, which exploitation attempts against the overflow can crash, and investigate ICT statedump files for anomalies.
  5. Implement anomaly detection for client TLS certificates presented to the appliance (unexpected issuers, self-signed or first-seen certificates, one certificate used from many source addresses).
  6. Use the YARA rules and malware hashes published by Ivanti and Google/Mandiant to detect TRAILBLAZE, BRUSHFIRE and SPAWN components.

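One way to implement the client-certificate anomaly detection in step 5, as an added example that is not part of the original advisory or of any Ivanti tooling: a Python script that reads client-certificate records from an access log, compares them against a baseline of previously seen certificate fingerprints and the organization's allowed issuer, and flags self-signed certificates, certificates from an unexpected issuer, first-seen fingerprints, and a single certificate presented from unusually many source addresses. The key=value log format, the sample records, the allowed issuer and the baseline fingerprints below are all constructed assumptions; the real appliance log format differs and has to be mapped onto these fields first.

```python
"""Client TLS certificate anomaly detection for a VPN appliance access log.

Added example for this advisory. The log format, sample lines, baseline and
allow-list are constructed assumptions, not Ivanti's own format or data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# key=value tokens; the value is either a double-quoted string or a bare word.
TOKEN_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption: the organisation issues client certificates from this one CA.
ALLOWED_ISSUERS = {"CN=Example Corp Device CA"}

# Assumption: fingerprints observed in the weeks before the exploitation window.
BASELINE_FINGERPRINTS = {"AA11AA11", "BB22BB22", "CC33CC33"}

# Constructed sample log (hypothetical format), not real appliance output.
SAMPLE_LOG = """\
ts=2025-03-20T08:01:10Z src=10.20.1.15 subject="CN=alice,O=Example Corp" issuer="CN=Example Corp Device CA" fp=AA11AA11
ts=2025-03-20T08:03:42Z src=10.20.1.16 subject="CN=bob,O=Example Corp" issuer="CN=Example Corp Device CA" fp=BB22BB22
ts=2025-03-20T23:14:05Z src=203.0.113.7 subject="CN=localhost" issuer="CN=localhost" fp=DEADBEEF
ts=2025-03-20T23:15:21Z src=198.51.100.9 subject="CN=carol,O=Example Corp" issuer="CN=Example Corp Device CA" fp=CC33CC33
ts=2025-03-20T23:16:02Z src=198.51.100.10 subject="CN=carol,O=Example Corp" issuer="CN=Example Corp Device CA" fp=CC33CC33
ts=2025-03-20T23:16:44Z src=198.51.100.11 subject="CN=carol,O=Example Corp" issuer="CN=Example Corp Device CA" fp=CC33CC33
ts=2025-03-20T23:17:30Z src=198.51.100.12 subject="CN=carol,O=Example Corp" issuer="CN=Example Corp Device CA" fp=CC33CC33
ts=2025-03-21T02:40:11Z src=192.0.2.44 subject="CN=vpnuser,O=Contoso" issuer="CN=Some Public CA" fp=EE55EE55
"""


@dataclass(frozen=True)
class Finding:
    rule: str         # which detection fired
    fingerprint: str  # certificate fingerprint the finding is about
    detail: str       # human-readable context for the analyst


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict; quoted values keep their spaces."""
    return {key: quoted or bare for key, quoted, bare in TOKEN_RE.findall(line)}


def detect_anomalies(lines, baseline_fps, allowed_issuers, max_src_ips=3):
    """Return a list of Findings for the certificate records in `lines`.

    Rules: self_signed (issuer == subject), untrusted_issuer (issuer not in the
    allow-list), first_seen (fingerprint absent from the baseline, reported once),
    shared_cert (one fingerprint presented from more than max_src_ips addresses).
    """
    findings = []
    sources = defaultdict(set)   # fingerprint -> set of source addresses
    reported_new = set()         # first_seen is reported once per fingerprint
    for line in lines:
        rec = parse_line(line)
        if not {"fp", "issuer", "subject", "src"} <= rec.keys():
            continue  # skip malformed lines rather than crash on them
        fp = rec["fp"]
        sources[fp].add(rec["src"])
        if rec["issuer"] == rec["subject"]:
            findings.append(Finding("self_signed", fp, rec["subject"]))
        if rec["issuer"] not in allowed_issuers:
            findings.append(Finding("untrusted_issuer", fp, rec["issuer"]))
        if fp not in baseline_fps and fp not in reported_new:
            reported_new.add(fp)
            findings.append(Finding("first_seen", fp, f"{rec.get('ts', '?')} from {rec['src']}"))
    for fp, ips in sources.items():
        if len(ips) > max_src_ips:
            findings.append(Finding("shared_cert", fp, f"{len(ips)} source IPs: {sorted(ips)}"))
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(SAMPLE_LOG.splitlines(), BASELINE_FINGERPRINTS, ALLOWED_ISSUERS):
        print(f"{f.rule:17s} fp={f.fingerprint} {f.detail}")
```

The baseline and the issuer allow-list are inputs you build from logs that predate the exploitation window (mid-March 2025 onward); a first-seen or untrusted-issuer hit from an address outside your expected ranges is the kind of record to pull alongside the ICT results and any web-process core dumps from the same appliance.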
These measures aim to reduce the risk of exploitation and maintain the integrity of affected systems. Continuous monitoring and timely updates are crucial in defending against sophisticated threats like those posed by UNC5221.

1898 & Co. Response

1898 &amp; Co. is actively addressing the current threat landscape by offering specialized services designed to enhance clients' cybersecurity posture against emerging threats like CVE-2025-22457. Our team provides tailored vulnerability assessments and patch management solutions to ensure clients' systems are up to date with the latest security patches.

We are collaborating with industry partners and leveraging threat intelligence networks to stay informed about new vulnerabilities and attack vectors. Our ongoing research efforts focus on identifying potential threats early and developing effective mitigation strategies.

Our incident response services are available to assist clients in detecting and responding to potential compromises swiftly. We have successfully helped organizations recover from similar incidents by implementing robust security measures and conducting thorough forensic investigations.

Sources

  1. Ivanti Security Advisory on CVE-2025-22457
  2. CVE Details for CVE-2025-22457
  3. Google brief on threat actor UNC5221