- Ivanti recently patched a critical severity flaw in Connect Secure VPN
- Mandiant says the bug is being used in the wild by Chinese actors
- Two new malware strains were discovered
Ivanti has recently patched a critical severity vulnerability found in its Connect Secure (ICS) VPN appliances which was allegedly being abused in the wild by Chinese state-sponsored actors.
Researchers at Mandiant published a new security advisory stating Ivanti discovered and fixed a buffer overflow vulnerability in ICS 9.X (unsupported) and 22.7R2.5 and earlier versions. The vulnerability is tracked as CVE-2025-22457, and carries a severity score of 9.0/10 (critical).
At first, no one was aware of the bug’s disruptive potential, Mandiant explained, but later - evidence of remote code execution (RCE) attacks were discovered.
Cyber-espionage
In these attacks, allegedly conducted by a threat actor tracked as UNC5221, two new malware variants were used: TRAILBLAZE, and BUSHFIRE.
The former is an in-memory only dropper, while the latter is a passive backdoor. Furthermore, the researchers saw cybercriminals dropping malware from the SPAWN ecosystem, as well.
UNC5221 is a known, China-nexus espionage actor that was observed, on multiple occasions, targeting vulnerable Ivanti instances. For example, in early January this year, Ivanti said it saw two flaws - CVE-2025-0282 and CVE-2025-0283 - being abused by this threat actor. Both were impacting Ivanti Connect Secure VPN appliances.
In these attacks, SPAWN variants were also used.
Mandiant says that this CVE was probably first used in mid-March 2025, a month after the patch was released.
“We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution,” the researchers said.
Ivanti has released fixes for the exploited vulnerabilities and its customers are advised to upgrade their endpoints without hesitation, since the flaws are being actively targeted.
“Network security devices and edge devices in particular are a focus of sophisticated and highly persistent threat actors, and Ivanti is committed to providing information to defenders to ensure they can take every possible step to secure their environments," Daniel Spicer, Ivanti CSO, told TechRadar Pro in a written statement.
"To this end, in addition to providing an advisory directly to customers, Ivanti worked closely with its partner Mandiant to provide additional information regarding this recently addressed vulnerability. Importantly, this vulnerability was fixed in ICS 22.7R2.6, released February 11, 2025, and customers running supported versions on their appliances and in accordance with the guidance provided by Ivanti have a significantly reduced risk. Ivanti’s Integrity Checker Tool (ICT) has been successful in detecting potential compromise on a limited number of customers running ICS 9.X (end of life) and 22.7R2.5 and earlier versions.”
You might also like
- Ivanti warns another critical security flaw is being attacked
- We've rounded up the best password managers
- Take a look at our guide to the best authenticator app
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.