A critical security vulnerability in Ivanti Connect Secure products is being actively exploited by Chinese state-sponsored hackers to deploy sophisticated malware, security researchers revealed.
The vulnerability (CVE-2025-22457), rated CVSS 9.0, is a stack-based buffer overflow that allows unauthenticated attackers to execute code remotely on affected systems. Although Ivanti patched the flaw in February 2025, researchers at Google's Mandiant have observed active exploitation since mid-March.
A Chinese threat group known as UNC5221 has leveraged this vulnerability to deploy two new malware families:
- TRAILBLAZE: An in-memory dropper that helps install additional malicious code
- BRUSHFIRE: A stealthy backdoor that hooks into SSL functions to receive commands
The attackers also utilized the SPAWN malware suite, which includes:
- SPAWNSLOTH: A tool for disabling system logging
- SPAWNSNARE: Software for extracting and encrypting Linux kernel data
- SPAWNWAVE: An enhanced version combining multiple malicious capabilities
"The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase and these actors are better than ever," said Charles Carmakal, Mandiant Consulting CTO.
Affected Ivanti products and their fixed versions include:
- Ivanti Connect Secure (fixed in 22.7R2.6)
- Pulse Connect Secure (fixed in 22.7R2.6)
- Ivanti Policy Secure (fixed in 22.7R1.4)
- ZTA Gateways (fixed in 22.8R2.2)
Organizations using vulnerable versions should immediately update to the patched releases. If compromise is suspected, Ivanti recommends performing a factory reset before upgrading to the latest version.
This incident highlights an ongoing pattern of Chinese state actors targeting edge devices for espionage purposes, with UNC5221 having a history of exploiting zero-day vulnerabilities in various network security products.