Chinese State Hackers Exploit Critical Ivanti Flaw to Deploy Advanced Malware



A critical security vulnerability in Ivanti Connect Secure products is being actively exploited by Chinese state-sponsored hackers to deploy sophisticated malware, security researchers revealed.

The vulnerability (CVE-2025-22457), which received a CVSS score of 9.0, is a stack-based buffer overflow that allows unauthenticated attackers to execute malicious code remotely on affected systems. While Ivanti patched this flaw in February 2025, researchers at Google's Mandiant have observed active exploitation since mid-March.

A Chinese threat group known as UNC5221 has leveraged this vulnerability to deploy two new malware families:

  • TRAILBLAZE: An in-memory dropper that helps install additional malicious code
  • BRUSHFIRE: A stealthy backdoor that hooks into SSL functions to receive commands

The attackers also utilized the SPAWN malware suite, which includes:

  • SPAWNSLOTH: A tool for disabling system logging
  • SPAWNSNARE: Software for extracting and encrypting Linux kernel data
  • SPAWNWAVE: An enhanced version combining multiple malicious capabilities

"The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase and these actors are better than ever," said Charles Carmakal, Mandiant Consulting CTO.

Affected Ivanti products and their fixed versions include:

  • Ivanti Connect Secure (fixed in 22.7R2.6)
  • Pulse Connect Secure (fixed in 22.7R2.6)
  • Ivanti Policy Secure (fixed in 22.7R1.4)
  • ZTA Gateways (fixed in 22.8R2.2)

Organizations using vulnerable versions should immediately update to the patched releases. If compromise is suspected, Ivanti recommends performing a factory reset before upgrading to the latest version.
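Working out which appliances in an inventory are below the fixed releases above is easy to get wrong with a plain string comparison (for example, `"22.7R2.10"` sorts before `"22.7R2.6"` lexicographically). The following is an added example, not code from the article or from Ivanti, that parses version strings of the form `22.7R2.6` and checks them against the fixed versions the article lists. The parsing rule (`<major>.<minor>R<release>[.<patch>]`, missing patch treated as 0) and the assumption that any lower version on a product is unpatched are assumptions of this example, not statements from the article; the host inventory is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions exactly as listed in the article.
FIXED_VERSIONS: Dict[str, str] = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Pulse Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.4",
    "ZTA Gateways": "22.8R2.2",
}

# Assumed version format: <major>.<minor>R<release>[.<patch>]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse '22.7R2.6' into the comparable tuple (22, 7, 2, 6).

    A missing patch component (e.g. '22.8R1') is treated as 0. This
    format is an assumption of the example, not documented on the page.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_patched(product: str, installed: str) -> bool:
    """True if `installed` is at or above the fixed release for `product`.

    Numeric tuple comparison avoids the lexicographic trap where
    '22.7R2.10' would compare as lower than '22.7R2.6'.
    """
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for {product!r}")
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[product])


def triage(inventory: List[Tuple[str, str, str]]) -> Tuple[List[str], List[str]]:
    """Split (hostname, product, version) records into needs-update and patched hosts."""
    needs_update: List[str] = []
    patched: List[str] = []
    for host, product, version in inventory:
        (patched if is_patched(product, version) else needs_update).append(host)
    return needs_update, patched


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("vpn-01", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-02", "Ivanti Connect Secure", "22.7R2.6"),
    ("vpn-03", "Ivanti Connect Secure", "22.7R2.10"),
    ("nac-01", "Ivanti Policy Secure", "22.7R1.3"),
    ("zta-01", "ZTA Gateways", "22.8R2.2"),
    ("zta-02", "ZTA Gateways", "22.8R1"),
]

if __name__ == "__main__":
    outdated, current = triage(SAMPLE_INVENTORY)
    print("needs update:", outdated)
    print("patched:", current)
```

Hosts returned in the first list are below the fixed release for their product and should be scheduled for the update described above; where compromise is suspected, the factory-reset-then-upgrade sequence the article mentions applies rather than an in-place update.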

This incident highlights an ongoing pattern of Chinese state actors targeting edge devices for espionage purposes, with UNC5221 having a history of exploiting zero-day vulnerabilities in various network security products.