China-Linked Espionage Group Exploits Critical Ivanti VPN Vulnerability, Deploys Sophisticated Malware Arsenal

A newly disclosed critical vulnerability in Ivanti Connect Secure (ICS) VPN appliances is being actively exploited in the wild by a suspected China-nexus espionage group, according to a joint investigation by Mandiant and Ivanti. The flaw, tracked as CVE-2025-22457, is a buffer overflow vulnerability that enables remote code execution (RCE) in ICS versions 22.7R2.5 and earlier.

While a patch addressing the vulnerability was issued in February 2025 (ICS version 22.7R2.6), exploitation of the unpatched versions began as early as mid-March, targeting both legacy ICS 9.X (now end-of-life) and vulnerable 22.7R2.5 systems. Mandiant’s analysis reveals the exploitation is part of a broader campaign by UNC5221, a well-resourced threat actor with ties to China.

A Sophisticated Intrusion Chain

Mandiant uncovered the deployment of two previously unknown malware families following successful exploitation:

  • TRAILBLAZE: An in-memory-only dropper written in bare C, designed for stealth and a minimal footprint. It injects malicious code directly into a legitimate web process.

  • BRUSHFIRE: A passive backdoor, also written in C, that hooks the SSL_read function. It stealthily waits for specific data patterns in encrypted traffic before executing and exfiltrating shellcode.

In addition to these tools, attackers leveraged the SPAWN malware ecosystem, previously attributed to UNC5221. This includes:

  • SPAWNSLOTH: A log-tampering tool disabling local and remote logging.

  • SPAWNSNARE: A utility to extract and encrypt the Linux kernel image.

  • SPAWNWAVE: A modular tool combining features of several SPAWN variants, capable of advanced post-exploitation operations.

The malware is deployed via a shell script dropper that orchestrates memory mapping, process injection, and rapid cleanup to ensure non-persistence and evade detection. Mandiant also observed efforts to tamper with Ivanti’s Integrity Checker Tool (ICT), highlighting the attackers’ deep familiarity with the ICS architecture.

From Patch to Exploit

Originally classified as a low-risk denial-of-service issue due to character space limitations, CVE-2025-22457 was later weaponized. Mandiant assesses that the attackers reverse-engineered the patch issued in February, identifying a complex path to exploit the bug for RCE—underscoring the risks of delayed patching.

Attribution to UNC5221

The Google Threat Intelligence Group (GTIG) attributes this campaign to UNC5221, a state-sponsored actor previously linked to multiple zero-day exploits against edge infrastructure, including:

  • CVE-2023-46805 and CVE-2024-21887 (Ivanti),

  • CVE-2023-4966 (NetScaler),

  • CVE-2025-0282 (ICS).

GTIG also reports UNC5221’s use of a global obfuscation network, comprising compromised Cyberoam appliances, QNAP devices, and ASUS routers, to conceal the origins of their intrusions.

“This group continues to exhibit a high operational tempo and significant investment in tailored malware and edge-device exploitation,” Mandiant noted.

Mitigation and Recommendations

Organizations using Ivanti ICS appliances are strongly advised to upgrade to version 22.7R2.6 or later immediately. Additional steps include:

  • Running the Integrity Checker Tool (ICT) internally and externally;

  • Monitoring for anomalies in web processes and core dumps;

  • Investigating suspicious TLS certificates presented to appliances;

  • Contacting Ivanti Support upon detecting irregularities.
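The first recommendation is a version threshold, so an inventory check can be automated. The script below is an added example, not code from Mandiant or Ivanti; it assumes ICS version strings follow the MAJOR.MINOR R REV[.BUILD] shape seen in the advisory (22.7R2.5, 22.7R2.6) and treats the whole 9.x line as end-of-life rather than patchable, as the article states. Hostnames in the sample are constructed.

```python
import re

# Fixed release named in the advisory; anything older is affected by CVE-2025-22457.
FIXED_VERSION = "22.7R2.6"

# Assumed version format (not from the advisory): MAJOR.MINOR R REV[.BUILD]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_ics_version(version: str) -> tuple[int, int, int, int]:
    """Turn an ICS version string such as '22.7R2.5' into a comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ICS version string: {version!r}")
    major, minor, rev, build = m.groups()
    return (int(major), int(minor), int(rev), int(build or 0))


def assess_ics_version(version: str) -> str:
    """Classify one appliance version against CVE-2025-22457.

    'end-of-life' - legacy 9.x line: no fixed build exists, so migrate.
    'vulnerable'  - any release older than the fixed 22.7R2.6 build.
    'patched'     - the fixed release or later.
    """
    parsed = parse_ics_version(version)
    if parsed[0] == 9:
        return "end-of-life"
    if parsed < parse_ics_version(FIXED_VERSION):
        return "vulnerable"
    return "patched"


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group appliance hostnames by status so the ones needing action stand out."""
    groups: dict[str, list[str]] = {"end-of-life": [], "vulnerable": [], "patched": []}
    for host, ver in inventory.items():
        groups[assess_ics_version(ver)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory (hostnames are made up).
    sample = {
        "vpn-a.example": "22.7R2.5",
        "vpn-b.example": "22.7R2.6",
        "vpn-c.example": "9.1R18.9",
    }
    for status, hosts in triage_inventory(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```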

This campaign underscores the persistent threats posed by advanced espionage actors targeting edge devices—exploiting both zero-day and patched vulnerabilities alike. It also serves as a sobering reminder: a patch delayed can mean a breach delivered.