A critical security flaw in Ivanti Connect Secure has come under active exploitation, enabling sophisticated malware campaigns involving TRAILBLAZE and BRUSHFIRE. The issue, now patched, is being tracked as CVE-2025-22457 and carries a CVSS severity score of 9.0.
🔥 What Is CVE-2025-22457?
CVE-2025-22457 is a stack-based buffer overflow vulnerability that affects multiple Ivanti products. If successfully exploited, it allows unauthenticated remote attackers to execute arbitrary code and potentially take full control of vulnerable systems.
🎯 Affected Ivanti Products & Fixed Versions:
| Product | Affected Versions | Fixed In |
|---|---|---|
| Ivanti Connect Secure | 22.7R2.5 and prior | ✅ 22.7R2.6 (Patch released Feb 11, 2025) |
| Pulse Connect Secure | 9.1R18.9 and prior | ✅ 22.7R2.6 (Migration needed - EoS Dec 31, 2024) |
| Ivanti Policy Secure | 22.7R1.3 and prior | 🔜 22.7R1.4 (Available Apr 21, 2025) |
| Ivanti ZTA Gateways | 22.8R2 and prior | 🔜 22.8R2.2 (Available Apr 19, 2025) |
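As an added triage example (not from the article or from Ivanti), the following Python flags inventory entries whose version is below the fixed release in the table above. It assumes Ivanti's `<major>.<minor>R<release>[.<patch>]` version scheme and uses constructed, placeholder hostnames.

```python
import re
from typing import Tuple

# Assumption: versions follow Ivanti's "<major>.<minor>R<release>[.<patch>]"
# scheme, e.g. 22.7R2.5; a missing patch number is treated as 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Fixed release per product, taken from the advisory table. Pulse Connect Secure
# (9.1Rx) sorts below 22.7, so every build is flagged, matching its migration notice.
FIXED_IN = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Pulse Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.4",
    "Ivanti ZTA Gateways": "22.8R2.2",
}

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into a comparable tuple (22, 7, 2, 5)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

def is_affected(product: str, version: str) -> bool:
    """True if the build is older than the fixed release for that product."""
    if product not in FIXED_IN:
        raise KeyError(f"product not covered by the advisory table: {product!r}")
    return parse_version(version) < parse_version(FIXED_IN[product])

def triage(inventory):
    """Return the (hostname, product, version) records still exposed."""
    return [rec for rec in inventory if is_affected(rec[1], rec[2])]

# Constructed sample inventory for demonstration; hostnames are placeholders.
SAMPLE_INVENTORY = [
    ("vpn-01.example.test", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-02.example.test", "Ivanti Connect Secure", "22.7R2.6"),
    ("vpn-03.example.test", "Pulse Connect Secure", "9.1R18.9"),
    ("zta-01.example.test", "Ivanti ZTA Gateways", "22.8R2.2"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"ACTION REQUIRED: {host} runs {product} {version}")
```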
🛡️ Active Exploitation in the Wild
Ivanti confirmed limited targeted attacks against Connect Secure and end-of-life Pulse Secure appliances. Although there’s no current evidence of exploitation against Policy Secure or ZTA Gateways, users are urged to take precautionary measures.
🧬 Malware Delivered: TRAILBLAZE, BRUSHFIRE, SPAWN Suite
According to Google-owned Mandiant, attackers have exploited this vulnerability to deliver multiple advanced malware strains:
TRAILBLAZE – An in-memory dropper
BRUSHFIRE – A passive memory-injected backdoor
SPAWN – A malware suite for persistence and stealth
🧰 Components of the SPAWN Malware Ecosystem:
SPAWNSLOTH – Disables logging and external syslog forwarding
SPAWNSNARE – Extracts and encrypts Linux kernel images
SPAWNWAVE – An evolved variant combining elements of SPAWNANT and SPAWNCHIMERA
These tools work in unison to establish long-term backdoor access, evade detection, exfiltrate data, and move laterally across networks.
🕵️ Attribution: China-Linked Threat Actor UNC5221
Mandiant attributes this campaign to UNC5221, a threat cluster with known ties to China-nexus espionage. This group has a history of exploiting zero-day flaws in Ivanti Connect Secure (ICS) devices and operating stealthily through:
Compromised infrastructure (e.g., QNAP, ASUS, Cyberoam)
Tradecraft overlap with groups like APT27, Silk Typhoon (Microsoft’s term), and UTA0178
"UNC5221 is highly adept at targeting edge appliances using both zero-day and N-day exploits. Their techniques are evolving, and they’re bypassing traditional EDR solutions with custom malware." – Charles Carmakal, CTO, Mandiant Consulting
⚠️ Urgent Recommendations
To mitigate the risk:
🔄 Upgrade immediately to patched versions (see table above).
🔍 Inspect Integrity Checker Tool (ICT) logs and look for signs of unauthorized access or system crashes.
🛠️ If compromised, factory reset and re-deploy using the latest secure firmware.
🧰 Monitor for unusual activity using network threat intelligence and behavioral analytics.
💡 Final Thoughts
The active exploitation of CVE-2025-22457 serves as a stark reminder that edge devices remain high-value targets for cyber espionage groups. As UNC5221 ramps up its operations, staying patched, vigilant, and proactive is your best defense.
🔐 Stay informed, stay secure.