Ivanti VPN Users Under Attack Hackers Exploit Critical Bug with New Malware

Security researchers are sounding the alarm: a critical vulnerability in Ivanti Connect Secure is being actively exploited in the wild. Ivanti has already released patches, so let's break down what's happening.

The vulnerability, labeled CVE-2025-22457, has a CVSS score of 9.0, marking it as highly severe. It's a stack-based buffer overflow, meaning attackers can potentially run their own code on vulnerable systems.

Ivanti explained that this flaw allows "a remote unauthenticated attacker to achieve remote code execution" in specific versions of their products.

Which Products Are Affected?

Here's the rundown of affected products and their corresponding fixes:

• Ivanti Connect Secure (versions 22.7R2.5 and prior) - Fixed in version 22.7R2.6 (released February 11, 2025)
• Pulse Connect Secure (versions 9.1R18.9 and prior) - Fixed in version 22.7R2.6 (Contact Ivanti for migration assistance, as this product is end-of-life as of December 31, 2024)
• Ivanti Policy Secure (versions 22.7R1.3 and prior) - Fixed in version 22.7R1.4 (Available April 21)
• ZTA Gateways (versions 22.8R2 and prior) - Fixed in version 22.8R2.2 (Available April 19)

According to Ivanti, some Connect Secure and Pulse Connect Secure users have already been targeted. Thankfully, there's no current evidence of Policy Secure or ZTA gateways being exploited said.

Ivanti advises monitoring your external ICT (Information and Communications Technology) infrastructure for web server crashes. If you suspect a compromise, they recommend a factory reset and then restoring the appliance with version 22.7R2.6.

Don't Forget Previous Patches!

It's also worth noting that Connect Secure version 22.7R2.6 already addressed several other critical vulnerabilities (CVE-2024-38657, CVE-2025-22467, and CVE-2024-10644) that could allow attackers to write arbitrary files and execute code remotely.

What are the Hackers Up To?

Google's Mandiant team reported seeing CVE-2025-22457 being exploited in mid-March 2025. Attackers were using it to deliver a dropper called TRAILBLAZE, a backdoor named BRUSHFIRE, and the SPAWN malware suite.

The attack sequence involves a multi-stage shell script dropper that executes TRAILBLAZE. Then, BRUSHFIRE gets injected directly into the memory of a web process to avoid detection. The goal? To establish persistent backdoor access, potentially leading to stolen credentials, further network breaches, and data theft.

The SPAWN Malware Ecosystem

The SPAWN malware suite includes these components:

• SPAWNSLOTH: A utility for tampering with logs, disabling logging and log forwarding.
• SPAWNSNARE: A program that extracts the uncompressed linux kernel image and encrypts it.
• SPAWNWAVE: An improved version of SPAWNANT, combining elements from other SPAWN variants.

This activity is linked to a China-nexus group called UNC5221, which has a history of exploiting zero-day flaws in Ivanti Connect Secure devices. Other related groups include UNC5266, UNC5291, UNC5325, UNC5330, UNC5337, and UNC3886.

UNC5221 may also be connected to groups like APT27, Silk Typhoon, and UTA0178, although this connection isn't definitively confirmed.

"Mandiant tracks UNC5221 as a cluster of activity that has repeatedly exploited edge devices with zero-day vulnerabilities," said Dan Perez, China Mission Technical Lead, Google Threat Intelligence Group.

Hiding Their Tracks

Besides exploiting zero-day vulnerabilities like CVE-2023-4966 in Citrix NetScaler devices, UNC5221 uses compromised Cyberoam appliances, QNAP devices, and ASUS routers to hide their true location during attacks. Microsoft highlighted this tactic, calling it Silk Typhoon's latest tradecraft.

Researchers believe the attackers likely reverse-engineered the February Ivanti patch to find ways to exploit older, unpatched systems. This marks the first time UNC5221 has been linked to N-day exploitation of Ivanti flaws.

"This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups," said Charles Carmakal, Mandiant Consulting CTO.

"These actors will continue to research security vulnerabilities and develop custom malware for enterprise systems that don't support EDR solutions. The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase and these actors are better than ever."

Update: CISA Adds Vulnerability to KEV Catalog

On April 4, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-22457 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are required to apply the fixes by April 11, 2025.

CISA also recommended performing a factory reset of affected appliances, isolating compromised instances from the network, and rotating passwords.

"It is vital organizations do their own analysis and that the industry continues to review vulnerabilities and their exploitability and impact independently when making risk decisions," said watchTowr CEO Benjamin Harris.