Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025.

Tracked as CVE-2025-22457, this critical security flaw is due to a stack-based buffer overflow weakness. It impacts Pulse Connect Secure 9.1x (which reached end-of-support in December), Ivanti Connect Secure 22.7R2.5 and earlier, Policy Secure, and Neurons for ZTA gateways.

According to Ivanti’s advisory, remote threat actors can exploit it in high-complexity attacks that don’t require authentication or user interaction. The company patched the vulnerability on February 11, 2025, with the release of Ivanti Connect Secure 22.7R2.6 after initially tagging it as a product bug.

“The vulnerability is a buffer overflow with characters limited to periods and numbers, it was evaluated and determined not to be exploitable as remote code execution and didn’t meet the requirements of denial of service,” Ivanti said on Thursday.

“However, Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild. We encourage all customers to ensure they are running Ivanti Connect Secure 22.7R2.6 as soon as possible, which remediates the vulnerability.”

While security patches for ZTA and Ivanti Policy Secure gateways are still in development and will be released on April 19 and April 21, respectively, Ivanti said that it’s “not aware of any exploitation” targeting these gateways, which also have what “meaningfully reduced risk from this vulnerability.”

Ivanti also advised admins to monitor their external Integrity Checker Tool (ICT) and look for web server crashes. If any signs of compromise are discovered, admins should factory reset impacted appliances and put them back in production using software version 22.7R2.6.

Attacks linked to UNC5221 Chinese-nexus cyberspies

While Ivanti has yet to disclose more details regarding CVE-2025-22457 attacks, Mandiant and Google Threat Intelligence Group (GTIG) security researchers revealed today that a suspected China-nexus espionage actor exploited the vulnerability tracked as UNC5221 since at least mid-March 2025.

“Following successful exploitation, we observed the deployment of two newly identified malware families, the TRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor. Additionally, deployment of the previously reported SPAWN ecosystem of malware attributed to UNC5221 was also observed,” Mandiant said.

“We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution.”

UNC5221 is known for targeting zero-day vulnerabilities in network edge devices since 2023, including various Ivanti and NetScaler appliances. Most recently, the Chinese hackers exploited CVE-2025-0282, another Ivanti Connect Secure buffer overflow, to drop new Dryhook and Phasejam malware on compromised VPN appliances.

One year ago, the hacking group also chained two Connect Secure and Policy Secure zero-days (CVE-2023-46805 and CVE-2024-21887) to remotely execute arbitrary commands on targeted ICS VPN and IPS network access control (NAC) appliances. One of their victims was the MITRE Corporation, which disclosed the breach in April 2024.

​Threat intelligence company Volexity said in January 2024 that UNC5221 had backdoored over 2,100 Ivanti appliances using the GIFTEDVISITOR webshell in attacks chaining the two zero days.

As CISA and the FBI warned in January 2025, attackers are still breaching vulnerable networks using exploits targeting Ivanti Cloud Service Appliances (CSA) security vulnerabilities patched since September. Multiple other Ivanti security flaws have been exploited as zero-days over the last year against the company’s VPN appliances and ICS, IPS, and ZTA gateways.

Update April 03, 14:16 EDT: Ivanti CSO Daniel Spicer sent the following statement after the story was published.

Network security devices and edge devices in particular are a focus of sophisticated and highly persistent threat actors, and Ivanti is committed to providing information to defenders to ensure they can take every possible step to secure their environments. To this end, in addition to providing an advisory directly to customers, Ivanti worked closely with its partner Mandiant to provide additional information regarding this recently addressed vulnerability. Importantly, this vulnerability was fixed in ICS 22.7R2.6, released February 11, 2025, and customers running supported versions on their appliances and in accordance with the guidance provided by Ivanti have a significantly reduced risk. Ivanti’s Integrity Checker Tool (ICT) has been successful in detecting potential compromise on a limited number of customers running ICS 9.X (end of life) and 22.7R2.5 and earlier versions.