CVE-2025-22457: Ivanti Connect Secure Zero-Day and Chinese APT Group


Ivanti has rolled out important security patches for a serious vulnerability in its Connect Secure VPN appliances. The flaw, tracked as CVE-2025-22457, has been actively exploited by China-linked cyber spies since at least mid-March 2025.

This vulnerability is a stack-based buffer overflow issue that allows remote code execution. In simple terms, attackers can run malicious code on affected systems from a distance — without needing any login credentials or user interaction. Ivanti confirmed the flaw affects multiple products, including:

  • Ivanti Connect Secure (version 22.7R2.5 and earlier)

  • Ivanti Policy Secure (22.7R1.3 and earlier)

  • Pulse Connect Secure (9.1x, which reached end-of-support in December 2024)

  • Neurons for ZTA gateways (22.8R2 and earlier)

Exploited Since March, Patch Released in February

Though attackers have been exploiting this flaw since March, Ivanti had quietly released a patch back on February 11, 2025, with version 22.7R2.6. At that time, the vulnerability was misclassified as a product bug and not considered a serious security risk.

Ivanti originally stated that the buffer overflow was not exploitable for remote code execution due to restrictions in the input (limited to periods and numbers). However, recent investigations with security partners revealed that advanced attackers found a way to bypass those limits and successfully exploit the flaw in the wild.

Now aware of active exploitation, Ivanti strongly urges all customers to update to version 22.7R2.6 or later immediately.

Patches for Other Products Coming Soon

While Ivanti Connect Secure has already been patched, updates for other affected products are still on the way:

| Product | Affected Versions | Fixed Version | Patch Release Date |
| --- | --- | --- | --- |
| Ivanti Connect Secure | 22.7R2.5 and earlier | 22.7R2.6 | Released (Feb 2025) |
| Pulse Connect Secure | 9.1R18.9 and earlier | 22.7R2.6 | Contact Ivanti to migrate |
| Ivanti Policy Secure | 22.7R1.3 and earlier | 22.7R1.4 | April 21 |
| ZTA Gateways | 22.8R2 and earlier | 22.8R2.2 | April 19 |

Ivanti noted that no exploitation has been observed on the ZTA and Policy Secure gateways, and the risk for those systems is currently considered low.

China-Linked UNC5221 Behind the Attacks

Cybersecurity researchers from Mandiant and Google Threat Intelligence Group (GTIG) have linked the attacks to UNC5221, a China-nexus espionage group that has a history of targeting zero-day flaws in edge network devices.

After exploiting CVE-2025-22457, the group deployed two new malware strains:

  • TRAILBLAZE – a memory-resident dropper

  • BRUSHFIRE – a passive backdoor

Additionally, previously known SPAWN malware related to UNC5221 was also observed in these attacks.

Mandiant believes the attackers reverse-engineered the February patch (22.7R2.6) to identify the underlying vulnerability and figured out how to exploit it in earlier versions like 22.7R2.5.


A Pattern of Persistent Exploitation

UNC5221 has been on the radar for multiple high-profile exploits. In early 2024, the group chained two zero-day vulnerabilities — CVE-2023-46805 and CVE-2024-21887 — to hack into MITRE Corporation’s network. They have also exploited another Ivanti flaw, CVE-2025-0282, to drop Dryhook and Phasejam malware on vulnerable systems.

In January 2024, Volexity reported that UNC5221 had backdoored over 2,100 Ivanti appliances using a web shell called GIFTEDVISITOR, highlighting just how widespread and coordinated these attacks can be.

What Admins Should Do Now

Ivanti advises system administrators to:

  1. Immediately upgrade Connect Secure to version 22.7R2.6 or later.

  2. Use the Integrity Checker Tool (ICT) to detect any signs of compromise.

  3. Monitor for unusual web server crashes.

  4. If any compromise is detected, factory reset the appliance and reinstall the patched software.

Ivanti also confirmed that its ICT successfully identified compromise in a small number of cases involving older, unsupported versions like ICS 9.X and 22.7R2.5.
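Step 1 above is only actionable once you know which appliances in your estate are still below the fixed build. The following script is an added example (not Ivanti tooling or code from this article) that parses Ivanti's "22.7R2.6"-style version strings and triages an inventory against the fixed versions listed in the table above. The hostnames in SAMPLE_INVENTORY are constructed placeholders, and treating every release below the 22.x line as end-of-support (so the 9.1x Pulse line is reported as "migrate" rather than "patch") is an assumption drawn from the table's "Contact Ivanti to migrate" entry.

```python
"""Triage an appliance inventory against the CVE-2025-22457 fixed versions.

Added example; not Ivanti's code. Version strings follow the pattern seen in the
advisory: <major>.<minor>R<release>[.<patch>], e.g. "22.7R2.6" or "22.8R2".
"""
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Fixed versions per product, taken from the advisory table. Pulse Connect Secure
# 9.1x has no fix on its own line; the remedy is migration to 22.7R2.6.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.4",
    "ZTA Gateways": "22.8R2.2",
}

# Assumption: anything older than the 22.x line (i.e. the 9.1x Pulse builds) is
# end-of-support and must be migrated rather than patched in place.
SUPPORTED_MAJOR = 22


def parse_version(text):
    """Turn '22.7R2.5' into a comparable tuple (22, 7, 2, 5); a missing patch is 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(product, version):
    """Return 'patched', 'vulnerable' or 'unsupported' for a single appliance."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for {product!r}")
    running = parse_version(version)
    if running[0] < SUPPORTED_MAJOR:
        return "unsupported"  # e.g. 9.1R18.9: migrate, do not wait for a patch
    # Integer-tuple comparison orders 22.7R2.10 after 22.7R2.6, unlike string comparison.
    if running >= parse_version(FIXED_VERSIONS[product]):
        return "patched"
    return "vulnerable"


def triage(inventory):
    """Map every (host, product, version) to its status, worst cases first."""
    severity = {"vulnerable": 0, "unsupported": 1, "patched": 2}
    rows = [(host, product, version, assess(product, version))
            for host, product, version in inventory]
    return sorted(rows, key=lambda r: (severity[r[3]], r[0]))


# Constructed sample inventory with placeholder hostnames; not data from the article.
SAMPLE_INVENTORY = [
    ("vpn-1.example.test", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-2.example.test", "Ivanti Connect Secure", "22.7R2.6"),
    ("vpn-old.example.test", "Ivanti Connect Secure", "9.1R18.9"),
    ("nac-1.example.test", "Ivanti Policy Secure", "22.7R1.3"),
    ("zta-1.example.test", "ZTA Gateways", "22.8R2.2"),
]

if __name__ == "__main__":
    for host, product, version, status in triage(SAMPLE_INVENTORY):
        print(f"{status:<11} {host:<22} {product:<22} {version}")
```

Run it against an export from your asset inventory in place of SAMPLE_INVENTORY; hosts reported as "vulnerable" are the ones to upgrade and then run the ICT against, and "unsupported" hosts need a migration plan rather than a patch window.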

A Message from Ivanti

Ivanti’s Chief Security Officer, Daniel Spicer, emphasized the ongoing risks facing network security appliances:

“Network security and edge devices are prime targets for sophisticated threat actors. We are working closely with Mandiant and other partners to provide all necessary information to help organizations stay secure. Customers running supported versions and following Ivanti’s guidance are at significantly reduced risk.”

Final Thoughts

This incident highlights the critical importance of keeping security appliances updated, especially those sitting at the network edge. With state-sponsored threat groups like UNC5221 actively exploiting zero-days, organizations need to stay ahead by applying patches, monitoring logs, and hardening configurations.

Stay informed, patch regularly, and consider implementing zero trust security models to reduce exposure. The CVE-2025-22457 flaw may be fixed, but the threat landscape remains active — and relentless.
