
Ivanti has disclosed details of a now-patched critical security vulnerability in Connect Secure that is under active exploitation in the wild.
The vulnerability, tracked as CVE-2025-22457 (CVSS score: 9.0), is a stack-based buffer overflow that can be exploited to execute arbitrary code on an affected system.
“A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution,” Ivanti said in an advisory released Thursday.
The flaw affects the following products and versions:
Ivanti Connect Secure (version 22.7R2.5 and prior) – Fixed in version 22.7R2.6 (patch released on February 11, 2025)
Ivanti Policy Secure (version 22.7R1.3 and prior) – Fixed in version 22.7R1.4 (available on April 21)
Ivanti ZTA Gateways (version 22.8R2 and prior) – Fixed in version 22.8R2.2 (available on April 19)
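The affected and fixed versions above are easy to misread because Ivanti version strings (e.g. 22.7R2.6) do not compare correctly as plain decimals. The following Python script is an added example, not code from Ivanti or from the article, that parses this version format and triages an appliance inventory against the fixed versions quoted above; the `major.minorRrelease.patch` layout is assumed from the version strings on the page, and the inventory hosts are constructed sample data.

```python
import re
from typing import List, Tuple

# Fixed versions as stated in the Ivanti advisory quoted above.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.4",
    "Ivanti ZTA Gateways": "22.8R2.2",
}

# Assumed layout of Ivanti version strings: <major>.<minor>R<release>[.<patch>]
# (22.8R2 is treated as 22.8R2.0, so it sorts below 22.8R2.2).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.6' into a comparable tuple (22, 7, 2, 6)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the running version is older than the fixed version for that product."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"no fixed version known for product {product!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames (sorted) whose product/version pair is still below the fix."""
    needs_patch = []
    for hostname, product, version in inventory:
        if is_vulnerable(product, version):
            needs_patch.append(hostname)
    return sorted(needs_patch)


# Constructed sample inventory for demonstration; not real hosts.
SAMPLE_INVENTORY = [
    ("vpn-edge-01", "Ivanti Connect Secure", "22.7R2.5"),   # below 22.7R2.6 -> vulnerable
    ("vpn-edge-02", "Ivanti Connect Secure", "22.7R2.6"),   # at the fix -> not vulnerable
    ("nac-core-01", "Ivanti Policy Secure", "22.7R1.3"),    # below 22.7R1.4 -> vulnerable
    ("zta-gw-01", "Ivanti ZTA Gateways", "22.8R2"),         # 22.8R2.0 < 22.8R2.2 -> vulnerable
    ("zta-gw-02", "Ivanti ZTA Gateways", "22.8R2.2"),       # at the fix -> not vulnerable
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: below fixed version, patch and run the ICT")
```

Because `is_vulnerable` compares against the fixed version rather than a hard-coded "latest affected" string, it also catches releases that sit between the values the advisory names (for example a Connect Secure 22.7R2.4 build).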

The company said it is aware of a “limited number of customers” whose Connect Secure and end-of-support Pulse Connect Secure appliances have been exploited. There is no evidence that Policy Secure or ZTA Gateways have been exploited in the wild.
“Customers should monitor their external ICT [Integrity Checker Tool] and look for web server crashes,” Ivanti said. “If your ICT result shows signs of compromise, you should perform a factory reset on the appliance and then put the appliance back into production using version 22.7R2.6.”
Notably, Connect Secure version 22.7R2.6 also addresses multiple other critical vulnerabilities (CVE-2024-38657, CVE-2025-22467, and CVE-2024-10644) that allow remote authenticated attackers to create arbitrary files and execute arbitrary code.
Google-owned Mandiant observed evidence of CVE-2025-22457 exploitation in mid-March 2025, with threat actors delivering an in-memory dropper called Trailblaze, a passive backdoor codenamed Brushfire, and the Spawn malware suite.
The attack chain essentially uses a multi-stage shell script dropper to execute Trailblaze, which then injects Brushfire directly into the memory of the running web process to evade detection. The exploitation activity is designed to establish persistent backdoor access to compromised appliances, which could enable credential theft, further network intrusion, and data exfiltration.
The use of Spawn is attributed to a China-nexus adversary tracked as UNC5221, alongside clusters such as UNC5266, UNC5291, UNC5325, UNC537, UNC5337, and UNC386, which have a history of exploiting zero-day flaws in Ivanti Connect Secure (ICS) devices.
According to the U.S. government, UNC5221 is assessed to share overlaps with threat groups such as APT27, Silk Typhoon, and UTA0178. However, the threat intelligence firm told The Hacker News that there is insufficient evidence to confirm the connection.
“Mandiant tracks UNC5221 as a cluster of activity that has repeatedly exploited edge devices with zero-day vulnerabilities,” said Dan Perez, China Mission Technical Lead at Google Threat Intelligence Group.
“The link between this cluster and the government-contracted APT27 is plausible, but there is no independent evidence to confirm it. Silk Typhoon is Microsoft’s name for this activity, and we cannot speak to their attribution.”

UNC5221 has also been observed using an obfuscation network of compromised Cyberoam appliances, QNAP devices, and ASUS routers to mask its true source during intrusion operations.
The company also theorized that the threat actors likely analyzed the February patch released by Ivanti and found a way to exploit earlier versions to achieve remote code execution on unpatched systems. The development is believed to mark the first time the group has exploited an N-day security flaw in Ivanti devices.
“This latest activity from UNC5221 highlights the ongoing targeting of edge devices globally by China-nexus espionage groups,” said Charles Carmakal, CTO of Mandiant Consulting.
“These actors continue to research security vulnerabilities and develop custom malware for enterprise systems that do not support EDR solutions. The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase, and these actors are better than ever.”