China-Linked Threat Group UNC5221 Exploits Ivanti Vulnerability CVE-2025-22457 for Remote Code Execution and Malware Deployment in Enterprise Networks
A China-linked cyber-espionage group known as UNC5221 is actively exploiting a critical vulnerability (CVE-2025-22457) in Ivanti’s Connect Secure and Policy Secure products that was originally assessed as low risk. The flaw allows remote code execution and has been used to deploy two newly discovered malware families—Trailblaze and Brushfire—on compromised systems. The threat group began exploitation shortly after Ivanti patched the flaw in February 2025. Mandiant and Ivanti have urged immediate upgrades and factory resets for affected devices. This attack highlights the growing trend of targeting edge security devices to gain privileged access into enterprise networks.

Ivanti initially patched the CVE-2025-22457 vulnerability in February 2025 and labeled it as low risk. The flaw, a buffer overflow, was believed to accept only a limited set of characters (periods and digits), so experts assumed it could enable nothing worse than a minor denial-of-service (DoS) condition.
However, by April 3, 2025, Ivanti revised this evaluation. New intelligence revealed that the vulnerability is, in fact, exploitable through advanced techniques, making remote code execution possible. As a result, Ivanti updated the flaw’s rating to a critical severity score of 9/10 on the CVSS scale.
Affected versions include:
- Ivanti Connect Secure 22.7R2.5 and earlier
- Ivanti Policy Secure
- Ivanti ZTA gateways
- Pulse Connect Secure 9.x (support ended on December 31, 2024)
Who Is Exploiting the Vulnerability?
The group exploiting the flaw has been identified as UNC5221, a China-nexus cyber-espionage actor. This group is known for targeting critical infrastructure and enterprise systems using zero-day vulnerabilities.
According to a joint investigation by Ivanti and Mandiant, UNC5221 began exploiting the vulnerability shortly after the February patch was released. By analyzing the differences between vulnerable and patched versions, the group discovered a way to weaponize the buffer overflow for remote code execution.
What Malware Is Being Dropped?
Mandiant observed UNC5221 deploying two new malware families on compromised systems:
- Trailblaze – a stealthy, in-memory dropper that loads the second malware
- Brushfire – a passive backdoor that enables persistent access
In addition to these, the group has also used familiar tools from past campaigns:
- Spawnsloth – a log tampering tool
- Spawnsnare – an encryption utility
- Spawnant – a malware installer
These tools are used to maintain access, move laterally, and exfiltrate data while avoiding detection.
Ivanti’s Response and Recommendations
Ivanti urges all organizations using affected products to take the following steps immediately:
- Upgrade to version 22.7R2.6 of Connect Secure, released in February.
- Factory reset compromised appliances and reconfigure them from scratch using the updated version.
- Migrate from Pulse Connect Secure 9.x, which is no longer supported.
- Apply new patches for Policy Secure on April 21 and for ZTA Gateways on April 19.
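The affected-version list and the upgrade guidance above translate into a simple fleet triage check. The following is an added example, not code from Ivanti or Mandiant: it parses Connect Secure version strings in the "major.minor R release[.build]" shape seen on the page (the optional build component is an assumption), treats anything below 22.7R2.6 as vulnerable and Pulse Connect Secure 9.x as end-of-life, and covers only Connect Secure / Pulse Connect Secure because the page gives no fixed version numbers for Policy Secure or ZTA Gateways.

```python
import re
from typing import Dict, Tuple

# Connect Secure versions look like "22.7R2.5": major.minor R release[.build].
# The optional ".build" part is an assumption beyond the versions quoted on the page.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)

FIXED_CONNECT_SECURE = "22.7R2.6"  # fixed release named by Ivanti
PULSE_EOL_MAJOR = 9                # Pulse Connect Secure 9.x, unsupported since 2024-12-31


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5) so versions compare as plain tuples."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, build = match.groups()
    return (int(major), int(minor), int(release), int(build or 0))


def assess_connect_secure(version: str) -> str:
    """Classify one Connect Secure / Pulse Connect Secure version.

    Returns 'end-of-life' (migrate), 'vulnerable' (upgrade), or 'patched'.
    Releases newer than the fixed version are assumed to carry the fix.
    """
    parsed = parse_version(version)
    if parsed[0] == PULSE_EOL_MAJOR:
        return "end-of-life"          # no fix will ship for 9.x; migrate instead
    if parsed < parse_version(FIXED_CONNECT_SECURE):
        return "vulnerable"           # 22.7R2.5 and earlier
    return "patched"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each appliance name to its verdict; `inventory` is {name: version}."""
    return {name: assess_connect_secure(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {"vpn-a": "22.7R2.5", "vpn-b": "22.7R2.6",
              "vpn-c": "22.6R2", "legacy": "9.1R18.9"}
    for name, verdict in triage(sample).items():
        print(f"{name}: {sample[name]} -> {verdict}")
```

A "vulnerable" or "end-of-life" verdict only says the appliance needs the upgrade or migration step; it does not tell you whether it was already compromised, which is why the factory-reset guidance above still applies.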
The Bigger Picture: Why Attackers Target Edge Devices
Attacks like this reflect a broader trend in cyber threats. VPNs, firewalls, and edge devices often serve as privileged entry points into corporate networks. When attackers gain access to these devices, they can:
- Bypass traditional security defenses
- Establish persistent backdoors
- Move laterally across networks
- Launch wider ransomware or espionage campaigns
UNC5221 has repeatedly targeted Ivanti products, exploiting multiple zero-days:
- CVE-2025-0282 and CVE-2025-0283 in Connect Secure VPNs (disclosed in January 2025)
- CVE-2023-46805 and CVE-2024-21887 in earlier campaigns
The US Cybersecurity and Infrastructure Security Agency (CISA) also issued a warning about one of these vulnerabilities being used to deploy a malware named Resurge.
Conclusion
This case is a reminder that patching isn't just routine—it’s mission critical. Even flaws initially rated as low risk can become devastating if ignored. Organizations using Ivanti products must act quickly to patch vulnerable systems, check for signs of compromise, and implement better monitoring across edge devices. The exploitation of CVE-2025-22457 demonstrates how persistent, nation-state actors can weaponize even obscure vulnerabilities when given the opportunity.
FAQs
What is CVE-2025-22457?
CVE-2025-22457 is a buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateway products that allows attackers to execute arbitrary code remotely.
Who is UNC5221?
UNC5221 is a China-linked advanced persistent threat (APT) group known for cyber-espionage campaigns targeting edge network devices.
How serious is the CVE-2025-22457 vulnerability?
Ivanti has upgraded its severity rating to 9/10 on the CVSS scale, marking it as a critical vulnerability due to its remote code execution capabilities.
What products are affected by this Ivanti vulnerability?
Ivanti Connect Secure (versions 22.7R2.5 and earlier), Policy Secure, ZTA Gateways, and Pulse Connect Secure 9.x are affected.
Was this vulnerability being actively exploited?
Yes, Mandiant and Ivanti have confirmed that UNC5221 began exploiting the flaw soon after the initial patch was released.
What malware is being used in this campaign?
UNC5221 has deployed two new malware families, Trailblaze (a dropper) and Brushfire (a backdoor), along with older tools like Spawnsloth, Spawnsnare, and Spawnant.
What is Trailblaze malware?
Trailblaze is an in-memory dropper that executes malicious payloads without leaving persistent files on disk.
What does Brushfire do?
Brushfire is a passive backdoor that enables long-term unauthorized access to a compromised system.
How did attackers bypass the initial risk assessment?
They reverse-engineered the patch and found a sophisticated way to bypass character restrictions in the buffer to achieve code execution.
What is Ivanti’s recommendation to users?
Ivanti urges users to upgrade to version 22.7R2.6, factory reset compromised systems, and apply upcoming patches for Policy Secure and ZTA Gateway.
Is Pulse Connect Secure still supported?
No, support for Pulse Connect Secure 9.x ended on December 31, 2024, and affected users should migrate immediately.
When are patches for other Ivanti products being released?
Ivanti will patch Policy Secure on April 21 and automatically patch ZTA Gateways on April 19.
Has CISA issued any warnings related to this vulnerability?
Yes, CISA has warned about active exploitation of Ivanti vulnerabilities in recent advisories.
What was the original risk level of the flaw?
Initially, Ivanti labeled the buffer overflow as low risk, assuming it couldn't be exploited for RCE.
How did Mandiant discover the malware activity?
Through forensic analysis of compromised systems and close collaboration with Ivanti.
Why are edge devices like VPNs being targeted?
They often have high privileges and access to internal networks, making them valuable entry points for attackers.
What other Ivanti vulnerabilities has UNC5221 exploited in the past?
They exploited CVE-2025-0282, CVE-2025-0283, CVE-2023-46805, and CVE-2024-21887 in previous campaigns.
What is Spawnsloth?
Spawnsloth is a log-tampering tool used to hide traces of the attack on compromised systems.
What is Spawnsnare?
Spawnsnare is an encryption tool deployed by UNC5221 to obfuscate payloads or lock systems.
What is Spawnant used for?
Spawnant is an installer used to deploy other malicious payloads on the system.
Can this vulnerability lead to lateral movement?
Yes, once attackers gain a foothold, they can move laterally across the network to access more sensitive systems.
What is remote code execution (RCE)?
RCE is a type of attack where the threat actor can run arbitrary commands on a remote system.
Is Ivanti responsible for underestimating the vulnerability?
Ivanti’s original assessment underestimated the exploitability, but they have since issued corrections and patches.
Should organizations factory reset compromised appliances?
Yes, Ivanti recommends a factory reset followed by a clean deployment using the patched version.
Can antivirus detect these malware families?
Traditional antivirus tools may miss these threats due to their stealthy, in-memory nature.
How can organizations monitor for exploitation?
They should monitor unusual activity, use endpoint detection and response (EDR) tools, and apply the latest threat intelligence.
What is CVSS?
The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of security vulnerabilities.
What does this incident reveal about patch management?
It highlights the importance of timely patching and not underestimating vulnerabilities based on initial assumptions.
Why is it important to update to supported Ivanti versions?
Unsupported versions are not eligible for security updates and are more vulnerable to known exploits.
Is this an isolated attack?
No, it is part of a broader campaign of edge-device exploitation by advanced nation-state actors.