Critical Ivanti Vulnerability Actively Exploited for TRAILBLAZE and BRUSHFIRE Malware Deployment

Ivanti Reveals Critical Security Vulnerability in Connect Secure, Active Exploitation Detected

Ivanti has disclosed a critical security vulnerability in its Connect Secure product that is being actively exploited in the wild. Tracked as CVE-2025-22457 and rated CVSS 9.0, the flaw is a stack-based buffer overflow that an attacker can use to execute arbitrary code on an affected appliance.

According to Ivanti's advisory, the flaw affects Ivanti Connect Secure (versions before 22.7R2.6), Ivanti Policy Secure (before 22.7R1.4), and Ivanti ZTA Gateways (before 22.8R2.2). It can be exploited remotely without authentication, which makes it a serious concern for any organization that exposes these appliances to the internet. Ivanti confirmed that a limited number of customers have had Connect Secure appliances, and end-of-support Pulse Connect Secure appliances, compromised. It has no evidence so far that Policy Secure or ZTA Gateways have been exploited in the wild.
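As a worked example added here (not Ivanti's tooling and not part of the original article), the following Python script turns the version thresholds above into an inventory check. The product keys and hostnames are hypothetical labels chosen for the example, and the fixed build numbers are taken from this page's summary of the advisory; confirm them against Ivanti's advisory before acting on the output.

```python
import re
from typing import Dict, List, Tuple

# Minimum fixed build per product line, as stated on this page. The product keys
# are labels chosen for this example, not Ivanti identifiers; confirm the build
# numbers against the vendor advisory before acting on the output.
FIXED_BUILDS: Dict[str, str] = {
    "connect-secure": "22.7R2.6",   # Ivanti Connect Secure
    "policy-secure": "22.7R1.4",    # Ivanti Policy Secure
    "zta-gateway": "22.8R2.2",      # Ivanti ZTA Gateways
}

# Ivanti builds look like "22.7R2.5" (major.minor R release . patch); the patch
# component is optional, as in "22.8R2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse an Ivanti build string into a comparable (major, minor, release, patch) tuple.

    Comparing the integer tuple rather than the raw string matters: as strings,
    "22.7R2.10" sorts before "22.7R2.6", which would mark a newer build as vulnerable.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def assess(product: str, version: str) -> str:
    """Classify one appliance as 'fixed', 'vulnerable' or 'end-of-support'."""
    if product not in FIXED_BUILDS:
        raise KeyError(f"unknown product line: {product!r}")
    build = parse_version(version)
    # Pulse Connect Secure 9.x is end-of-support: the page notes such appliances were
    # among those compromised, and the only remediation is migrating to a supported build.
    if product == "connect-secure" and build[0] < 22:
        return "end-of-support"
    return "fixed" if build >= parse_version(FIXED_BUILDS[product]) else "vulnerable"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return every (host, product, version, status) row that still needs action."""
    findings = []
    for host, product, version in inventory:
        status = assess(product, version)
        if status != "fixed":
            findings.append((host, product, version, status))
    return findings


# Constructed sample inventory with hypothetical hostnames, not real data.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("vpn-edge-01", "connect-secure", "22.7R2.5"),    # one build short of the fix
    ("vpn-edge-02", "connect-secure", "22.7R2.6"),    # fixed
    ("vpn-legacy-03", "connect-secure", "9.1R18.9"),  # end-of-support Pulse Connect Secure
    ("nac-01", "policy-secure", "22.7R1.3"),
    ("nac-02", "policy-secure", "22.7R1.4"),
    ("zta-gw-01", "zta-gateway", "22.8R2"),           # no patch component: treated as .0
    ("zta-gw-02", "zta-gateway", "22.8R2.2"),
]

if __name__ == "__main__":
    for host, product, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {product:15} {version:10} {status}")
```

Feed `triage()` the real inventory exported from your asset management system and treat every row it returns as work: "vulnerable" hosts need the fixed build, and "end-of-support" hosts need a migration plan rather than a patch. Note that the check reports only whether a build is current; it says nothing about whether an appliance was already compromised before the upgrade, which is what the Integrity Checker Tool is for.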

Customers should monitor the results of the external Integrity Checker Tool (ICT), which runs from outside the appliance and is therefore harder for an implant on the device to tamper with, and should watch for web server crashes, which Ivanti cites as a possible sign of exploitation attempts. If the ICT shows signs of compromise, Ivanti recommends a factory reset of the appliance before returning it to production on the fixed version 22.7R2.6. That release also addresses other critical vulnerabilities that could let a remote, authenticated attacker execute arbitrary code or manipulate files.

According to Mandiant, exploitation of CVE-2025-22457 began in mid-March 2025. After gaining initial access, the attackers used a multi-stage shell script to run TRAILBLAZE, an in-memory dropper, which in turn injected BRUSHFIRE, a passive backdoor, into the memory of the appliance's running web server process. Because nothing is written to disk, the implant evades file-based detection. Mandiant also noted that a compromised appliance gives the attacker a foothold for credential theft and further intrusion into the network behind it.

The actors also deployed tooling from the SPAWN malware ecosystem, which among other capabilities lets them tamper with log files and disable logging on the appliance, making the intrusion harder to reconstruct. In MITRE ATT&CK terms the chain starts with Exploit Public-Facing Application (T1190) for initial access and relies on Indicator Removal (T1070) and in-memory execution for defense evasion, consistent with a deliberate, repeatable approach to exploiting zero-day vulnerabilities in edge devices such as Ivanti's Connect Secure.

Mandiant attributes the activity to UNC5221, a China-nexus espionage group with an established pattern of zero-day exploitation, including previous campaigns against Ivanti devices, which underlines the persistent threat to edge devices worldwide. Analysts assess that the group studied the patch Ivanti shipped in 22.7R2.6, worked out how to exploit the flaw in earlier releases, and then targeted systems that had not yet upgraded. The practical consequence is that a bug fixed quietly in a newer release becomes exploitable for every organization still running an older or unsupported version.

On April 4, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-22457 to its Known Exploited Vulnerabilities (KEV) catalog and required federal civilian agencies to apply the fix by April 11, 2025. For appliances showing signs of compromise, CISA recommends a factory reset, isolating the device from the network, and resetting credentials, since a backdoored VPN appliance may have exposed passwords and sessions that a rebuild alone does not invalidate.

The practical lesson is that edge appliances need the same discipline as any other internet-facing system: know which versions are deployed, track vendor advisories and the CISA KEV catalog, assess exploitability rather than waiting for confirmed attacks, and treat a bug fixed in a newer release as exploitable from the day the patch ships. This incident is another reminder that a well-resourced actor can turn a quiet fix into a working exploit against everyone who has not yet upgraded.