A critical security vulnerability in Ivanti’s Connect Secure product has been actively exploited in the wild to deploy two pieces of malware, TRAILBLAZE and BRUSHFIRE. Ivanti, a vendor of IT management and security software, disclosed the now-patched flaw, which drew immediate attention because of its severity and because a sophisticated threat actor was already exploiting it.
The Vulnerability
CVE-2025-22457 Explained
At the heart of this issue is the vulnerability tracked as CVE-2025-22457, which carries a CVSS score of 9.0 (critical). It is a stack-based buffer overflow that a remote, unauthenticated attacker can trigger to execute arbitrary code on an affected appliance, gaining full control of the device and a foothold for credential theft and further intrusion into the network behind it. A flaw of this kind on an internet-facing VPN gateway is exactly the case where applying patches promptly, and verifying that they were applied, matters most.
A stack-based buffer overflow occurs when input larger than a fixed-size buffer on the stack is written into it, overwriting adjacent data such as saved return addresses and letting the attacker redirect the program's control flow. Code executed this way runs with the privileges of the affected process, which on a VPN appliance is enough to compromise the integrity of the device and the confidentiality of the credentials and traffic it handles. Organizations should therefore treat any appliance that ran an affected build while exposed to the internet as a candidate for compromise, not merely as a system awaiting an update.
Affected Products and Versions
The impacted products and versions are Ivanti Connect Secure 22.7R2.5 and prior (patched in 22.7R2.6), Pulse Connect Secure 9.1R18.9 and prior (end-of-support; the fix is to migrate to Connect Secure 22.7R2.6, for which Ivanti offers migration assistance), Ivanti Policy Secure 22.7R1.3 and prior (fix in 22.7R1.4, available from April 21), and ZTA Gateways 22.8R2 and prior (fix in 22.8R2.2, available from April 19). Every build in those ranges is exposed, so patching is the priority.
Ivanti has acknowledged that a limited number of Connect Secure and end-of-support Pulse Connect Secure appliances were targeted and exploited; it has no evidence so far of exploitation against Policy Secure or ZTA Gateways. The company advises customers to monitor the results of the external Integrity Checker Tool (ICT) and to watch for web server crashes, which can be a sign of exploitation attempts. Where signs of compromise are found, the appliance should be factory reset and then brought up on the patched release, rather than upgraded in place, so that anything an attacker left behind does not survive the update.
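One way to turn the version list above into a repeatable check, as an added example that is not Ivanti's own tooling: the script parses Ivanti's `major.minorRrelease.patch` version strings, compares them numerically (plain string comparison would rank 22.7R2.10 below 22.7R2.6), and classifies each appliance in a constructed inventory as patched, vulnerable, or in need of manual verification. Host names and the 22.8R2.1 build in the inventory are assumptions made for the example; the affected and fixed versions are the ones stated above.

```python
"""Triage an appliance inventory against the CVE-2025-22457 affected versions.

Added example, not Ivanti's own tooling. The affected and fixed versions come
from the advisory summary above; the inventory at the bottom is constructed.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Ivanti versions look like 22.7R2.5 or 22.8R2 (trailing patch number optional).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5) so versions compare numerically."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


class Product(NamedTuple):
    last_affected: str   # highest build the advisory lists as affected
    fixed: str           # first build carrying the fix
    note: str


ADVISORY: Dict[str, Product] = {
    "Ivanti Connect Secure": Product("22.7R2.5", "22.7R2.6", "upgrade"),
    "Pulse Connect Secure": Product("9.1R18.9", "22.7R2.6",
                                    "end-of-support: migrate to Connect Secure 22.7R2.6"),
    "Ivanti Policy Secure": Product("22.7R1.3", "22.7R1.4", "fix available from April 21"),
    "ZTA Gateways": Product("22.8R2", "22.8R2.2", "fix available from April 19"),
}


def assess(product: str, version: str) -> str:
    """Classify one appliance as 'patched', 'vulnerable', or 'verify'."""
    entry = ADVISORY[product]
    v = parse_version(version)
    if v >= parse_version(entry.fixed):
        return "patched"
    if v <= parse_version(entry.last_affected):
        return "vulnerable"
    # Between the last listed affected build and the fixed build: the summary
    # does not say, so do not guess; confirm against the vendor advisory.
    return "verify"


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each host name to its assessment."""
    return {host: assess(product, version) for host, product, version in inventory}


# Constructed inventory (host names and the 22.8R2.1 build are assumptions).
INVENTORY = [
    ("vpn-a", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-b", "Ivanti Connect Secure", "22.7R2.6"),
    ("legacy-vpn", "Pulse Connect Secure", "9.1R18.9"),
    ("nac-1", "Ivanti Policy Secure", "22.7R1.3"),
    ("zta-1", "ZTA Gateways", "22.8R2"),
    ("zta-2", "ZTA Gateways", "22.8R2.1"),
]

if __name__ == "__main__":
    for host, state in triage(INVENTORY).items():
        product = next(p for h, p, _ in INVENTORY if h == host)
        print(f"{host:12} {state:10} {ADVISORY[product].note}")
```

A "verify" result is deliberate: a build that is newer than the last one the advisory names as affected but older than the fix is not something the summary above settles, and a triage script should say so rather than silently call it safe.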
Exploitation in the Wild
Malicious Deployments
Google-owned Mandiant has provided additional insight into the exploitation of CVE-2025-22457, reporting that it observed active exploitation in mid-March 2025. The attack chain involved a multi-stage shell script dropper that ran TRAILBLAZE, an in-memory dropper, which in turn injected the passive backdoor BRUSHFIRE directly into the memory of a running web process. Keeping the backdoor in process memory is intended to evade detection while giving the attacker persistent access to the compromised appliance, from which credential theft, further network intrusion, and data exfiltration can follow.
The TRAILBLAZE and BRUSHFIRE pairing shows the tradecraft involved. TRAILBLAZE places BRUSHFIRE in the address space of the web process without writing the backdoor to storage, so scanning the filesystem alone will not find it. BRUSHFIRE is passive: rather than beaconing out to a command-and-control server, it waits for the attacker to connect inbound, so egress monitoring alone will not reveal it either. Detection therefore has to look at the running process, for memory-resident executable code that no intact file on disk accounts for, alongside the integrity checks Ivanti recommends.
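As an added example (not Mandiant's or Ivanti's code) of what looking at the running process means on a Linux host where shell or support access permits it: the following parses `/proc/<pid>/maps` output and flags executable regions that are anonymous, writable and executable at once, or backed by a file that has since been deleted, the shapes a memory-only injected payload usually takes. The map lines are constructed for illustration, and `/opt/app/bin/web` is an assumed name, not Ivanti's actual web process. JIT runtimes create legitimate anonymous executable regions, so treat hits as leads to inspect, not proof of compromise.

```python
"""Flag process memory mappings that look like injected, memory-only code.

Added example for illustration; not Ivanti or Mandiant code. It reads
/proc/<pid>/maps lines (Linux) and reports executable regions that are
anonymous, writable+executable, or backed by a file that has been deleted.
"""
import re
from dataclasses import dataclass
from typing import List

# One /proc/<pid>/maps line: address range, perms, offset, dev, inode, optional path.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Kernel-provided executable regions that are anonymous by design.
KERNEL_SPECIAL = {"[vdso]", "[vsyscall]"}


@dataclass
class Finding:
    start: int
    end: int
    perms: str
    path: str
    reason: str


def parse_maps(text: str):
    """Yield (start, end, perms, inode, path) for each well-formed maps line."""
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            yield (int(m["start"], 16), int(m["end"], 16), m["perms"],
                   int(m["inode"]), m["path"].strip())


def suspicious_regions(text: str) -> List[Finding]:
    """Return executable regions that are not backed by an intact on-disk file."""
    findings = []
    for start, end, perms, inode, path in parse_maps(text):
        if "x" not in perms or path in KERNEL_SPECIAL:
            continue
        if "w" in perms:
            reason = "writable and executable"            # classic shellcode / JIT shape
        elif inode == 0:
            reason = "anonymous executable mapping"        # no file behind the code
        elif path.endswith("(deleted)"):
            reason = "executable backed by a deleted file"  # dropped, mapped, unlinked
        else:
            continue
        findings.append(Finding(start, end, perms, path, reason))
    return findings


def scan_pid(pid: int) -> List[Finding]:
    """Scan a live process (Linux only; needs permission to read its maps)."""
    with open(f"/proc/{pid}/maps", encoding="utf-8") as fh:
        return suspicious_regions(fh.read())


# Constructed sample: a web process with one rwx anonymous region and one
# executable mapping of a file that has since been unlinked.
SAMPLE_MAPS = """\
5594d6a00000-5594d6b20000 r-xp 00000000 fd:01 1310721 /opt/app/bin/web
5594d6d20000-5594d6d21000 r--p 00120000 fd:01 1310721 /opt/app/bin/web
5594d7500000-5594d7521000 rw-p 00000000 00:00 0 [heap]
7f1c2a000000-7f1c2a1c0000 r-xp 00000000 fd:01 262150 /lib/x86_64-linux-gnu/libc.so.6
7f1c2a400000-7f1c2a410000 rwxp 00000000 00:00 0
7f1c2a600000-7f1c2a620000 r-xp 00000000 fd:01 917509 /tmp/.cache (deleted)
7ffd3e800000-7ffd3e821000 rw-p 00000000 00:00 0 [stack]
7ffd3e9ff000-7ffd3ea01000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for f in suspicious_regions(SAMPLE_MAPS):
        print(f"{f.start:x}-{f.end:x} {f.perms} {f.path or '<anonymous>'}: {f.reason}")
```

On the sample the two findings are the rwx anonymous region and the executable mapping of the unlinked `/tmp/.cache`; the `[vdso]` page is skipped because the kernel provides it. A real investigation would follow up by dumping the flagged ranges and comparing any file-backed code against the package it claims to come from.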
UNC5221 and the SPAWN Suite
The threat actor behind these attacks, tracked as UNC5221, has a history of exploiting zero-day vulnerabilities in Ivanti Connect Secure devices and is assessed to be a China-nexus espionage group. This group, along with related clusters such as UNC5266, UNC5291, UNC5325, UNC5330, UNC5337, and UNC3886, has been connected by U.S. government assessments to the activity tracked as APT27, Silk Typhoon, and UTA0178. Mandiant, however, does not independently confirm these links, citing a lack of direct evidence.
UNC5221 has been known to engage in sophisticated operations, including the zero-day exploitation of vulnerabilities such as CVE-2023-4966 affecting Citrix NetScaler devices. The group has routed its intrusion traffic through an obfuscation network of compromised devices, including Cyberoam appliances, QNAP devices, and ASUS routers, to hide its true origin, tradecraft Microsoft recently highlighted in its account of Silk Typhoon’s latest tactics. The SPAWN malware suite, which is part of these attacks, includes several components:
Response and Mitigation
Urgent Advisories
In response to the active exploitation, Ivanti and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued urgent advisories. They recommend updating immediately to the patched versions, factory resetting any compromised device before it is updated, and monitoring external Integrity Checker Tool (ICT) results and web server crashes for signs of exploitation.
CISA added CVE-2025-22457 to its Known Exploited Vulnerabilities (KEV) catalog on April 4, 2025, which requires federal civilian agencies to apply the fixes by April 11, 2025. CISA also recommends factory resetting compromised devices, isolating and disconnecting affected instances from the network, and rotating passwords. These steps contain an intrusion that has already happened rather than only closing the hole that let it in.
Federal Mandates
The KEV listing underlines the risk and the need for immediate action: federal agencies must apply the fixes by April 11, 2025, and the same isolation, reset, and password-rotation steps are strongly advised for everyone else facing ongoing exploitation attempts.
Industry experts stress independent analysis of the vulnerability and of an organization's own exposure as the basis for informed risk decisions. Against an actor like UNC5221, that means timely updates, integrity verification of edge devices, and detection that does not rely on file scanning or outbound traffic alone, since the implants described above were built to defeat both.
Broader Implications
Evolution of Threat Actor Techniques
The strategy adopted by these threat actors is to analyze patches released by vendors like Ivanti, work out what they fix, and then exploit the unpatched older versions to execute remote code. Mandiant notes that this is the first time it has observed UNC5221 exploiting an N-day (already patched and publicly known) vulnerability in Ivanti devices, a possible evolution in the group's methods: the fixed Connect Secure build 22.7R2.6 had been available since February 2025, and exploitation of unpatched appliances followed in mid-March. The window between a patch shipping and its exploitation is therefore the window organizations have to apply it.
UNC5221 has demonstrated the capacity to exploit both zero-day and N-day vulnerabilities, and its use of an obfuscation network of compromised devices complicates efforts to trace and block its activity by source address. Defending against it takes a layered approach: timely patch management, detection that looks at appliance integrity and process memory rather than only network indicators, and an understanding of the group's evolving techniques.
Continued Targeting of Edge Devices
Connect Secure appliances sit at the network edge, terminate VPN sessions, and hold the credentials and session data that come with that role, which is why they keep drawing the attention of groups such as UNC5221 and why this flaw, now patched, caused such alarm once its exploitation by a sophisticated actor came to light. Ivanti's patch and guidance address this bug, but the pattern repeats across internet-facing devices: organizations running Connect Secure, or any other edge appliance, should apply fixes as they ship, verify appliance integrity rather than assume it, and treat a device that shows signs of compromise as untrusted until it has been factory reset and rebuilt on a patched release.