
Update: Mandiant warns of attacks on newly-disclosed Ivanti remote takeover threat


Editorial note: this article has been updated to include a statement from Ivanti and additional context on the security vulnerability.

A remote code execution vulnerability in the Ivanti Connect Secure VPN platform is being actively exploited in the wild by a suspected China-nexus threat actor, prompting alerts from Google's Mandiant team.

The vulnerability, designated CVE-2025-22457, is a stack-based buffer overflow that allows a remote, unauthenticated attacker to take complete control of the target appliance, which in turn can be used as a foothold for further attacks inside the network.

Mandiant said that although a patched release is available (Connect Secure 22.7R2.6), in-the-wild exploitation of the flaw has been observed since at least mid-March. Administrators are strongly encouraged to upgrade their appliances as soon as possible.

For those concerned about a possible compromise, the Mandiant team has published indicators of compromise and YARA rules.

Ivanti issued a statement explaining the vulnerability and giving administrators instructions for remediating it.

“Network security devices and edge devices in particular are a focus of sophisticated and highly persistent threat actors, and Ivanti is committed to providing information to defenders to ensure they can take every possible step to secure their environments. To this end, in addition to providing an advisory directly to customers, Ivanti worked closely with its partner Mandiant to provide additional information regarding this recently addressed vulnerability,” Ivanti said.

“Importantly, this vulnerability was fixed in ICS 22.7R2.6, released February 11, 2025, and customers running supported versions on their appliances and in accordance with the guidance provided by Ivanti have a significantly reduced risk. Ivanti’s Integrity Checker Tool (ICT) has been successful in detecting potential compromise on a limited number of customers running ICS 9.X (end of life) and 22.7R2.5 and earlier versions.”

The attacks have been attributed to a suspected China-nexus espionage actor that Mandiant tracks as UNC5221. The group has been active since 2023 and has built a reputation for exploiting zero-day vulnerabilities in edge devices.

Calling the flaw a true “zero-day” is something of a misnomer. Mandiant said the bug had already been identified as a buffer overflow and fixed in February. At the time, however, the attacker-controlled data was believed to be restricted to a narrow character set (digits and periods), and on that basis the overflow was assessed as not usable for remote code execution, so it was treated as an ordinary bug fix rather than disclosed as a vulnerability.

UNC5221 has since shown that assessment to be wrong, and what was once considered a low-priority patch is now being treated as a critical update.
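The general lesson in the paragraphs above is that a restriction on which characters an attacker may supply is input validation, not a bounds check, and does nothing to stop a fixed-size stack buffer from being overrun. The following is an added, constructed illustration of that point; it is not Ivanti's code, not Mandiant's analysis, and says nothing about how CVE-2025-22457 was actually triggered. The 32-byte buffer, the digits-and-periods filter, the sentinel that stands in for whatever the compiler placed after the buffer, and every function name are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VER_BUF 32  /* assumed buffer size, chosen for the example */

/* Hypothetical stack layout: the version buffer followed by a sentinel that
 * stands in for whatever really sits after such a buffer (saved registers,
 * return address). Writes stay inside this struct so the demo is well-defined. */
struct frame {
    char version[VER_BUF];
    unsigned char sentinel[8];
};

static const unsigned char SENTINEL[8] = {0xDE,0xAD,0xBE,0xEF,0xCA,0xFE,0xF0,0x0D};

/* Character-set filter: only digits and periods are accepted. */
static bool charset_ok(const char *s) {
    for (; *s; s++)
        if (!((*s >= '0' && *s <= '9') || *s == '.'))
            return false;
    return true;
}

/* Vulnerable pattern: filters the character set but never checks the length.
 * Returns true if the sentinel survived the copy, false if it was clobbered. */
bool copy_version_filtered_only(const char *input) {
    struct frame f;
    memset(f.version, 0, sizeof f.version);
    memcpy(f.sentinel, SENTINEL, sizeof f.sentinel);
    if (!charset_ok(input))
        return true;                       /* rejected; nothing written */
    size_t n = strlen(input) + 1;          /* strcpy-like: copies the NUL too */
    if (n > sizeof f)
        n = sizeof f;                      /* keep the demo inside the frame */
    memcpy((unsigned char *)&f, input, n); /* overruns into the sentinel when n > VER_BUF */
    return memcmp(f.sentinel, SENTINEL, sizeof f.sentinel) == 0;
}

/* Hardened pattern: same filter plus an explicit bound on the destination.
 * Returns 0 on success, -1 if the input is rejected. */
int copy_version_bounded(char *out, size_t outsz, const char *input) {
    if (!charset_ok(input))
        return -1;
    size_t len = strnlen(input, outsz);
    if (len >= outsz)
        return -1;                         /* no room for the terminating NUL */
    memcpy(out, input, len + 1);
    return 0;
}

/* Builds a filter-passing input that is longer than the buffer. */
static const char *long_numeric_input(void) {
    static char s[VER_BUF + 8];
    memset(s, '1', sizeof s - 1);
    s[sizeof s - 1] = '\0';
    return s;
}

/* Scenario helpers with no arguments, so results can be checked by name. */
bool demo_short_input_keeps_sentinel(void)  { return copy_version_filtered_only("22.7.2.6"); }
bool demo_long_input_clobbers_sentinel(void) { return copy_version_filtered_only(long_numeric_input()); }
int  demo_bounded_accepts_short(void) {
    char out[VER_BUF];
    return copy_version_bounded(out, sizeof out, "22.7.2.6") == 0 && strcmp(out, "22.7.2.6") == 0;
}
int  demo_bounded_rejects_long(void) {
    char out[VER_BUF];
    return copy_version_bounded(out, sizeof out, long_numeric_input());
}

int main(void) {
    printf("filter only, short input : sentinel intact = %d\n", demo_short_input_keeps_sentinel());
    printf("filter only, long input  : sentinel intact = %d\n", demo_long_input_clobbers_sentinel());
    printf("bounded, short input     : accepted = %d\n", demo_bounded_accepts_short());
    printf("bounded, long input      : rc = %d\n", demo_bounded_rejects_long());
    return 0;
}
```

The filter-only path accepts the 39-digit input because every byte is a digit, then writes past the 32-byte buffer and overwrites the sentinel; the bounded path rejects the same input before copying anything. Whether an overrun that is limited to a narrow character set is exploitable depends on what lies beyond the buffer and how the program uses it, which is precisely the kind of judgement the February assessment got wrong.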

Mandiant researchers John Wolfram, Michael Edie, Jacob Thompson, Matt Lin and Josh Murchie said this is also a worrying development for network defenders, as it shows UNC5221 broadening its approach beyond zero-days.

“This campaign, exploiting the n-day vulnerability CVE-2025-22457, also highlights the persistent focus of actors like UNC5221 on edge devices, leveraging deep device knowledge and adding to their history of using both zero-day and now n-day flaws,” the researchers explained.

Alongside the exploit, the group is also fielding a pair of new malware tools. The researchers identified a new in-memory dropper known as TRAILBLAZE and a backdoor known as BRUSHFIRE. Both are described as designed for stealth and prolonged espionage operations.

The group also continues to use the SPAWN malware family, which Mandiant had already tied to UNC5221 and to other suspected Chinese state-sponsored espionage operations.

The Mandiant team warned that these new stealthy malware samples combined with the expanded exploit toolkit should put organizations on notice and prompt renewed vigilance.

“This activity aligns with the broader strategy Google Threat Intelligence Group has observed among suspected China-nexus espionage groups who invest significantly in exploits and custom malware for critical edge infrastructure.”

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
