Ivanti is reporting that a suspected Chinese state-sponsored threat actor, tracked as UNC5221, has been exploiting a zero-day vulnerability in its Connect Secure VPN solution since mid-March 2025.
The vulnerability, designated CVE-2025-22457, is a stack-based overflow weakness that was initially mistaken for a harmless bug, but further investigation revealed it could allow unauthenticated remote threat actors to execute code on affected systems.
CVE-2025-22457 impacts:
- Ivanti Connect Secure versions prior to 22.7R2.6
- Ivanti Policy Secure versions prior to 22.7R2.6
- Ivanti Neurons for ZTA gateways (specific affected version numbers were not provided)
UNC5221 was observed exploiting CVE-2025-22457 to deploy its TRAILBLAZE dropper and BRUSHFIRE backdoor, enabling long-term espionage on targeted systems.
Ivanti released the fix in Connect Secure version 22.7R2.6 on April 1, 2025, and stated that updates for Policy Secure and ZTA gateways will be made available later in April. Until then, affected users are urged to monitor systems closely and use the Integrity Checker Tool to detect signs of compromise.
Source: Bleeping Computer
Analysis
UNC5221 is a cyber-espionage group linked to China, known for targeting vulnerabilities in edge network devices, particularly VPN appliances. Active since at least 2023, they have exploited multiple zero-day vulnerabilities in Ivanti products, including CVE-2023-46805, CVE-2024-21887, CVE-2025-0282, and CVE-2025-0283.
Their operations often involve deploying custom malware, such as the TRAILBLAZE dropper and the BRUSHFIRE backdoor, to maintain persistent access and evade detection. UNC5221's consistent focus on edge devices underscores their strategic objective of infiltrating enterprise networks through critical infrastructure components.
Ivanti Connect Secure is no stranger to zero-day vulnerabilities targeted by nation-state actors to deploy various custom malware strains. For example, in January 2025, Ivanti reported that threat actors were observed exploiting a zero-day Connect Secure vulnerability discovered when Ivanti’s Integrity Checker Tool (ICT) detected malicious activity on customer appliances. The vulnerability, later designated CVE-2025-0282 and rated critical, was another stack-based buffer overflow bug that could allow a remote, unauthenticated threat actor to execute code on the device.
The exploitation of critical vulnerabilities, many of them as zero-days, in Ivanti products led the company to implement a rigorous code review regime, which it credited with proactively discovering multiple vulnerabilities. The company also released an enhanced version of its external ICT to provide additional visibility and protection for customers against evolving threat actor techniques related to previously disclosed vulnerabilities.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software like Ivanti Connect Secure. Field Effect MDR users are automatically notified if a vulnerable or end-of-life version of Connect Secure is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly recommends that users of affected Connect Secure appliances run Ivanti’s ICT to scan for signs of compromise and perform a factory reset before updating to the latest version as soon as possible, in accordance with Ivanti’s advisory.
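As an added example (not code from the original article, from Field Effect, or from Ivanti's tooling), the following Python snippet triages an appliance inventory against the 22.7R2.6 fixed release named above, flagging Connect Secure and Policy Secure versions that are still below it. It assumes Ivanti's version format is <major>.<minor>R<release>[.<patch>]; the hostnames and version strings in the sample inventory are constructed.

```python
import re
from typing import Iterable, List, Tuple

# Fixed release named in the advisory for CVE-2025-22457.
# Versions strictly older than this are affected.
FIXED_VERSION = "22.7R2.6"

# Assumed Ivanti version layout: <major>.<minor>R<release>[.<patch>]
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")


def parse_ivanti_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.6' into a comparable tuple (22, 7, 2, 6).

    A missing patch component is treated as 0, so '22.7R2' sorts
    below '22.7R2.1'. Raises ValueError for unrecognised strings
    rather than guessing, so nothing is silently marked safe.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is strictly older than the fixed release."""
    return parse_ivanti_version(version) < parse_ivanti_version(fixed)


def triage_inventory(inventory: Iterable[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Split (hostname, version) pairs into still-affected hosts and
    hosts whose version string could not be parsed (needs manual review)."""
    affected, unknown = [], []
    for host, version in inventory:
        try:
            if is_affected(version):
                affected.append(host)
        except ValueError:
            unknown.append(host)
    return affected, unknown


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [("vpn-01", "22.7R2.5"), ("vpn-02", "22.7R2.6"),
              ("vpn-03", "22.7R1"), ("vpn-04", "9.1R18.9"),
              ("vpn-05", "build-unknown")]
    print(triage_inventory(sample))
```

Hosts returned in the second list should be inspected by hand rather than assumed patched; a version string the parser cannot read is not evidence of a fixed build.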