- Ivanti recently patched a critical severity flaw in Connect Secure VPN
- Mandiant says the bug is being used in the wild by Chinese actors
- Two new malware strains were discovered
Ivanti has recently patched a critical severity vulnerability found in its Connect Secure (ICS) VPN appliances which was allegedly being abused in the wild by Chinese state-sponsored actors.
Researchers at Mandiant published a new security advisory stating Ivanti discovered and fixed a buffer overflow vulnerability in ICS 9.X (unsupported) and 22.7R2.5 and earlier versions. The vulnerability is tracked as CVE-2025-22457, and carries a severity score of 9.0/10 (critical).
At first, no one was aware of the bug’s disruptive potential, Mandiant explained, but later – evidence of remote code execution (RCE) attacks were discovered.
Cyber-espionage
In these attacks, allegedly conducted by a threat actor tracked as UNC5221, two new malware variants were used: TRAILBLAZE, and BUSHFIRE.
The former is an in-memory only dropper, while the latter is a passive backdoor. Furthermore, the researchers saw cybercriminals dropping malware from the SPAWN ecosystem, as well.
UNC5221 is a known, China-nexus espionage actor that was observed, on multiple occasions, targeting vulnerable Ivanti instances. For example, in early January this year, Ivanti said it saw two flaws – CVE-2025-0282 and CVE-2025-0283 – being abused by this threat actor. Both were impacting Ivanti Connect Secure VPN appliances.
In these attacks, SPAWN variants were also used.
Mandiant says that this CVE was probably first used in mid-March 2025, a month after the patch was released.
“We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution,” the researchers said.
Ivanti has released fixes for the exploited vulnerabilities and its customers are advised to upgrade their endpoints without hesitation, since the flaws are being actively targeted.
Leave a comment