China-Linked UNC5221 Exploits Ivanti Connect Secure Zero-Day Vulnerability Since Mid-March 2025

Discover how the China-linked group UNC5221 has exploited a critical zero-day vulnerability in Ivanti Connect Secure since mid-March 2025. Learn about the impact, mitigation strategies, and the importance of timely security updates.

TL;DR

The China-linked group UNC5221 has been exploiting a critical zero-day vulnerability in Ivanti Connect Secure since mid-March 2025. This vulnerability, tracked as CVE-2025-22457, allows for remote code execution and has been addressed by Ivanti through security updates. Administrators are urged to apply the latest patches and monitor their systems for any signs of compromise.

Main Content

Critical Remote Code Execution Flaw in Ivanti Connect Secure Exploited Since Mid-March 2025

Ivanti recently released security updates to address a critical remote code execution vulnerability in Connect Secure, tracked as CVE-2025-22457. This vulnerability has been actively exploited by a China-linked threat actor, UNC5221, since at least mid-March 2025 [1].

Vulnerability Details and Impact

The vulnerability is a stack-based buffer overflow that allows for remote unauthenticated code execution. It affects the following versions of Ivanti software:

  • Ivanti Connect Secure (version 22.7R2.5 and earlier)
  • Pulse Connect Secure 9.x (end-of-support as of December 31, 2024)
  • Ivanti Policy Secure
  • ZTA gateways

Ivanti addressed the vulnerability with the release of Connect Secure 22.7R2.6 on February 11, 2025.

Exploitation and Mitigation

Ivanti has acknowledged that a limited number of customers using vulnerable versions of Connect Secure and Pulse Connect Secure have been exploited. The company’s advisory states:

“We are aware of a limited number of customers whose Ivanti Connect Secure (22.7R2.5 and earlier) and End-of-Support Pulse Connect Secure 9.1x appliances have been exploited at the time of disclosure. The vulnerability is a buffer overflow with characters limited to periods and numbers; it was evaluated and determined not to be exploitable as remote code execution and didn’t meet the requirements of denial of service. However, Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild. We encourage all customers to ensure they are running Ivanti Connect Secure 22.7R2.6 as soon as possible, which remediates the vulnerability.”

Ivanti will release security patches for ZTA and Policy Secure gateways on April 19 and 21. Administrators are advised to monitor Integrity Checker Tool (ICT) logs for web server crashes and reset compromised devices before redeploying them with version 22.7R2.6.
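As an added example that is not part of the original post and not Ivanti's own tooling, the following Python script applies the version boundaries stated above to a constructed appliance inventory: Connect Secure at 22.7R2.5 or earlier is flagged as vulnerable, 22.7R2.6 or later as patched, end-of-support Pulse Connect Secure 9.1x as vulnerable with no fix available, and Policy Secure / ZTA gateways as awaiting the April patches. The version-string parser, the product labels and the host names are assumptions made for this example (the parser only follows the `22.7R2.5` shape used in the advisory, not a documented Ivanti format).

```python
import re
from dataclasses import dataclass

# Fix version named in the Ivanti advisory: Connect Secure 22.7R2.6.
FIXED_ICS = (22, 7, 2, 6)

# Assumed shape of Ivanti version strings: MAJOR.MINOR R RELEASE [.PATCH],
# e.g. "22.7R2.5" or "22.7R2". This is an assumption for the example.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_ics_version(text):
    """Parse '22.7R2.5' into a comparable tuple (22, 7, 2, 5).

    A missing patch component (e.g. '22.7R2') is treated as patch 0 so that
    it still sorts below 22.7R2.6. Raises ValueError on unrecognised input
    rather than silently treating a bad string as patched.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


@dataclass
class Appliance:
    host: str
    product: str   # assumed labels: "ICS", "PCS", "IPS", "ZTA"
    version: str


def assess(appliance):
    """Classify one appliance against the CVE-2025-22457 advisory."""
    if appliance.product == "PCS":
        # Pulse Connect Secure 9.x is end-of-support: no patch will ship,
        # so every 9.x build is treated as vulnerable.
        return "VULNERABLE_NO_FIX"
    if appliance.product in ("IPS", "ZTA"):
        # Policy Secure and ZTA gateway patches were announced for April.
        return "PATCH_PENDING"
    if appliance.product == "ICS":
        if parse_ics_version(appliance.version) < FIXED_ICS:
            return "VULNERABLE"
        return "PATCHED"
    return "UNKNOWN_PRODUCT"


def triage(inventory):
    """Return {host: status} for a list of Appliance records.

    Unparseable version strings are reported as INVALID_VERSION so that a
    bad inventory entry is surfaced instead of dropped.
    """
    result = {}
    for app in inventory:
        try:
            result[app.host] = assess(app)
        except ValueError:
            result[app.host] = "INVALID_VERSION"
    return result


def needs_action(inventory):
    """Hosts that are not confirmed patched, sorted for a work list."""
    return sorted(h for h, s in triage(inventory).items() if s != "PATCHED")


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    Appliance("vpn-edge-01", "ICS", "22.7R2.5"),
    Appliance("vpn-edge-02", "ICS", "22.7R2.6"),
    Appliance("vpn-edge-03", "ICS", "22.7R2"),
    Appliance("vpn-legacy-01", "PCS", "9.1R18.9"),
    Appliance("nac-01", "IPS", "22.7R1"),
    Appliance("vpn-edge-04", "ICS", "22.7-R2.5"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:15} {status}")
    print("needs action:", needs_action(SAMPLE_INVENTORY))
```

The comparison is a plain tuple comparison, so a later build such as 22.7R2.10 sorts above 22.7R2.6 correctly; a string comparison would not. Anything the parser cannot read is reported as INVALID_VERSION rather than being treated as safe, which is the failure mode an inventory check should prefer.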

Threat Actor UNC5221 and Malware Deployment

According to Google’s Threat Analysis Group (TAG), the threat actor UNC5221 has been exploiting this vulnerability since March 2025 to deploy various malware, including TRAILBLAZE, BRUSHFIRE, and SPAWN [2].

Google TAG reports:

“Following successful exploitation, we observed the deployment of two newly identified malware families, the TRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor. Additionally, deployment of the previously reported SPAWN ecosystem of malware attributed to UNC5221 was also observed. UNC5221 is a suspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge devices dating back to 2023.”

Conclusion

The exploitation of the Ivanti Connect Secure vulnerability by UNC5221 highlights the importance of timely security updates and vigilant monitoring. Administrators should prioritize applying the latest patches and ensure their systems are protected against such threats.

References

  1. National Vulnerability Database (2025). “Ivanti Releases Security Updates for Critical Vulnerability”. Retrieved 2025-04-03.

  2. Google Threat Analysis Group (2025). “China-Nexus Exploiting Critical Ivanti Vulnerability”. Google Cloud. Retrieved 2025-04-03.

This post is licensed under CC BY 4.0 by the author.