
Critical Ivanti Bug Used to Deploy New Malware


A China-aligned cyber-espionage group is actively exploiting a previously patched, now critical, Ivanti flaw in its secure access technologies, according to new research. The attackers are using the flaw to infiltrate enterprise networks and drop two never-before-seen malware families on compromised systems, prompting urgent warnings for organizations to upgrade and secure affected devices.

The exploited vulnerability—now tracked as CVE-2025-22457—was initially disclosed and patched by Ivanti in February. At the time, it was considered a low-risk buffer overflow bug. But that evaluation has dramatically changed. On April 3, Ivanti issued a new advisory, upgrading the flaw’s severity to “critical,” with a CVSS score of 9.0. The company now confirms that the vulnerability is being used in active attacks to execute arbitrary code on Ivanti Connect Secure, Policy Secure, and ZTA gateway products.

According to Ivanti, initial testing concluded the buffer overflow could not be leveraged for remote code execution (RCE) due to character restrictions: it only accepted periods and numbers. But attackers proved otherwise. Security analysts from Mandiant, who partnered with Ivanti to investigate the breach, discovered the sophisticated method used to exploit the bug. The attackers managed to bypass the limitations and turn the vulnerability into a reliable RCE exploit, likely by analyzing code differences between the patched and unpatched versions.

Mandiant has attributed the campaign to a threat actor it tracks as UNC5221, a group believed to be operating out of China. The group began exploiting the flaw almost immediately after Ivanti’s February patch was released. Once inside the system, they dropped a two-stage malware payload: the first, dubbed Trailblaze, operates as an in-memory dropper; the second, Brushfire, is a passive backdoor that gives persistent access to the compromised environment.

UNC5221 also deployed several familiar tools from previous campaigns, including:

  • Spawnsloth – a log-manipulating utility
  • Spawnsnare – an encryption tool
  • Spawnant – a malware installer used to further entrench their access

Ivanti confirmed that these attacks have impacted a limited number of customers using Connect Secure version 22.7R2.5 or earlier and Pulse Connect Secure 9.1x, which officially reached end-of-life in December 2024. While there is no evidence yet that Policy Secure or ZTA products have been exploited, Ivanti warns that those platforms remain potentially vulnerable and should be patched as a precaution.

Urgent Mitigation Required

Organizations using affected versions of Ivanti Connect Secure are urged to immediately upgrade to version 22.7R2.6, released earlier this year. If a device shows signs of compromise, Ivanti recommends performing a full factory reset before re-deploying the upgraded firmware.

Patches for Ivanti Policy Secure are expected by April 21, while a fix for Ivanti ZTA gateways is set to roll out automatically by April 19. Companies still running Pulse Connect Secure 9.1x are strongly advised to migrate to supported alternatives without delay, as those devices are no longer receiving security updates.
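The guidance above boils down to a version check against Ivanti's "major.minorRrelease.patch" naming scheme. The following script is an added illustration, not Ivanti's or Mandiant's code: it parses those version strings, flags Connect Secure builds at or below 22.7R2.5 as needing the 22.7R2.6 upgrade, treats the Pulse Connect Secure 9.1x train as end-of-life, and triages a constructed sample inventory (hostnames are made up).

```python
import re

# Thresholds taken from the advisory as reported in the article; the code itself is an added example.
LAST_AFFECTED_CONNECT_SECURE = "22.7R2.5"   # this build and anything earlier is affected
FIXED_CONNECT_SECURE = "22.7R2.6"           # first fixed build
EOL_PULSE_TRAIN = (9, 1)                    # Pulse Connect Secure 9.1x: end-of-life, no fix will ship

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn '22.7R2.5' into the comparable tuple (22, 7, 2, 5); a missing patch number counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(version):
    """Classify one Connect Secure / Pulse Connect Secure build against the CVE-2025-22457 guidance."""
    v = parse_version(version)
    if v[:2] == EOL_PULSE_TRAIN:
        return "eol"            # migrate off 9.1x; no security updates are coming
    if v <= parse_version(LAST_AFFECTED_CONNECT_SECURE):
        return "affected"       # upgrade to 22.7R2.6; factory reset first if compromise is suspected
    return "ok"


def triage(inventory):
    """Return (hostname, version, verdict) for every appliance that needs action."""
    return [(host, ver, assess(ver)) for host, ver in inventory if assess(ver) != "ok"]


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("vpn-hq-01", "22.7R2.6"),
    ("vpn-hq-02", "22.7R2.5"),
    ("vpn-branch-01", "22.6R2.3"),
    ("legacy-pcs-01", "9.1R18.9"),
]

if __name__ == "__main__":
    for host, ver, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:15} {ver:10} {verdict}")
```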

This is not the first time UNC5221 has targeted Ivanti technologies. Earlier in 2025, Mandiant identified the same group exploiting two Ivanti zero-days—CVE-2025-0282 and CVE-2025-0283—to breach Connect Secure VPNs. One of those flaws is still being actively used to distribute malware dubbed Resurge, according to a recent alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

In 2024, UNC5221 also exploited two more Ivanti zero-days—CVE-2023-46805 and CVE-2024-21887—to install custom web shells and maintain long-term access in enterprise networks.

UNC5221’s repeated focus on Ivanti’s secure access products highlights a growing trend among advanced persistent threat (APT) groups: targeting edge devices like VPNs, firewalls, and network gateways. These systems often operate with elevated privileges and sit at critical network chokepoints, making them valuable assets for attackers seeking to evade detection and move laterally within organizations.

Once compromised, these devices can be used to deploy additional payloads, exfiltrate data, and even disable internal security tools. This latest campaign is a reminder that even vulnerabilities previously deemed “low risk” can be weaponized under the right circumstances, especially when exploited by highly skilled actors.

As Matt Lin, senior consultant at Mandiant, puts it: “This should be a wake-up call. The initial assumption was that this vulnerability was too limited to be dangerous. But with time, attackers found a way to weaponize it—and they will do it again.”
