
Alert! Chinese hackers are actively exploiting an Ivanti Connect Secure vulnerability

Exploitation of the newly disclosed remote code execution bug CVE-2025-22457 may have been occurring since mid-March.


Just a day after software firm Ivanti disclosed a critical vulnerability in several of its gateway products, the Mandiant Incident Response team has revealed that hackers – most likely with links to China – have been exploiting the bug to deploy two newly discovered forms of malware.

Ivanti disclosed CVE-2025-22457 on 3 April, explaining that a stack-based buffer overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways could lead to remote code execution.

“This vulnerability has been remediated in Ivanti Connect Secure 22.7R2.6 (released February 11, 2025) and was initially identified as a product bug,” Ivanti said in its advisory.

However, Ivanti said it was aware that customers were continuing to use Pulse Connect Secure 9.1x, which went end-of-life in December 2024, and that these devices were being actively exploited.

“At the time of disclosure, we are not aware of any exploitation of Policy Secure or ZTA gateways, which have meaningfully reduced risk from this vulnerability,” Ivanti said.

The following product versions are currently vulnerable:

  • Ivanti Connect Secure 22.7R2.5 and prior
  • Pulse Connect Secure (End-of-Support) 9.1R18.9 and prior
  • Ivanti Policy Secure 22.7R1.3 and prior
  • ZTA Gateways 22.8R2 and prior
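The list above is what a defender actually has to act on, so here is an added example (not code from the article, Ivanti or Mandiant) that turns it into an inventory check. It assumes Ivanti builds are written `<major>.<minor>R<release>[.<patch>]` (as in "22.7R2.5" or "9.1R18.9") and that "and prior" means every build that sorts at or below the listed one in that ordering; the product names, thresholds and the 22.7R2.6 fixed build are copied from the text on this page, and the hostnames in the sample inventory are made up. Confirm the thresholds against the vendor advisory before relying on them.

```python
"""
Added example, not from the article or the vendor: classify an Ivanti / Pulse
gateway build against the "currently vulnerable" list for CVE-2025-22457.

Assumptions: build strings look like "22.7R2.5", "9.1R18.9" or "22.8R2", and
"and prior" means any build sorting at or below the listed one.
"""
import re
from typing import Tuple

# Last affected build per product line, copied from the article's list.
LAST_AFFECTED = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Pulse Connect Secure": "9.1R18.9",   # end-of-support line, per the advisory
    "Ivanti Policy Secure": "22.7R1.3",
    "ZTA Gateways": "22.8R2",
}

# Remediated Connect Secure build named in the advisory text quoted on this page.
FIXED_CONNECT_SECURE = "22.7R2.6"

# <major>.<minor>R<release>[.<patch>]  (assumed format, see lead-in)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch field counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti build string: {text!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_affected(product: str, version: str) -> bool:
    """True if `version` sorts at or below the last affected build for `product`."""
    if product not in LAST_AFFECTED:
        raise ValueError(f"unknown product {product!r}; expected one of {sorted(LAST_AFFECTED)}")
    return parse_version(version) <= parse_version(LAST_AFFECTED[product])


def triage(product: str, version: str) -> str:
    """One-line recommendation for an inventory row, following the advisory wording."""
    if not is_affected(product, version):
        return f"{product} {version}: not in the affected range listed for CVE-2025-22457"
    if product == "Pulse Connect Secure":
        return (f"{product} {version}: affected, end-of-support and actively exploited; "
                "no fixed 9.1x build is named in the advisory")
    if product == "Ivanti Connect Secure":
        return (f"{product} {version}: affected; upgrade to {FIXED_CONNECT_SECURE} "
                "and run the ICT before trusting the appliance")
    return f"{product} {version}: affected; apply the vendor fix for this product line"


if __name__ == "__main__":
    # Constructed inventory rows (hostnames are made up) to show the check running.
    inventory = [
        ("vpn-syd-1", "Ivanti Connect Secure", "22.7R2.5"),
        ("vpn-syd-2", "Ivanti Connect Secure", "22.7R2.6"),
        ("legacy-vpn", "Pulse Connect Secure", "9.1R18.9"),
        ("nac-1", "Ivanti Policy Secure", "22.7R1.4"),
        ("zta-edge", "ZTA Gateways", "22.8R2"),
    ]
    for host, product, version in inventory:
        print(f"{host:>10}: {triage(product, version)}")
```

Note that a version check only tells you whether a box was exposed, not whether it was hit; per the Rapid7 guidance quoted further down, an appliance in the affected range that shows any sign of compromise should be factory reset regardless of what the ICT reports.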

Mandiant’s 4 April update goes into more detail on the nature of the exploitation, which it attributes to UNC5221, a China-nexus advanced persistent threat group.

“This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups,” Charles Carmakal, Mandiant Consulting’s chief technology officer, said in a 4 April statement.

“These actors will continue to research security vulnerabilities and develop custom malware for enterprise systems that don’t support EDR solutions. The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase, and these actors are better than ever.”

The two new malware families Mandiant has observed are tracked as Trailblaze and Brushfire; both are being used alongside the previously known Spawn malware family.

Trailblaze is a small in-memory dropper, built to be compact enough to be embedded Base64-encoded inside a shell script. Its job is to inject the Brushfire backdoor into a running process; Brushfire can then receive and execute further malicious shellcode.

Two Spawn-family components also feature in the campaign: SpawnSloth can disable local and remote logging, while SpawnSnare can extract an uncompressed Linux kernel image and then encrypt it.

The Google Threat Intelligence Group has observed UNC5221 targeting similar vulnerabilities in the past, and its tooling matches that observed in the current campaign.

“GTIG assesses that UNC5221 will continue pursuing zero-day exploitation of edge devices based on their consistent history of success and aggressive operational tempo,” Mandiant said in a blog post.

“Additionally, as noted in our prior blog post detailing CVE-2025-0282 exploitation, GTIG has observed UNC5221 leveraging an obfuscation network of compromised Cyberoam appliances, QNAP devices, and ASUS routers to mask their true source during intrusion operations.”

According to cyber security firm Rapid7, Ivanti customers “should apply the available Ivanti Connect Secure patch immediately, without waiting for a typical patch cycle to occur”.

“Ivanti’s advisory notes that ‘Customers should monitor their external ICT and look for web server crashes. If your ICT result shows signs of compromise, you should perform a factory reset on the appliance and then put the appliance back into production using version 22.7R2.6.’ Notably, ICT results may vary; a factory reset should be performed if exploitation is suspected, regardless of ICT results,” Rapid7 said.

David Hollingworth


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
