Ivanti patches Connect Secure zero-day exploited since mid-March

April 3, 2025


Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025.

Tracked as CVE-2025-22457, this critical security flaw is due to a stack-based buffer overflow weakness. It impacts Pulse Connect Secure 9.1x (which reached end-of-support in December), Ivanti Connect Secure 22.7R2.5 and earlier, Policy Secure, and Neurons for ZTA gateways.

According to Ivanti’s advisory, remote threat actors can exploit it in high-complexity attacks that don’t require authentication or user interaction. The company patched the vulnerability on February 11, 2025, with the release of Ivanti Connect Secure 22.7R2.6 after initially tagging it as a product bug.

“The vulnerability is a buffer overflow with characters limited to periods and numbers, it was evaluated and determined not to be exploitable as remote code execution and didn’t meet the requirements of denial of service,” Ivanti said on Thursday.

“However, Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild. We encourage all customers to ensure they are running Ivanti Connect Secure 22.7R2.6 as soon as possible, which remediates the vulnerability.”

While security patches for ZTA and Ivanti Policy Secure gateways are still in development and will be released on April 19 and April 21, respectively, Ivanti said that it’s “not aware of any exploitation” targeting these gateways, which it also said have a “meaningfully reduced risk from this vulnerability.”

Ivanti also advised admins to monitor their external Integrity Checker Tool (ICT) and look for web server crashes. If any signs of compromise are discovered, admins should factory reset impacted appliances and put them back in production using software version 22.7R2.6.

| Product Name | Affected Version(s) | Resolved Version(s) | Patch Availability |
|---|---|---|---|
| Ivanti Connect Secure | 22.7R2.5 and prior | 22.7R2.6 (released February 2025) | Download Portal |
| Pulse Connect Secure (EoS) | 9.1R18.9 and prior | 22.7R2.6 | Contact Ivanti to migrate |
| Ivanti Policy Secure | 22.7R1.3 and prior | 22.7R1.4 | April 21 |
| ZTA Gateways | 22.8R2 and prior | 22.8R2.2 | April 19 |
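As an added example (not from the article or from Ivanti), the following Python helper parses Ivanti's version strings and checks an appliance inventory against the resolved versions in the table above, so an admin can see which devices still need the fix. The product keys, hostnames and the inventory are constructed for illustration.

```python
import re
from typing import List, Tuple

# Resolved versions per product, taken from Ivanti's advisory table for CVE-2025-22457.
# Pulse Connect Secure is end-of-support; the fix is to migrate to ICS 22.7R2.6.
RESOLVED = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Pulse Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.4",
    "ZTA Gateways": "22.8R2.2",
}

# Ivanti versions look like <major>.<minor>R<release>[.<maintenance>], e.g. 22.7R2.5 or 9.1R18.9.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an Ivanti version string into a comparable tuple; a missing maintenance number is 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, maint = m.groups()
    return (int(major), int(minor), int(release), int(maint or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True if the appliance runs anything older than the resolved version for its product."""
    return parse_version(version) < parse_version(RESOLVED[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (hostname, product, version, resolved_version) for every device still needing the fix."""
    return [(h, p, v, RESOLVED[p]) for h, p, v in inventory if is_vulnerable(p, v)]


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("vpn-1.example.test", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-2.example.test", "Ivanti Connect Secure", "22.7R2.6"),
    ("legacy-vpn.example.test", "Pulse Connect Secure", "9.1R18.9"),
    ("nac-1.example.test", "Ivanti Policy Secure", "22.7R1.3"),
    ("zta-1.example.test", "ZTA Gateways", "22.8R2"),
    ("zta-2.example.test", "ZTA Gateways", "22.8R2.2"),
]

if __name__ == "__main__":
    for host, product, version, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected; upgrade to {fixed}")
```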

Attacks linked to UNC5221 Chinese-nexus cyberspies

While Ivanti has yet to disclose more details regarding CVE-2025-22457 attacks, Mandiant and Google Threat Intelligence Group (GTIG) security researchers revealed today that a suspected China-nexus espionage actor tracked as UNC5221 has exploited the vulnerability since at least mid-March 2025.

“Following successful exploitation, we observed the deployment of two newly identified malware families, the TRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor. Additionally, deployment of the previously reported SPAWN ecosystem of malware attributed to UNC5221 was also observed,” Mandiant said.

“We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution.”

UNC5221 is known for targeting zero-day vulnerabilities in network edge devices since 2023, including various Ivanti and NetScaler appliances. Most recently, the Chinese hackers exploited CVE-2025-0282, another Ivanti Connect Secure buffer overflow, to drop new Dryhook and Phasejam malware on compromised VPN appliances.

One year ago, the hacking group also chained two Connect Secure and Policy Secure zero-days (CVE-2023-46805 and CVE-2024-21887) to remotely execute arbitrary commands on targeted ICS VPN and IPS network access control (NAC) appliances. One of their victims was the MITRE Corporation, which disclosed the breach in April 2024.

Threat intelligence company Volexity said in January 2024 that UNC5221 had backdoored over 2,100 Ivanti appliances using the GIFTEDVISITOR webshell in attacks chaining the two zero-days.

As CISA and the FBI warned in January 2025, attackers are still breaching vulnerable networks using exploits targeting Ivanti Cloud Service Appliances (CSA) security vulnerabilities patched since September.

Multiple other Ivanti security flaws have been exploited as zero-days over the last year in widespread attacks against the company’s VPN appliances and ICS, IPS, and ZTA gateways.
