A previously unknown remote code execution vulnerability in the Ivanti Connect Secure VPN platform is being actively exploited in the wild by Chinese threat actors, prompting alerts from Google’s Mandiant team.

The vulnerability, designated CVE-2025-22457, allows an attacker to take complete control of the target appliance, potentially enabling further attacks within the network.

Mandiant said that while a patch for the flaw is available (22.7R2.6), in-the-wild exploits of the flaw have been deployed since at least mid-March. Administrators are strongly encouraged to update their firmware as soon as possible.

For those concerned about a possible attack, the Mandiant team has posted indicators of compromise and YARA rules.

The attacks have been attributed to a state-backed Chinese threat actor known as UNC5221. The group has been active since 2023 and has gained a reputation for targeting zero-day vulnerabilities.

Calling the flaw a true “zero-day” is a bit of a misnomer. Mandiant said the bug had previously been identified as a buffer overflow and patched back in February. At the time, however, it was believed that the overflow allowed only a limited number of characters, meaning an attacker would not be able to use it for code execution.

Unfortunately, UNC5221 has proven that to be false, and what was once considered a low-priority patch deployment is now seen as a critical update.

Mandiant researchers John Wolfram, Michael Edie, Jacob Thompson, Matt Lin and Josh Murchie said this is also a worrying development for network defenders, as it shows the UNC5221 group has begun broadening its horizons.

“This campaign, exploiting the n-day vulnerability CVE-2025-22457, also highlights the persistent focus of actors like UNC5221 on edge devices, leveraging deep device knowledge and adding to their history of using both zero-day and now n-day flaws,” the researchers explained.

In addition to a new exploit, the Chinese group is also sporting a pair of new malware tools in its arsenal. The researchers spotted a new in-memory malware dropper known as TRAILBLAZE and a backdoor known as BRUSHFIRE. Both samples are said to be designed for stealth and prolonged espionage operations.

Additionally, the group employs a known malware bundle called SPAWN that was already associated with UNC5221 and other Chinese state-sponsored espionage attacks.

The Mandiant team warned that these new stealthy malware samples, combined with the expanded exploit toolkit, should put organizations on notice and prompt renewed vigilance.

“This activity aligns with the broader strategy Google Threat Intelligence Group has observed among suspected China-nexus espionage groups who invest significantly in exploits and custom malware for critical edge infrastructure.”
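Since the only firmware-level defence named here is being on the fixed release (22.7R2.6), a practical first step is to triage an appliance inventory against that version. The script below is an added example, not Mandiant's or Ivanti's code; it assumes Connect Secure version strings follow the <major>.<minor>R<release>[.<patch>] pattern seen in "22.7R2.6", and the inventory hostnames and versions are constructed.

```python
import re

# Fixed release named in the article; anything older is flagged for update.
PATCHED_VERSION = "22.7R2.6"

# Assumed version format: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.6
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_ics_version(version: str) -> tuple[int, int, int, int]:
    """Parse a Connect Secure version into a comparable tuple.

    A missing patch component counts as 0, so '22.7R2' sorts before
    '22.7R2.6'; anything not matching the assumed pattern raises ValueError
    instead of being compared as a plain string (where '9.1' > '22.7').
    """
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Connect Secure version: {version!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def needs_update(version: str, fixed: str = PATCHED_VERSION) -> bool:
    """True when the running firmware is older than the fixed release."""
    return parse_ics_version(version) < parse_ics_version(fixed)


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket an {appliance: version} inventory into update / ok / unknown.

    Unparseable versions are reported rather than dropped: an appliance whose
    version cannot be read is exactly the one to inspect by hand.
    """
    result: dict[str, list[str]] = {"update": [], "ok": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "update" if needs_update(version) else "ok"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "vpn-hq": "22.7R2.6",
    "vpn-branch": "22.7R2.5",
    "vpn-legacy": "9.1R18.9",
    "vpn-lab": "22.7R2",
    "vpn-unknown": "n/a",
}
```

A version check only tells you whether the appliance is still exposed; for appliances that were exposed before patching, the published indicators of compromise and YARA rules are the relevant follow-up.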