Context
Ivanti has disclosed a critical vulnerability, CVE-2025-22457 (CVSS 9.0), affecting multiple product lines including Connect Secure, Policy Secure, and ZTA Gateways. The flaw, a stack-based buffer overflow, allows unauthenticated remote attackers to execute arbitrary code and has been actively exploited in the wild. Google’s Mandiant team identified threat activity tied to UNC5221, a China-nexus group, which used this vulnerability to deliver malware including TRAILBLAZE, BRUSHFIRE, and the SPAWN variants; these tools enable persistent access, credential theft, and data exfiltration.
Community Impact
Retail and hospitality organizations often rely on Ivanti Connect Secure for secure remote access, making them susceptible to this critical vulnerability if unpatched. Exploitation could lead to data theft, business disruption, and unauthorized access to internal systems. As such, Core Members are advised to maintain situational awareness around the threat and to review the intelligence included here.
Technical Details
The vulnerability has been exploited by UNC5221, which injected stealthy malware directly into memory using sophisticated dropper techniques, bypassing traditional defenses. Mandiant attributes this activity to a China-nexus threat cluster with historical links to APT27 and Silk Typhoon, known for exploiting edge devices. The deployment of custom malware such as SPAWNSLOTH and SPAWNSNARE illustrates a high level of technical capability aimed at avoiding detection and persisting within networks. Notably, this incident marks UNC5221’s first known N-day exploitation, suggesting a growing proficiency in weaponizing patched vulnerabilities. Their obfuscation tactics, including the use of compromised appliances to proxy attacks, further complicate attribution and response.
“These actors will continue to research security vulnerabilities and develop custom malware for enterprise systems that don’t support EDR solutions. The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase and these actors are better than ever”, Mandiant further stated in a press release.