
A critical security vulnerability, CVE-2025-22457, in Ivanti Connect Secure (ICS) VPN appliances running version 22.7R2.5 and earlier was revealed on Thursday, and security experts believe it is being actively exploited by the China-backed cyberespionage group UNC5221.
This buffer overflow vulnerability enables threat actors to achieve remote code execution if successfully exploited. Evidence of active exploitation against affected systems has already been identified, according to Ivanti and cybersecurity firm Mandiant.
Addressing the concerns related to security devices, Daniel Spicer, CSO at Ivanti, shared his statement with TechNadu.
He wrote, "Network security devices and edge devices, in particular, are a focus of sophisticated and highly persistent threat actors, and Ivanti is committed to providing information to defenders to ensure they can take every possible step to secure their environments."
"To this end, in addition to providing an advisory directly to customers, Ivanti worked closely with its partner Mandiant to provide additional information regarding this recently addressed vulnerability," Spicer added.
Further reassuring about the curbed risk, he stated, "Importantly, this vulnerability was fixed in ICS 22.7R2.6, released February 11, 2025, and customers running supported versions on their appliances and in accordance with the guidance provided by Ivanti have a significantly reduced risk."
"Ivanti's Integrity Checker Tool (ICT) has been successful in detecting potential compromise on a limited number of customers running ICS 9.X (end of life) and 22.7R2.5 and earlier versions," Spicer concluded.
Following successful attacks on ICS appliances, Mandiant reported the deployment of two newly identified malware families, TRAILBLAZE and BRUSHFIRE, along with the SPAWN malware ecosystem attributed to UNC5221, a suspected China-linked espionage group.
The latter has also been previously attributed to the UNC5337 threat actor.
Google Threat Intelligence Group attributes this campaign to UNC5221, a suspected China-based espionage actor. These actors have a history of using zero-day vulnerabilities in edge devices, with documented activity spanning several years.
Although an initial assessment rated CVE-2025-22457 as a low-risk denial-of-service flaw, because the buffer overflow accepts only a limited character set, researchers now believe the attackers reverse-engineered the patch Ivanti released for version 22.7R2.6 in February 2025 to uncover an exploitation path enabling remote code execution (RCE).
Following exploitation, attackers delivered TRAILBLAZE, an in-memory dropper, and BRUSHFIRE, a passive backdoor, via a shell-script dropper.
The shell-script dropper directly executes TRAILBLAZE, injects BRUSHFIRE into specific processes, and removes temporary files to evade detection.
A minimalistic in-memory dropper written in C, TRAILBLAZE avoids persistence and relies on raw syscalls for injection into running processes.
BRUSHFIRE operates as a passive backdoor: it hooks the SSL_read function to intercept incoming traffic, then decrypts and executes malicious shellcode sent by the attackers.
UNC5221 further utilized the SPAWN malware ecosystem for additional functionalities:
UNC5221 has leveraged multiple zero-day flaws in the past, including CVE-2025-0282, CVE-2023-46805, CVE-2024-21887, and CVE-2023-4966, to target critical infrastructure globally.
Their tactics often involve exploiting edge appliances, using passive backdoors, and obfuscating operations via compromised network devices, including Cyberoam appliances, QNAP devices, and ASUS routers.
The vulnerability's exploitation was first observed in mid-March 2025. Ivanti has issued a patch for CVE-2025-22457 and strongly urges all customers to upgrade to ICS version 22.7R2.6 or later to mitigate the risks.
This story has been updated with statements from Daniel Spicer, CSO at Ivanti.