Suspected Chinese government spies have been exploiting a newly disclosed critical bug in Ivanti VPN appliances since mid-March. This is now at least the third time in three years these snoops have been pwning these products.
Plus, post-exploit, the Beijing-backed crew deployed on compromised Ivanti equipment two new malware strains along with variants of the Spawn software nasty, we're told.
Ivanti today detailed the under-attack 9.0-out-of-10-severity vulnerability, tracked as CVE-2025-22457, and said it affects Ivanti Connect Secure (version 22.7R2.5 and earlier), Pulse Connect Secure 9.x (end-of-support as of December 31), Ivanti Policy Secure, and ZTA gateways.
The alert comes just days after the US government warned a new form of Spawn was being used in attacks exploiting an earlier Ivanti zero-day, this one tracked as CVE-2025-0282, in these same products.
The new critical bug, CVE-2025-22457, is a stack-based buffer overflow flaw that can lead to unauthenticated remote code execution (RCE); the vendor fixed this in Ivanti Connect Secure 22.7R2.6, released in February.
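Because the affected range is stated entirely in terms of version strings (Connect Secure 22.7R2.5 and earlier vulnerable, 22.7R2.6 fixed, Pulse Connect Secure 9.x end-of-support with no fix coming), the first practical defender task is an inventory sweep. The following is an added example, not code from Ivanti, Mandiant or the article: it parses Ivanti's `major.minorRrelease.maintenance` version format into a comparable tuple and classifies each appliance. The hostnames and inventory lines are constructed; the fixed versions for Policy Secure and ZTA gateways are not given on the page, so those products are flagged for manual confirmation rather than guessed.

```python
import re
from typing import Dict, Tuple

# Constructed inventory for illustration; these hosts do not exist.
SAMPLE_INVENTORY = """\
vpn-a.example.test, Ivanti Connect Secure, 22.7R2.5
vpn-b.example.test, Ivanti Connect Secure, 22.7R2.6
vpn-c.example.test, Ivanti Connect Secure, 22.7R2.4
vpn-d.example.test, Pulse Connect Secure, 9.1R18.9
vpn-e.example.test, Ivanti Connect Secure, 22.7R3
vpn-f.example.test, Ivanti Policy Secure, 22.7R1.2
"""

# Per the advisory as reported: the fix for Connect Secure shipped in 22.7R2.6.
FIXED_ICS = "22.7R2.6"

_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5) so versions compare numerically.
    A missing maintenance number counts as 0: '22.7R3' -> (22, 7, 3, 0)."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {s!r}")
    major, minor, release, maint = m.groups()
    return (int(major), int(minor), int(release), int(maint or 0))


def assess(product: str, version: str) -> str:
    """Classify one appliance against CVE-2025-22457 using only what the
    advisory states about affected and fixed versions."""
    p = product.strip().lower()
    if p.startswith("pulse connect secure"):
        # 9.x is end-of-support: no patch will ship, migration is the only remedy.
        return "END_OF_SUPPORT_MIGRATE"
    if p.startswith("ivanti connect secure"):
        if parse_version(version) < parse_version(FIXED_ICS):
            return "VULNERABLE_PATCH_NOW"
        return "PATCHED"
    if p.startswith("ivanti policy secure") or "zta" in p:
        # Listed as affected, but the fixed version is not on the page.
        return "AFFECTED_CONFIRM_FIX_WITH_VENDOR"
    return "UNKNOWN_PRODUCT_REVIEW"


def triage(inventory: str) -> Dict[str, str]:
    """Run assess() over 'host, product, version' lines; returns host -> state."""
    results: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        results[host] = assess(product, version)
    return results


if __name__ == "__main__":
    for host, state in triage(SAMPLE_INVENTORY).items():
        print(f"{host:22} {state}")
```

The tuple comparison is what makes this robust: a naive string compare would rank "22.7R2.6" above "22.7R3" and wrongly mark the newer release as vulnerable. The classification deliberately does not attempt to judge whether a device has already been compromised; that is a separate forensic question the version number cannot answer.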
At the time, this CVE was believed to be a low-risk, denial-of-service bug. It turns out the vulnerability wasn't so low risk and could be exploited to achieve RCE, as UNC5221, a suspected Beijing-run espionage crew, realized — and then got to work hijacking Ivanti hardware in the wild, as they have been doing since at least 2023.
Google Threat Intelligence Group (GTIG) "has previously reported UNC5221 conducting zero-day exploitation of CVE-2025-0282, as well as the exploitation of CVE-2023-46805 and CVE-2024-21887," the web giant's Mandiant incident response team said on Thursday.
"Furthermore, GTIG has also previously observed UNC5221 conducting zero-day exploitation of CVE-2023-4966, impacting NetScaler ADC and NetScaler Gateway appliances," the threat hunters added.
Ivanti, in its advisory, said it is "aware of a limited number of customers whose Ivanti Connect Secure (22.7R2.5 or earlier) and End-of-Support Pulse Connect Secure 9.1x appliances have been exploited at the time of disclosure."
It also urged customers to update to a patched version and noted the end-of-support products no longer receive any code changes or updates. "Customers' only option is to migrate to a secure platform to ensure their security," the software maker warned.
The Register asked Ivanti how many customers have been compromised, and did not receive a response. According to its security alert, it is "not aware of any exploitation of Policy Secure or ZTA gateways" as of the disclosure.
We also asked Google's Mandiant team this same question, and the short answer is: It's too early to tell.
"We don't have enough visibility at this time to provide an accurate estimate, but given how fast this threat actor operates, it's imperative that companies move quickly to patch to limit the impact," Mandiant senior consultant Matt Lin told The Register.
At the same time Ivanti sounded the patch-or-migrate-now alarm, Mandiant published a threat intelligence report and blamed the exploitation on UNC5221.
Mandiant says it suspects that UNC5221 studied the February patch for Ivanti Connect Secure products "and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution."
Once the miscreants compromise organizations' buggy kit, UNC5221 deploys two newly identified malware families: Trailblaze and Brushfire. Both are executed via a shell script.
First, the script executes Trailblaze entirely in memory, which injects Brushfire, a passive backdoor, into a running /home/bin/web process. That gives the snoops the ability to remotely control the device.
In addition to the two new malware facilities, Mandiant also observed the intruders deploying a few versions of Spawn malware, which the threat hunters say UNC5221 has used in previous attacks against Ivanti devices.
"This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups," Mandiant Consulting CTO Charles Carmakal said in a statement emailed to The Register.
"These actors will continue to research security vulnerabilities and develop custom malware for enterprise systems that don't support EDR solutions," he added. "The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase and these actors are better than ever." ®