Ivanti has recently patched a critical severity vulnerability found in its Connect Secure (ICS) VPN appliances which was allegedly being abused in the wild by Chinese state-sponsored actors.
Researchers at Mandiant published a new security advisory stating Ivanti discovered and fixed a buffer overflow vulnerability in ICS 9.X (unsupported) and 22.7R2.5 and earlier versions. The vulnerability is tracked as CVE-2025-22457, and carries a severity score of 9.0/10 (critical).
At first, no one was aware of the bug’s disruptive potential, Mandiant explained, but later – evidence of remote code execution (RCE) attacks were discovered.
Monitor your credit score with TransUnion starting at $29.95/month
TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You’ll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.
Preferred partner (What does this mean?)View Deal
Cyber-espionage
In these attacks, allegedly conducted by a threat actor tracked as UNC5221, two new malware variants were used: TRAILBLAZE, and BUSHFIRE.
The former is an in-memory only dropper, while the latter is a passive backdoor. Furthermore, the researchers saw cybercriminals dropping malware from the SPAWN ecosystem, as well.
UNC5221 is a known, China-nexus espionage actor that was observed, on multiple occasions, targeting vulnerable Ivanti instances. For example, in early January this year, Ivanti said it saw two flaws – CVE-2025-0282 and CVE-2025-0283 – being abused by this threat actor. Both were impacting Ivanti Connect Secure VPN appliances.
In these attacks, SPAWN variants were also used.
Mandiant says that this CVE was probably first used in mid-March 2025, a month after the patch was released.
“We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution,” the researchers said.
Ivanti has released fixes for the exploited vulnerabilities and its customers are advised to upgrade their endpoints without hesitation, since the flaws are being actively targeted.
You might also like
- Ivanti warns another critical security flaw is being attacked
- We’ve rounded up the best password managers
- Take a look at our guide to the best authenticator app