Saturday, October 11, 2025

Chinese Hackers Exploit Ivanti Flaw with New Espionage Malware

A cyber-espionage group with suspected links to China is actively exploiting a critical vulnerability in Ivanti security products. The flaw, once considered low-risk, is now being used to deploy two new malware families for remote code execution. Security firm Mandiant attributes the attacks to a group known as UNC5221, urging Ivanti customers to apply patches immediately to protect their networks from this escalating threat.

A Low-Risk Flaw Turns into a Major Threat

When Ivanti first addressed the buffer overflow vulnerability, identified as CVE-2025-22457, in February, the company’s initial assessment gave customers little cause for concern. It was believed that the flaw’s limitations, which only allowed periods and numbers in the overflow, made it unusable for serious attacks like remote code execution.

That evaluation changed dramatically this month. Ivanti issued an updated advisory on April 3, confirming that the bug was not only exploitable but was being actively used in the wild. “We have now learned it is exploitable through sophisticated means and have identified evidence of active exploitation,” the company stated, completely reversing its earlier stance.

This situation highlights how threat actors can find creative ways to weaponize vulnerabilities that defenders initially overlook.

Who is UNC5221 and What are They Deploying?

Researchers at Google’s Mandiant have connected the attacks to UNC5221, a cyber-espionage group believed to be operating on behalf of China. This group is not new to targeting Ivanti products, having previously exploited other zero-day vulnerabilities in the company’s VPN appliances earlier this year.

After successfully exploiting CVE-2025-22457, UNC5221 deploys a fresh set of malicious tools to establish and maintain control over compromised systems. The new malware includes:

  • Trailblaze: A stealthy, memory-resident dropper designed to load other malicious payloads onto the system without being easily detected.
  • Brushfire: A sophisticated backdoor that provides the attackers with persistent access, allowing them to return to the network at will.

Alongside these new additions, the group continues to use its existing toolkit, which includes malware for tampering with logs and installing further components.

Affected Ivanti Products and Recommended Actions

The vulnerability impacts several widely used Ivanti products that serve as gateways to enterprise networks. While active exploitation has only been confirmed on Connect Secure, Ivanti recommends that all users of affected products take immediate action to protect themselves. The company has provided clear guidance on how to secure different systems.

Product               | Affected Versions     | Recommended Action
----------------------|-----------------------|--------------------------------------------------
Connect Secure        | 22.7R2.5 and earlier  | Upgrade to version 22.7R2.6 immediately.
Policy Secure         | All current versions  | Apply patch expected on April 21.
ZTA Gateways          | All current versions  | An automatic fix will be deployed on April 19.
Pulse Connect Secure  | 9.x (Unsupported)     | Migrate to a supported product immediately.
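To apply the advisory table above to a device inventory, here is an added triage helper (example code written for this article, not Ivanti's or Mandiant's own tooling). It assumes Connect Secure build numbers follow the "22.7R2.5" pattern shown in the table and runs over a constructed sample inventory.

```python
import re

# Assumed version format: "<major>.<minor>R<release>[.<patch>]", e.g. "22.7R2.5" or "22.6R2".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """Turn '22.7R2.5' into a comparable tuple (22, 7, 2, 5); a missing patch counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

# First Connect Secure build that carries the fix, per the table above.
FIXED_CONNECT_SECURE = parse_version("22.7R2.6")

def triage(product, version):
    """Return (status, action) for one inventory row, following the advisory table."""
    if product == "Connect Secure":
        if parse_version(version) < FIXED_CONNECT_SECURE:
            return ("affected", "Upgrade to 22.7R2.6 immediately")
        return ("fixed", "No action required for CVE-2025-22457")
    if product == "Pulse Connect Secure":
        return ("affected", "Unsupported 9.x line: migrate to a supported product")
    if product == "Policy Secure":
        return ("affected", "Apply the patch expected on April 21")
    if product == "ZTA Gateways":
        return ("affected", "Automatic fix on April 19: confirm it was applied")
    raise ValueError(f"product not covered by the advisory table: {product!r}")

def triage_inventory(rows):
    """rows: iterable of (hostname, product, version); returns (hostname, status, action)."""
    return [(host, *triage(product, version)) for host, product, version in rows]

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("vpn-01", "Connect Secure", "22.7R2.5"),
    ("vpn-02", "Connect Secure", "22.7R2.6"),
    ("vpn-03", "Connect Secure", "22.6R2"),
    ("legacy-01", "Pulse Connect Secure", "9.1R18"),
]

if __name__ == "__main__":
    for host, status, action in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:10} {status:9} {action}")
```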

How Attackers Weaponized the Seemingly Minor Bug

The initial belief that the vulnerability was minor stemmed from its apparent limitations. However, UNC5221 demonstrated a high level of sophistication by overcoming these obstacles. According to Mandiant researcher Matt Lin, the attackers likely achieved this by carefully examining the code changes in Ivanti’s February patch.

“Likely by studying the patch and differences in code… the threat actor figured out a sophisticated way to weaponize the vulnerability and achieve remote code execution,” Lin explained. This reverse-engineering of the patch allowed the group to develop a working exploit while the vulnerability was still officially rated as low severity.

Mandiant’s investigation revealed that UNC5221 had been exploiting the flaw for weeks before its true potential was publicly known, giving them a significant head start.

The Bigger Picture: Edge Devices as Prime Targets

This campaign is part of a larger trend where cyber-espionage groups focus on “edge devices” like VPNs, firewalls, and other security appliances. These devices are attractive targets because they sit at the perimeter of a network and often have high-level privileges, making them a perfect entry point for attackers.

By compromising an edge device, adversaries can bypass many traditional security measures and gain a strong foothold inside a target organization. UNC5221 has a well-documented history of this strategy, having previously used other Ivanti zero-days, such as CVE-2023-46805 and CVE-2024-21887, to deploy malware and conduct espionage operations.

Davis Emily
Emily is a versatile and passionate content writer with a talent for storytelling and audience engagement. With a degree in English and expertise in SEO, she has crafted compelling content for various industries, including business, technology, healthcare, and lifestyle, always capturing her unique voice.
