A suspected Chinese cyber-espionage group is exploiting a critical vulnerability in Ivanti’s security products, deploying two new malware strains on compromised systems. The flaw, initially considered low-risk, has now been deemed a severe threat as attackers weaponize it for remote code execution.
Ivanti Reassesses Risk as Exploitation Rises
When Ivanti first patched the buffer overflow vulnerability (CVE-2025-22457) in February, it gave customers little reason for alarm. At the time, the company said the flaw was unlikely to be exploited for remote code execution. That assessment changed this week after Ivanti and its security partners confirmed the bug is actively being used in cyberattacks.
“The vulnerability is a buffer overflow with characters limited to periods and numbers. It was evaluated and determined not to be exploitable for remote code execution or denial of service,” Ivanti said in an April 3 security advisory. “However, we have now learned it is exploitable through sophisticated means and have identified evidence of active exploitation in the wild.”
The flaw affects multiple Ivanti products, including:
- Connect Secure (versions 22.7R2.5 and earlier)
- Policy Secure and ZTA gateways
- The now-unsupported Pulse Connect Secure 9.x
While there are no reports of exploitation in Policy Secure or ZTA, Ivanti still recommends immediate upgrades. Connect Secure users should transition to version 22.7R2.6, and organizations running Pulse Connect Secure should migrate to supported alternatives. A patch for Policy Secure is expected April 21, with an automatic ZTA fix arriving April 19.
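A small triage helper, added here as an example (not Ivanti's or Mandiant's code), that turns the upgrade guidance above into a check against an appliance inventory. It assumes version strings use the `MAJOR.MINORRn.m` layout quoted in the article (for example `22.7R2.5`); the inventory rows are constructed.

```python
import re

# Fixed Connect Secure release named in the advisory guidance: 22.7R2.6
FIXED_ICS = (22, 7, 2, 6)

# Assumed layout "22.7R2.5" -> major.minor R release.patch (patch optional)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(s: str) -> tuple[int, int, int, int]:
    """Parse an Ivanti-style version string into a comparable tuple."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(product: str, version: str) -> str:
    """Map one appliance to the remediation the article describes."""
    if product == "Pulse Connect Secure":
        # 9.x is end-of-life: there is no patch to wait for, only migration.
        return "unsupported: migrate"
    if product == "Connect Secure":
        if parse_version(version) >= FIXED_ICS:
            return "patched"
        return "vulnerable: upgrade to 22.7R2.6"
    if product in ("Policy Secure", "ZTA"):
        # No exploitation reported, but fixes are still pending per the advisory.
        return "fix pending"
    return "unknown product"


def triage(inventory):
    """Return {hostname: status} for a list of (host, product, version) rows."""
    return {host: assess(product, ver) for host, product, ver in inventory}


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("vpn-a", "Connect Secure", "22.7R2.5"),
    ("vpn-b", "Connect Secure", "22.7R2.6"),
    ("vpn-c", "Connect Secure", "22.7R2"),
    ("legacy", "Pulse Connect Secure", "9.1R18"),
    ("ips-1", "Policy Secure", "22.7R1"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```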
Chinese-Linked Group UNC5221 Behind Attacks
Security researchers at Google’s Mandiant division have attributed the ongoing exploitation to UNC5221, a cyber-espionage group with suspected ties to China. The group has a history of targeting Ivanti products, previously leveraging two zero-day vulnerabilities in Ivanti’s VPNs earlier this year.
After exploiting CVE-2025-22457, UNC5221 deploys two new malware families:
- Trailblaze: A memory-resident dropper that loads additional payloads.
- Brushfire: A stealthy backdoor used for persistent access.
Alongside these new tools, UNC5221 continues to use previously identified malware, including:
- Spawnsloth: A log-tampering tool to evade detection.
- Spawnsnare: An encryption utility.
- Spawnant: An installer for additional malware components.
How Attackers Weaponized the Flaw
Mandiant researcher Matt Lin noted that attackers moved quickly, beginning exploitation soon after Ivanti’s February patch. Initially, experts thought the flaw was too limited to be dangerous. The buffer overflow allowed only periods and numbers, seemingly restricting exploitability to a simple denial-of-service attack.
That assumption was wrong.
“Likely by studying the patch and differences in code between ICS 22.7R2.6 and earlier versions, the threat actor figured out a sophisticated way to weaponize the vulnerability and achieve remote code execution,” Lin said.
Mandiant’s investigation found UNC5221 had been exploiting this vulnerability for weeks before Ivanti upgraded its severity rating. The group’s history with Ivanti products suggests a strategic focus on security appliances as entry points for broader espionage operations.
Edge Devices: A Prime Target for Cyber Espionage
UNC5221’s latest campaign highlights a growing trend—attackers targeting edge devices like VPNs, firewalls, and routers. These systems often have privileged access to enterprise networks, making them valuable footholds for adversaries looking to:
- Bypass traditional security defenses.
- Maintain persistent access within networks.
- Move laterally to compromise additional systems.
- Steal sensitive data for espionage or ransomware attacks.
Mandiant has previously tracked UNC5221 exploiting other Ivanti vulnerabilities, including two zero-days patched in January (CVE-2025-0282 and CVE-2025-0283). In a related advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation of CVE-2025-0282 to deploy the “Resurge” malware.
Last year, Mandiant reported another UNC5221 campaign leveraging two more Ivanti zero-days (CVE-2023-46805 and CVE-2024-21887). The group used those flaws to drop web shells and other malware, solidifying their presence on victim systems.
The ongoing focus on Ivanti’s technology underscores how attackers adapt quickly. Even vulnerabilities initially deemed low risk can become serious threats if adversaries find a way to exploit them effectively.