Chinese State Hackers Exploiting Newly Disclosed Ivanti Flaw

A Chinese state threat actor is actively exploiting a newly disclosed critical Ivanti vulnerability, according to Mandiant researchers.
The suspected espionage actor has been targeting CVE-2025-22457, a buffer overflow vulnerability that can lead to attackers achieving remote code execution.
The researchers have also observed the group, tracked as UNC5221, deploying two newly identified malware families following successful exploitation.
A patch for CVE-2025-22457 was released on February 11, 2025, in Ivanti Connect Secure (ICS) version 22.7R2.6. The overflow is constrained to a limited character space, which initially led the vendor to assess it as a low-risk denial-of-service vulnerability.
However, Mandiant noted that UNC5221 managed to work out a way to exploit 22.7R2.5 and earlier versions to achieve remote code execution.
The flaw has been assigned a critical CVSS score of 9.0.
Active exploitation of the vulnerability in the wild has been observed since mid-March 2025.
Mandiant and Ivanti have urged all ICS customers running versions 22.7R2.6 and lower to apply the previously released patches as soon as possible.
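A defender triaging an appliance inventory against the fixed build named above needs to compare ICS version strings correctly. The following added example (not from the article, Mandiant or Ivanti) parses strings in the "22.7R2.5" / "9.1R18" form and classifies each appliance; the inventory and hostnames are constructed, and it assumes, as the comparison logic, that any release numerically later than 22.7R2.6 carries the fix and that 9.x builds are end of life, as the vendor statement in the article notes.

```python
import re
from typing import Dict, List, Tuple

# Fixed build named in the article: Ivanti Connect Secure 22.7R2.6.
FIXED_VERSION = "22.7R2.6"

# ICS version strings look like "22.7R2.5" or "9.1R18" (the trailing ".patch" is optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_ics_version(version: str) -> Tuple[int, int, int, int]:
    """Turn an ICS version string into a (major, minor, release, patch) tuple that sorts correctly."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised ICS version string: {version!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess_ics_version(version: str) -> str:
    """Classify one appliance build as 'end-of-life', 'vulnerable' or 'fixed'.

    Assumption: 9.x branches are end of life and must be upgraded rather than patched;
    any build at or above 22.7R2.6 is treated as carrying the fix.
    """
    parsed = parse_ics_version(version)
    if parsed[0] == 9:
        return "end-of-life"
    return "fixed" if parsed >= parse_ics_version(FIXED_VERSION) else "vulnerable"


def triage_inventory(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (hostname, version) pairs by remediation status; unparsable versions go to 'unknown'."""
    result: Dict[str, List[str]] = {"end-of-life": [], "vulnerable": [], "fixed": [], "unknown": []}
    for host, version in inventory:
        try:
            result[assess_ics_version(version)].append(host)
        except ValueError:
            result["unknown"].append(host)
    return result


# Constructed sample inventory (hypothetical hostnames and builds, not from the article).
SAMPLE_INVENTORY = [
    ("vpn-edge-01", "22.7R2.5"),
    ("vpn-edge-02", "22.7R2.6"),
    ("vpn-legacy-03", "9.1R18"),
    ("vpn-edge-04", "22.6R2.1"),
    ("vpn-lab-05", "unknown-build"),
]
```

Running `triage_inventory(SAMPLE_INVENTORY)` lists the hosts that still need the patch, those on an end-of-life branch, and any whose reported version could not be parsed and needs a manual look.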
Significant Post-Compromise Activity
The Chinese actor has undertaken significant post-compromise activities following successful exploitation of CVE-2025-22457.
This includes the deployment of two newly identified, memory-resident malware families.
The first of these is a minimal in-memory dropper called Trailblaze, which is used to inject the backdoor Brushfire, a passive backdoor that hooks SSL functions in order to receive commands.
Memory-resident malware lives only in the appliance's system memory rather than on disk, so it leaves few signs of infection and is very difficult to identify.
Trailblaze is executed by a multi-stage shell script dropper.
Several components of the Spawn malware family have also been deployed by UNC5221, including:
- Spawnsloth: A log tampering component tied to the Spawnsnail backdoor, which targets the dslogserver process to disable both local logging and remote syslog forwarding
- Spawnsnare: A Linux utility that can extract the uncompressed Linux kernel image (vmlinux) to a file and encrypt it with AES without needing any command-line tools
- Spawnwave: An evolved version of Spawnant that combines capabilities from other members of the Spawn malware ecosystem
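Because Spawnsloth disables both local logging and remote syslog forwarding on the appliance, the detectable signal on the defender's side is the absence of logs rather than their content. The added example below (not from the article or the vendors) runs over a constructed central-collector log and flags appliances that have gone quiet for longer than a threshold, or that are expected to report but have sent nothing at all; the hostnames, timestamps and messages are invented.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Constructed sample of events as received by a central syslog collector (not real appliance output).
# Format: "<ISO-8601 UTC timestamp> <sending appliance> <message>".
SAMPLE_COLLECTOR_LOG = """\
2025-03-20T08:00:00Z ics-edge-01 dslogserver: session established for user alice
2025-03-20T08:00:00Z ics-edge-02 dslogserver: session established for user bob
2025-03-20T08:05:00Z ics-edge-01 dslogserver: VPN tunnel keepalive
2025-03-20T08:05:00Z ics-edge-02 dslogserver: VPN tunnel keepalive
2025-03-20T08:10:00Z ics-edge-01 dslogserver: VPN tunnel keepalive
2025-03-20T08:10:00Z ics-edge-02 dslogserver: VPN tunnel keepalive
2025-03-20T08:15:00Z ics-edge-02 dslogserver: VPN tunnel keepalive
2025-03-20T08:20:00Z ics-edge-02 dslogserver: VPN tunnel keepalive
"""


def parse_collector_log(text: str) -> Dict[str, List[datetime]]:
    """Group event timestamps by the appliance that sent them."""
    by_sender: Dict[str, List[datetime]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, sender, _message = line.split(" ", 2)
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_sender.setdefault(sender, []).append(ts)
    return by_sender


def find_silent_senders(
    by_sender: Dict[str, List[datetime]],
    expected: Set[str],
    now: datetime,
    max_gap: timedelta = timedelta(minutes=15),
) -> Dict[str, Optional[timedelta]]:
    """Return expected appliances whose newest event is older than max_gap as of 'now'.

    The value is the silence duration, or None for an appliance that has sent nothing at all.
    """
    silent: Dict[str, Optional[timedelta]] = {}
    for sender in sorted(expected):
        stamps = by_sender.get(sender)
        if not stamps:
            silent[sender] = None
            continue
        gap = now - max(stamps)
        if gap > max_gap:
            silent[sender] = gap
    return silent
```

A silent appliance is not proof of tampering (outages and misconfigured forwarders look the same), but it is the prompt to run the vendor's integrity check rather than wait for a log entry that will never arrive.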
Mandiant warned that this activity is designed to allow the attacker to establish persistent backdoor access on the compromised appliance, potentially enabling credential theft, further network intrusion and data exfiltration.
Continued Chinese Targeting of Edge Devices
UNC5221 has previously been observed undertaking zero-day exploitation of other Ivanti product vulnerabilities, as well as flaws affecting NetScaler ADC and NetScaler Gateway appliances.
This has enabled the espionage actor to target a wide range of countries and verticals during its operations.
The activity is part of broader operations by Chinese-nexus espionage groups to target edge devices, enabling access to a variety of organizations, including those in critical and government sectors. In 2024, such groups undertook extensive exploitation of Ivanti vulnerabilities for this purpose.
Charles Carmakal, CTO at Mandiant, warned: “This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups. These actors will continue to research security vulnerabilities and develop custom malware for enterprise systems that don’t support EDR solutions. The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase and these actors are better than ever.”
Ivanti Response to New Exploit
Speaking to Infosecurity, Ivanti's CSO Daniel Spicer highlighted the work the firm is doing to tackle the growing targeting of edge devices.
“Network security devices and edge devices in particular are a focus of sophisticated and highly persistent threat actors, and Ivanti is committed to providing information to defenders to ensure they can take every possible step to secure their environments. To this end, in addition to providing an advisory directly to customers, Ivanti worked closely with its partner Mandiant to provide additional information regarding this recently addressed vulnerability,” he noted.
Spicer added: “Importantly, this vulnerability was fixed in ICS 22.7R2.6, released February 11, 2025, and customers running supported versions on their appliances and in accordance with the guidance provided by Ivanti have a significantly reduced risk. Ivanti’s Integrity Checker Tool (ICT) has been successful in detecting potential compromise on a limited number of customers running ICS 9.X (end of life) and 22.7R2.5 and earlier versions.”
This article was updated at 15.15 BST on Friday April 4, 2025, to include an Ivanti statement