

Ethical Hacking News

A Critical Security Vulnerability Exposed: The China-Nexus Threat Actor's Exploitation of Ivanti Connect Secure


A suspected China-nexus threat actor has been actively exploiting CVE-2025-22457, a buffer overflow in Ivanti Connect Secure VPN appliances that can result in remote code execution. Organizations are urged to upgrade their appliances to version 22.7R2.6 or later as soon as possible.

  • CVE-2025-22457, a buffer overflow vulnerability in Ivanti Connect Secure VPN appliances version 22.7R2.5 and earlier, has been actively exploited by a suspected China-nexus threat actor.
  • The earliest observed exploitation dates to mid-March 2025 and led to the deployment of two newly identified malware families: TRAILBLAZE, an in-memory-only dropper, and BRUSHFIRE, a passive backdoor.
  • The post-exploitation chain used a shell-script dropper and in-memory-only loading to run a backdoor inside the appliance's web process without leaving a conventional on-disk implant.
  • Ivanti fixed the vulnerability in version 22.7R2.6; all customers are advised to upgrade to 22.7R2.6 or later as soon as possible and to run the Integrity Checker Tool.
  • The campaign is attributed to UNC5221, a suspected China-nexus espionage actor with a history of targeting edge devices.



    A recent disclosure by Ivanti has shed light on a critical security vulnerability, CVE-2025-22457, that has been actively exploited by a suspected China-nexus threat actor. The vulnerability, which affects Ivanti Connect Secure ("ICS") VPN appliances version 22.7R2.5 and earlier, is a buffer overflow vulnerability that can result in remote code execution. Mandiant and Ivanti have identified evidence of active exploitation in the wild against ICS 9.X (end of life) and 22.7R2.5 and earlier versions.

    The earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025, with subsequent successful exploits leading to the deployment of two newly identified malware families, TRAILBLAZE and BRUSHFIRE. TRAILBLAZE is an in-memory-only dropper whose job is to load the second stage; BRUSHFIRE is a passive backdoor that waits inside the appliance's web process for a specially crafted request rather than beaconing out, which keeps both components off disk and out of ordinary network-egress monitoring.

    The intrusion did not stop at the initial overflow. Exploitation was followed by a multi-stage chain: a shell-script dropper, the in-memory-only TRAILBLAZE dropper, and the BRUSHFIRE passive backdoor. Building that chain for a bug that Ivanti had already fixed indicates that the actor had a detailed understanding of the Ivanti Connect Secure appliance and its web process; Mandiant and Ivanti assess it is likely that the actor studied the patch in 22.7R2.6 to work out how to exploit 22.7R2.5 and earlier.

    Alongside the new tooling, Mandiant also observed members of the previously documented SPAWN malware ecosystem, including SPAWNSLOTH, SPAWNSNARE, and SPAWNWAVE. Together these components gave the threat actor persistent access to compromised appliances and the means to tamper with evidence of that access.

    Ivanti released the fix for this vulnerability in ICS 22.7R2.6 on 11 February 2025, about a month before the first observed exploitation; at the time it was treated as a product bug that was not assessed to be exploitable for remote code execution. Ivanti now encourages all customers to upgrade their appliances to version 22.7R2.6 or later as soon as possible.
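The first practical task after reading an advisory like this one is fleet triage: which appliances are still on an affected build? The script below is an added example, not Ivanti or Mandiant tooling. It parses Ivanti-style version strings of the form MAJOR.MINOR R RELEASE[.PATCH] (for example 22.7R2.5) and classifies each host against the facts on this page: 22.7R2.5 and earlier are affected, 22.7R2.6 and later carry the fix, and the 9.x line is end of life with exploitation observed and no fix coming. The inventory, hostnames and the treatment of any pre-22 train as end of life are constructed assumptions for the example.

```python
"""Triage an Ivanti Connect Secure inventory against the CVE-2025-22457 fix.

Added example, not Ivanti or Mandiant code. Facts taken from the advisory:
22.7R2.5 and earlier are affected, 22.7R2.6 fixes the bug, 9.x is end of life.
Everything else (hostnames, the inventory, pre-22 == end of life) is assumed.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Version(NamedTuple):
    """Ivanti-style version, e.g. 22.7R2.5 -> (22, 7, 2, 5). Tuple order compares correctly."""
    major: int
    minor: int
    release: int
    patch: int


FIXED = Version(22, 7, 2, 6)  # first build carrying the CVE-2025-22457 fix
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Optional[Version]:
    """Parse 'MAJOR.MINOR R RELEASE[.PATCH]'; a missing patch number counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, release, patch = m.groups()
    return Version(int(major), int(minor), int(release), int(patch or 0))


def assess(version_text: str) -> str:
    """Classify one appliance as patched, vulnerable, end-of-life or unknown."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"          # unparsable: verify by hand, never assume patched
    if v.major < 22:
        # 9.x (and, by assumption here, any pre-22 train) is end of life:
        # exploitation was observed against it and no fix will ship. Replace it.
        return "end-of-life"
    return "patched" if v >= FIXED else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for a {hostname: version string} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


def needs_action(inventory: Dict[str, str]) -> List[str]:
    """Hosts that are not positively known to be patched, sorted for a ticket."""
    return sorted(h for h, status in triage(inventory).items() if status != "patched")


# Constructed inventory for the example; not real hosts or observed versions.
INVENTORY = {
    "vpn-hq-1": "22.7R2.5",    # affected: one build short of the fix
    "vpn-hq-2": "22.7R2.6",    # fixed build
    "vpn-branch": "22.7R1.3",  # older 22.7 release train, still affected
    "vpn-legacy": "9.1R18.9",  # end-of-life 9.x line
    "vpn-unknown": "n/a",      # inventory gap
}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12} {INVENTORY[host]:10} {status}")
    print("needs action:", needs_action(INVENTORY))
```

If your appliance export appends build suffixes to the version (anything after the patch number), strip them before calling `assess`; the regex deliberately refuses to guess and reports such strings as unknown so they end up on the action list rather than silently passing.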

    The exploitation of CVE-2025-22457 highlights the ongoing sophistication of threat actors and the importance of vigilance in securing critical infrastructure. It is also a reminder that a patch is not protection until it is deployed: the fix shipped in February, exploitation began in mid-March, and the actor appears to have worked backwards from the released fix to find the bug. Organizations need to apply edge-device patches promptly even when an update is labelled a bug fix rather than a security fix, and to maintain robust incident response capabilities for the window in which they are exposed.

    In light of these findings, Mandiant recommends that organizations immediately apply the available patch by upgrading Ivanti Connect Secure appliances to version 22.7R2.6 or later. Additionally, organizations should use the external and internal Integrity Checker Tool ("ICT") and contact Ivanti Support if suspicious activity is identified. To supplement this, defenders should actively monitor for core dumps related to the web process, investigate ICT statedump files, and conduct anomaly detection of client TLS certificates presented to the appliance.
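Of the three monitoring recommendations above, anomaly detection of client TLS certificates is the one most teams have no existing tooling for, so here is a baseline-and-flag implementation as an added example (not Ivanti, Mandiant or Google tooling). The log format is a constructed stand-in: one record per TLS handshake with a timestamp, the client IP and the SHA-256 fingerprint of the presented client certificate; map your appliance's real export onto `parse_line`. The fingerprints, IPs and the mid-March cutoff are constructed for the example. Two conditions are flagged: a certificate never seen during the baseline window, and a known certificate suddenly presented from a source IP it was never seen from before.

```python
"""Flag anomalous client TLS certificates presented to a VPN appliance.

Added example, not vendor tooling. Record format is constructed:
    "<ISO-8601 timestamp> <client ip> client_cert_sha256=<64 hex chars>"
Adapt parse_line() to whatever your appliance actually exports.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Set


class CertEvent(NamedTuple):
    ts: datetime
    client_ip: str
    fingerprint: str  # SHA-256 of the DER client certificate, lowercase hex


def parse_line(line: str) -> CertEvent:
    """Parse one constructed-format record; reject anything that does not fit."""
    ts, ip, kv = line.split()
    key, _, fp = kv.partition("=")
    if key != "client_cert_sha256" or len(fp) != 64:
        raise ValueError(f"unexpected record: {line!r}")
    return CertEvent(datetime.fromisoformat(ts), ip, fp.lower())


def build_baseline(events: Iterable[CertEvent], cutoff: datetime) -> Dict[str, Set[str]]:
    """fingerprint -> set of source IPs it was presented from before the cutoff."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.ts < cutoff:
            seen[e.fingerprint].add(e.client_ip)
    return seen


def flag_anomalies(lines: Iterable[str], cutoff: datetime) -> List[dict]:
    """Compare post-cutoff handshakes against the pre-cutoff baseline."""
    events = [parse_line(line) for line in lines]
    baseline = build_baseline(events, cutoff)
    findings: List[dict] = []
    reported: Set[tuple] = set()  # de-duplicate repeated (fingerprint, ip) pairs
    for e in events:
        if e.ts < cutoff or (e.fingerprint, e.client_ip) in reported:
            continue
        if e.fingerprint not in baseline:
            reason = "certificate never seen in baseline"
        elif e.client_ip not in baseline[e.fingerprint]:
            reason = "known certificate from new source IP"
        else:
            continue
        reported.add((e.fingerprint, e.client_ip))
        findings.append({
            "ts": e.ts.isoformat(),
            "ip": e.client_ip,
            "fingerprint": e.fingerprint[:16] + "...",
            "reason": reason,
        })
    return findings


# Constructed sample data: placeholder fingerprints, documentation-range IPs.
FP_A, FP_B, FP_NEW = "a" * 64, "b" * 64, "c" * 64
BASELINE_CUTOFF = datetime(2025, 3, 15)  # assumed: just before the first observed exploitation
SAMPLE_LINES = [
    f"2025-03-01T08:00:00 203.0.113.10 client_cert_sha256={FP_A}",
    f"2025-03-02T08:05:00 203.0.113.10 client_cert_sha256={FP_A}",
    f"2025-03-03T09:00:00 198.51.100.7 client_cert_sha256={FP_B}",
    f"2025-03-04T09:10:00 198.51.100.7 client_cert_sha256={FP_B}",
    f"2025-03-18T02:13:00 203.0.113.10 client_cert_sha256={FP_A}",  # routine, not flagged
    f"2025-03-18T02:14:00 192.0.2.44 client_cert_sha256={FP_NEW}",  # brand-new certificate
    f"2025-03-18T02:20:00 192.0.2.44 client_cert_sha256={FP_NEW}",  # repeat, de-duplicated
    f"2025-03-19T03:00:00 192.0.2.44 client_cert_sha256={FP_B}",    # known cert, new source
]

if __name__ == "__main__":
    for f in flag_anomalies(SAMPLE_LINES, BASELINE_CUTOFF):
        print(f)
```

Run it over a baseline window long enough to cover your normal user population, then over the period of concern; a passive backdoor that is triggered by crafted TLS traffic is exactly the kind of activity that shows up as a client certificate (or none at all) that the appliance has never negotiated with before. Treat findings as leads for the Integrity Checker Tool and Ivanti Support, not as confirmation on their own.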

    Mandiant attributes the exploitation to UNC5221, a suspected China-nexus espionage actor, which underscores the ongoing threat posture of these actors. Targeting an internet-facing edge device and pairing the exploit with the SPAWN ecosystem is consistent with the tactics, techniques, and procedures (TTPs) that Google Threat Intelligence Group has observed from this actor, which has previously exploited zero-day vulnerabilities in edge devices.

    The findings described in this report are part of a broader trend of sustained targeting of edge devices, and the exploitation of CVE-2025-22457 by a suspected China-nexus threat actor is a reminder that capable actors will build a working exploit from a shipped fix. Organizations that apply appliance patches promptly, run the Integrity Checker Tool, and maintain the monitoring and incident response capabilities described above reduce both their exposure window and the chance that a compromise goes unnoticed.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Security-Vulnerability-Exposed-The-China-Nexus-Threat-Actors-Exploitation-of-Ivanti-Connect-Secure-ehn.shtml

  • https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability/


  • Published: Thu Apr 3 11:21:56 2025 by llama3.2 3B Q4_K_M



    © Ethical Hacking News. All rights reserved.