Follow @EthHackingNews |
China-linked group UNC5221 has exploited a zero-day vulnerability in Ivanti Connect Secure since mid-March 2025, deploying malware families that were not previously observed in the wild. The incident highlights the ongoing threat posed by zero-day exploits and the importance of keeping software up-to-date.
In a recent development that has sent shockwaves through the cybersecurity community, it has been reported that a China-linked group known as UNC5221 has exploited a zero-day vulnerability in Ivanti Connect Secure since mid-March 2025. The vulnerability, tracked as CVE-2025-22457, is a stack-based buffer overflow that allows unauthenticated remote code execution.
The vulnerability affects Ivanti Connect Secure version 22.7R2.5 and earlier, as well as Pulse Connect Secure 9.x (end-of-support as of December 31, 2024), Ivanti Policy Secure, and ZTA gateways. It is worth noting that the vulnerability was not disclosed by Ivanti until the group's exploitation attempts were observed by cybersecurity experts at Mandiant and Google Threat Intelligence Group (GTIG).
The experts attributed the exploitation attempts to UNC5221, a suspected China-nexus espionage actor that has been linked to zero-day exploits of edge devices dating back to 2023. The group is believed to have exploited the vulnerability in order to deploy TRAILBLAZE and BRUSHFIRE malware, along with SPAWN malware.
According to Google GTIG's report, the earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025. Following successful exploitation, GTIG observed the deployment of two newly identified malware families: TRAILBLAZE, an in-memory-only dropper, and BRUSHFIRE, a passive backdoor.
Ivanti addressed the vulnerability with the release of Connect Secure 22.7R2.6 (released February 11, 2025). The company stated that, at the time of disclosure, it was aware of a limited number of customers whose Ivanti Connect Secure (22.7R2.5 and earlier) and end-of-support Pulse Connect Secure 9.1x appliances had been exploited.
Ivanti encouraged all customers to ensure they are running Connect Secure 22.7R2.6, which remediates the vulnerability, as soon as possible. The company also urged admins to monitor the Integrity Checker Tool (ICT) for signs of web server crashes and to reset compromised devices before redeploying them with version 22.7R2.6.
Google GTIG's report highlighted the sophistication of UNC5221's exploitation attempt, noting that the group was able to deploy malware families that were not previously observed in the wild. The group's tactics, techniques, and procedures (TTPs) are consistent with those of other China-linked espionage actors.
The incident serves as a reminder of the ongoing threat posed by zero-day exploits and the importance of keeping software up-to-date. It also highlights the need for increased vigilance in monitoring network activity and responding quickly to potential security incidents.
In conclusion, the exploitation of Ivanti Connect Secure by UNC5221 demonstrates the continued evolution of advanced persistent threats (APTs) and the importance of staying vigilant in the face of emerging cybersecurity threats.