Ivanti patches serious Connect Secure flaw

2 weeks ago 11

(Image credit: Shutterstock)

Ivanti recently patched a critical severity flaw in Connect Secure VPN
Mandiant says the bug is being used in the wild by Chinese actors
Two new malware strains were discovered

Ivanti has recently patched a critical severity vulnerability found in its Connect Secure (ICS) VPN appliances which was allegedly being abused in the wild by Chinese state-sponsored actors.

Researchers at Mandiant published a new security advisory stating Ivanti discovered and fixed a buffer overflow vulnerability in ICS 9.X (unsupported) and 22.7R2.5 and earlier versions. The vulnerability is tracked as CVE-2025-22457, and carries a severity score of 9.0/10 (critical).

At first, no one was aware of the bug’s disruptive potential, Mandiant explained, but later - evidence of remote code execution (RCE) attacks were discovered.

Cyber-espionage

In these attacks, allegedly conducted by a threat actor tracked as UNC5221, two new malware variants were used: TRAILBLAZE, and BUSHFIRE.

The former is an in-memory only dropper, while the latter is a passive backdoor. Furthermore, the researchers saw cybercriminals dropping malware from the SPAWN ecosystem, as well.

UNC5221 is a known, China-nexus espionage actor that was observed, on multiple occasions, targeting vulnerable Ivanti instances. For example, in early January this year, Ivanti said it saw two flaws - CVE-2025-0282 and CVE-2025-0283 - being abused by this threat actor. Both were impacting Ivanti Connect Secure VPN appliances.

In these attacks, SPAWN variants were also used.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Mandiant says that this CVE was probably first used in mid-March 2025, a month after the patch was released.

“We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution,” the researchers said.

Ivanti has released fixes for the exploited vulnerabilities and its customers are advised to upgrade their endpoints without hesitation, since the flaws are being actively targeted.

Ivanti warns another critical security flaw is being attacked
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read Entire Article