Ivanti has recently disclosed a critical security vulnerability, identified as CVE-2025-22457, affecting its Connect Secure product. This flaw, with a CVSS score of 9.0, is a stack-based buffer overflow that allows unauthenticated remote attackers to execute arbitrary code on affected systems. The vulnerability impacts several Ivanti products, including Connect Secure versions 22.7R2.5 and prior, Pulse Connect Secure versions 9.1R18.9 and prior, Ivanti Policy Secure versions 22.7R1.3 and prior, and ZTA Gateways versions 22.8R2 and prior.
Ivanti has released patches to address this vulnerability:
– Ivanti Connect Secure: Fixed in version 22.7R2.6, released on February 11, 2025.
– Pulse Connect Secure: Fixed in version 22.7R2.6. As this device reached end-of-support on December 31, 2024, customers are advised to contact Ivanti for migration assistance.
– Ivanti Policy Secure: A fix is scheduled for release on April 21, 2025, in version 22.7R1.4.
– ZTA Gateways: A fix is planned for April 19, 2025, in version 22.8R2.2.
The company has acknowledged that a limited number of customers’ Connect Secure and end-of-support Pulse Connect Secure appliances have been exploited. There is currently no evidence of exploitation in Policy Secure or ZTA Gateways. Ivanti recommends that customers monitor the results of the external Integrity Checker Tool (ICT) and watch for web server crashes. If ICT results indicate signs of compromise, a factory reset of the appliance is advised, followed by an update to version 22.7R2.6 before the appliance is returned to production.
In mid-March 2025, Google-owned Mandiant observed exploitation of CVE-2025-22457, leading to the deployment of sophisticated malware, including an in-memory dropper named TRAILBLAZE and a passive backdoor called BRUSHFIRE. These tools are part of the SPAWN malware suite, which includes components like SPAWNSLOTH, a log tampering utility; SPAWNSNARE, a program for extracting and encrypting the uncompressed Linux kernel image; and SPAWNWAVE, an improved version of SPAWNANT that combines various elements of the SPAWN ecosystem.
The attack chain involves a multi-stage shell script dropper executing TRAILBLAZE, which then injects BRUSHFIRE directly into the memory of a running web process to evade detection. This exploitation establishes persistent backdoor access on compromised appliances, potentially enabling credential theft, further network intrusion, and data exfiltration.
The SPAWN malware ecosystem is attributed to a China-nexus adversary tracked as UNC5221, known for leveraging zero-day flaws in Ivanti Connect Secure devices. This group shares overlaps with other threat clusters such as UNC5266, UNC5291, UNC5325, UNC5330, UNC5337, and UNC3886. According to the U.S. government, UNC5221 is also assessed to share characteristics with threat groups like APT27, Silk Typhoon, and UTA0178.
Given the severity of this vulnerability and the active exploitation by sophisticated threat actors, it is imperative for organizations using affected Ivanti products to apply the necessary patches promptly. Regular monitoring of system logs and the use of tools like Ivanti’s Integrity Checker Tool can help detect signs of compromise. In cases where exploitation is suspected, performing a factory reset and updating to the latest secure versions is strongly recommended to mitigate potential risks.