Recent cybersecurity assessments have revealed that over 5,113 Ivanti Connect Secure (ICS) VPN appliances are still unpatched and susceptible to active exploitation of a critical vulnerability, CVE-2025-22457. This stack-based buffer overflow flaw enables unauthenticated remote code execution (RCE), posing a significant threat to organizations worldwide.
Global Exposure and Active Exploitation
The Shadowserver Foundation’s scans have identified these vulnerable devices across multiple countries, including the United States, Japan, China, and Australia. The widespread nature of this exposure underscores the urgency for immediate remediation efforts.
CVE-2025-22457, assigned a CVSS score of 9.0, affects several Ivanti products:
– Ivanti Connect Secure: Versions 22.7R2.5 and prior
– Pulse Connect Secure: Versions 9.1R18.9 and prior (End-of-Support as of December 31, 2024)
– Ivanti Policy Secure: Versions 22.7R1.3 and prior
– ZTA Gateways: Versions 22.8R2 and prior
Initially patched on February 11, 2025, the vulnerability was later found to be exploitable through sophisticated means, with evidence of active exploitation dating back to mid-March 2025. Ivanti’s advisory highlighted the complexity of the exploit, noting that the buffer overflow was initially deemed non-exploitable due to character limitations but was later reassessed as a critical threat.
Nation-State Involvement and Malware Deployment
Security researchers at Google’s Mandiant have attributed the exploitation of CVE-2025-22457 to UNC5221, a suspected China-nexus threat actor known for targeting edge devices. Post-exploitation, two new malware families have been observed:
– TRAILBLAZE: An in-memory dropper used during the initial infection stage.
– BRUSHFIRE: A passive backdoor designed for persistent access and espionage.
These tools enable attackers to maintain long-term access to compromised networks, facilitating data exfiltration and intelligence gathering. The campaign has reportedly targeted organizations across multiple countries and sectors.
Recommendations and Mitigation Strategies
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-22457 to its Known Exploited Vulnerabilities Catalog, urging federal agencies and organizations to take immediate action. Recommended steps include:
1. Conducting Threat Hunting: Utilize Ivanti’s Integrity Checker Tool (ICT) to detect signs of compromise.
2. Performing a Factory Reset: For the highest level of confidence in remediation, a factory reset is advised.
3. Applying Patches Promptly: Update to the latest firmware version (Ivanti Connect Secure 22.7R2.6) to mitigate the vulnerability.
4. Monitoring for Indicators of Compromise (IoCs): Stay vigilant for unusual network activity or unauthorized access attempts.
Organizations are strongly encouraged to follow these recommendations to protect their networks from potential exploitation. The widespread exposure of vulnerable instances highlights the critical need for robust patch management and proactive monitoring.
