Chinese APT Exploits Ivanti CVE-2025-22457 with Malware

A newly disclosed vulnerability in Ivanti Connect Secure (ICS) VPN appliances has been weaponized in the wild by a Chinese nation-state threat actor, UNC5221. Tracked as CVE-2025-22457, this critical stack-based buffer overflow vulnerability allows unauthenticated remote attackers to execute arbitrary code, posing a significant risk to enterprise networks.

CVE-2025-22457: Critical Buffer Overflow Vulnerability

Ivanti’s Connect Secure VPN, along with Ivanti Policy Secure and ZTA Gateways, are affected by a stack-based buffer overflow vulnerability that received a CVSS score of 9.0 (Critical). The flaw affects versions prior to:

Ivanti released a patch for this vulnerability on February 11, 2025, with the recommendation that customers immediately update to the latest secure versions. Legacy ICS 9.x versions, which are now end-of-support, remain vulnerable and are being actively exploited.

Active Exploitation by UNC5221

Chinese-linked espionage group UNC5221 is actively exploiting CVE-2025-22457. The attacks began in mid-March 2025, with threat actors leveraging this vulnerability to deploy a suite of custom malware tailored for stealth and persistence.

Emerging Malware Ecosystem: TRAILBLAZE, BRUSHFIRE, and SPAWN

Following successful exploitation, the attackers deploy two newly identified malware families:

TRAILBLAZE:
A memory-resident dropper designed to evade traditional detection methods. It injects a stealth backdoor into legitimate ICS processes.

TRAILBLAZE:

BRUSHFIRE:

A passive SSL_read hook backdoor that activates only when specific encrypted strings are received, allowing covert shellcode execution.

In addition, the attackers introduced a modular malware framework dubbed SPAWN, which consists of several specialized components:

SPAWNSLOTH:

Disables logging by targeting the dslogserver process, affecting both local logs and remote syslog forwarding.

MITRE Techniques:

SPAWNSNARE:

A utility that extracts and encrypts Linux kernel images using AES.

MITRE Techniques:

SPAWNWAVE:

A powerful hybrid component combining features from SPAWNSLOTH, SPAWNSNARE, and BRUSHFIRE to maintain stealth and control over compromised systems. These tools work in concert to establish long-term persistence and evade detection, even across system reboots.

MITRE Techniques:

Indicators of Compromise (IOCs)

Below is a compilation of observed IOCs linked to the exploitation of CVE-2025-22457 by UNC5221 and the deployment of TRAILBLAZE, BRUSHFIRE, and SPAWN malware components.

File and Process Artifacts

Network Indicators

SSL Hook Behavior (BRUSHFIRE)

Detection Rules (Example YARA)

Affected Products and Patches

Recommended Actions

Organizations using Ivanti Connect Secure or related products should:

Conclusion

The exploitation of CVE-2025-22457 highlights the growing sophistication of state-backed actors and the critical importance of timely patch management. Organizations relying on Ivanti products must treat this vulnerability as a top-priority threat and take swift action to mitigate risk.

MD5

SHA256

About us!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.