China-backed espionage group hits Ivanti customers again

Ivanti customers are confronting another string of attacks linked to an actively exploited vulnerability in the company’s VPN products. Mandiant said a nation-state backed espionage group linked to China has been exploiting the critical vulnerability, CVE-2025-22457, since mid-March.
The threat group, which Google Threat Intelligence Group tracks as UNC5221, has a knack for exploiting Ivanti products and has successfully — and repeatedly — attacked the vendor’s customers since 2023. UNC5221 previously exploited a trio of zero-day vulnerabilities, including CVE-2025-0282, CVE-2023-46805 and CVE-2024-21887.
Actively exploited software defects in Ivanti products are a consistent and recurring problem for the vendor’s customers, which have been subject to multiple attack sprees from various threat groups. Ivanti has made 15 appearances in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since early 2024, not including CVE-2025-22457.
“This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups,” Mandiant Consulting CTO Charles Carmakal said in a statement. “The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase and these actors are better than ever.”
The latest attacks involve a vulnerability in Ivanti Connect Secure for which the vendor released a patch on Feb. 11, but the company didn’t disclose the vulnerability until Thursday.
The software defect was considered low risk at the time, but UNC5221 studied the patch and found a way to exploit CVE-2025-22457 in earlier versions of the product, Mandiant said in a blog post Thursday.
“Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild,” Ivanti said in a security advisory. “We encourage all customers to ensure they are running Ivanti Connect Secure 22.7R2.6 as soon as possible, which remediates the vulnerability.”
A “limited number of customers” using Ivanti Connect Secure 22.7R2.5 or earlier versions and Pulse Connect Secure 9.1x appliances, which are no longer supported or receiving code changes, have been exploited, Ivanti said. The stack-based overflow vulnerability allows attackers to achieve remote code execution.
The vulnerability also affects Ivanti Policy Secure and Ivanti ZTA Gateways, though the vendor said it’s not aware of any exploitation in those products. Ivanti said patches for those products are in development and expected to be released later this month.
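The advisory statements above reduce to a simple exposure rule for defenders: Ivanti Connect Secure at 22.7R2.6 or later is remediated, anything from 22.7R2.5 down is exposed, and Pulse Connect Secure 9.1x is out of support and will never receive a fix. The following added example (not code from Ivanti, Mandiant or the article) turns that rule into an inventory triage script; the hostnames and the Policy Secure version string are constructed sample values, and the fixed version for Connect Secure is the one quoted from the advisory.

```python
import re

# Fixed Connect Secure build named in Ivanti's advisory (quoted on this page).
FIXED_CONNECT_SECURE = "22.7R2.6"

# Ivanti versions look like MAJOR.MINOR, optionally followed by R<release>[.<build>].
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+)(?:\.(\d+))?)?$")


def parse_version(ver: str) -> tuple[int, int, int, int]:
    """Turn '22.7R2.6' into (22, 7, 2, 6) so versions compare numerically.

    Missing release/build components are treated as 0, so '22.7R2' sorts below
    '22.7R2.1'. Plain string comparison would mis-order '22.7R2.10' vs '22.7R2.6'.
    """
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    major, minor, release, build = m.groups()
    return (int(major), int(minor), int(release or 0), int(build or 0))


def assess(product: str, ver: str) -> str:
    """Classify one appliance against the advisory as reported on this page.

    Returns one of: 'patched', 'vulnerable', 'end-of-life', 'patch-pending', 'unknown'.
    """
    if product in ("Ivanti Policy Secure", "Ivanti ZTA Gateways"):
        # The advisory says fixes are in development and names no fixed version,
        # so nothing about the running version changes the answer yet.
        return "patch-pending"
    parsed = parse_version(ver)
    if product == "Ivanti Connect Secure":
        return "patched" if parsed >= parse_version(FIXED_CONNECT_SECURE) else "vulnerable"
    if product == "Pulse Connect Secure":
        # 9.1x appliances are unsupported and receive no code changes; migrate them.
        return "end-of-life" if parsed[:2] == (9, 1) else "unknown"
    return "unknown"


# Constructed sample inventory; hostnames are hypothetical and the Policy Secure
# version string is an invented placeholder, not a value from the article.
SAMPLE_INVENTORY = [
    ("vpn-a.example", "Ivanti Connect Secure", "22.7R2.6"),
    ("vpn-b.example", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-c.example", "Ivanti Connect Secure", "22.7R2"),
    ("legacy.example", "Pulse Connect Secure", "9.1R18.9"),
    ("ips.example", "Ivanti Policy Secure", "22.7R1.3"),
]


def triage(inventory):
    """Return {hostname: status} for every (host, product, version) row."""
    return {host: assess(product, ver) for host, product, ver in inventory}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:16} {status}")
```

Feed it the product and version columns from an asset inventory or CMDB export; the output flags which Connect Secure hosts still need the 22.7R2.6 upgrade and which Pulse Connect Secure 9.1x boxes can only be retired or migrated. The numeric tuple comparison matters because string comparison would rank a hypothetical 22.7R2.10 below 22.7R2.6 and wrongly report it as exposed.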
“Network security devices and edge devices are a focus of sophisticated and highly persistent threat actors,” an Ivanti spokesperson said in an email.
“We seek to go above and beyond in providing detailed information to defenders to ensure they can take every possible step to secure their environments,” the spokesperson added. “We have continued to meaningfully expand and enhance the Ivanti Security team with highly skilled security specialists to meet the evolving needs of this landscape.”
During its investigation of post-exploitation activity, Mandiant observed UNC5221 deploying two newly identified malware families: the Trailblaze in-memory-only dropper and the Brushfire passive backdoor. Researchers also observed various Spawn malware and UNC5221’s use of a modified version of Ivanti’s Integrity Checker Tool, which allowed the group to evade detection.
“China-nexus espionage actors regularly surge their exploitation activity once they are discovered and publicly outed,” Carmakal said in a LinkedIn post. “We expect they will likely try to compromise more victims in the coming days before organizations have the opportunity to patch.”