China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability
Summary:
On April 3, 2025, Ivanti disclosed a critical stack-based buffer overflow affecting Ivanti Connect Secure (ICS) VPN appliances running version 22.7R2.5 and earlier. Tracked as CVE-2025-22457, the flaw allows unauthenticated remote code execution on the appliance. Evidence of in-the-wild exploitation dates to mid-March 2025 and covers both end-of-life ICS 9.x appliances and unpatched 22.7R2.5 appliances. Exploitation has led to the deployment of several malware families, including TRAILBLAZE (an in-memory dropper) and BRUSHFIRE (a passive backdoor). Mandiant observed a shell script launching the TRAILBLAZE dropper, which injects BRUSHFIRE into the running /home/bin/web process so that the backdoor never touches disk and evades endpoint security tooling. Exploitation of CVE-2025-22457 has also led to the deployment of the SPAWN malware ecosystem, including SPAWNSLOTH, SPAWNSNARE, and SPAWNWAVE, which respectively tamper with logs, extract and encrypt sensitive data, and provide backdoor access to the attackers.
Security Officer Comments:
The Google Threat Intelligence Group (GTIG) attributes the exploitation of CVE-2025-22457 and the subsequent deployment of the SPAWN malware ecosystem to UNC5221, a suspected China-nexus espionage group. UNC5221 has a history of exploiting zero-day vulnerabilities in edge devices, including CVE-2025-0282, CVE-2023-46805, CVE-2024-21887, and CVE-2023-4966. The group fields a range of tooling, from passive backdoors to trojanized appliance components, and masks its operations by routing activity through compromised devices such as Cyberoam appliances, QNAP devices, and ASUS routers. As in earlier UNC5221 intrusions, the latest attacks also attempted to modify the Integrity Checker Tool (ICT) so that a compromised appliance would still report clean. GTIG assesses that UNC5221 will keep exploiting edge devices with both zero-day and n-day vulnerabilities given its record of success, so the threat this group poses to appliance-based perimeters is persistent.
Suggested Corrections:
Mandiant recommends that organizations immediately upgrade Ivanti Connect Secure (ICS) appliances to version 22.7R2.6 or later, which addresses CVE-2025-22457; that fix shipped in February 2025, before exploitation was observed, so any appliance still on 22.7R2.5 or earlier should be treated as exposed, and end-of-life 9.x appliances need to be migrated rather than patched. Organizations should run both the external and the internal Integrity Checker Tool (ICT) and contact Ivanti Support if suspicious activity is identified; because UNC5221 has tampered with the ICT itself, the external ICT result should be weighed more heavily than the internal one. To supplement this, defenders should monitor for core dumps related to the web process (a side effect of failed exploitation attempts), investigate ICT statedump files, and perform anomaly detection on the client TLS certificates presented to the appliance.
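The third recommendation above, anomaly detection on client TLS certificates, is stated without detail. The following is an added example, not code from the Google/Mandiant write-up or from Ivanti: it baselines the certificates an appliance has seen and flags new ones that are self-signed, come from an issuer outside the enterprise CA set, reuse a known subject under a different fingerprint, or are presented from an unusual number of source addresses. The tab-separated export format (timestamp, source IP, fingerprint, subject, issuer), the trusted-issuer set, and the sample records are all assumptions constructed for the example; a real deployment would feed it from whatever client-certificate logging the appliance or a front-end proxy actually provides.

```python
"""Baseline-and-flag check for client TLS certificates presented to a VPN appliance.

Added example; not from the Google/Mandiant report. The export format below is
an assumption: one record per line, tab-separated as
    <ISO timestamp> <source IP> <cert fingerprint> <subject DN> <issuer DN>
All sample records are constructed for illustration.
"""
from collections import defaultdict

# Assumed enterprise CA(s) that are allowed to issue client certificates.
TRUSTED_ISSUERS = {"CN=Corp Device CA,O=Example Corp"}
# A single device certificate presented from more than this many source IPs
# within one window is suspicious (stolen or minted cert reused by an actor).
MAX_SOURCES_PER_CERT = 3

# Constructed baseline: what the appliance saw during a known-clean period.
BASELINE_EXPORT = """\
2025-03-01T08:00:00Z\t10.1.2.3\tsha256:a1\tCN=laptop-001,O=Example Corp\tCN=Corp Device CA,O=Example Corp
2025-03-01T08:05:00Z\t10.1.2.4\tsha256:b2\tCN=laptop-002,O=Example Corp\tCN=Corp Device CA,O=Example Corp
2025-03-02T09:10:00Z\t10.1.2.5\tsha256:c3\tCN=laptop-003,O=Example Corp\tCN=Corp Device CA,O=Example Corp
"""

# Constructed detection window: two benign returns plus two suspicious certs.
WINDOW_EXPORT = """\
2025-03-20T01:00:00Z\t10.1.2.3\tsha256:a1\tCN=laptop-001,O=Example Corp\tCN=Corp Device CA,O=Example Corp
2025-03-20T01:02:00Z\t198.51.100.7\tsha256:d4\tCN=test\tCN=test
2025-03-20T01:03:00Z\t198.51.100.8\tsha256:e5\tCN=laptop-002,O=Example Corp\tCN=Corp Device CA,O=Example Corp
2025-03-20T01:04:00Z\t203.0.113.9\tsha256:e5\tCN=laptop-002,O=Example Corp\tCN=Corp Device CA,O=Example Corp
2025-03-20T01:05:00Z\t203.0.113.10\tsha256:e5\tCN=laptop-002,O=Example Corp\tCN=Corp Device CA,O=Example Corp
2025-03-20T01:06:00Z\t203.0.113.11\tsha256:e5\tCN=laptop-002,O=Example Corp\tCN=Corp Device CA,O=Example Corp
2025-03-20T01:07:00Z\t10.1.2.4\tsha256:b2\tCN=laptop-002,O=Example Corp\tCN=Corp Device CA,O=Example Corp
"""


def parse_export(text):
    """Parse the assumed tab-separated export into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, fp, subject, issuer = line.split("\t")
        records.append({"ts": ts, "src": src, "fp": fp, "subject": subject, "issuer": issuer})
    return records


def build_baseline(records):
    """Remember every fingerprint seen and which fingerprints each subject used."""
    fps = set()
    subject_to_fps = defaultdict(set)
    for r in records:
        fps.add(r["fp"])
        subject_to_fps[r["subject"]].add(r["fp"])
    return {"fps": fps, "subjects": dict(subject_to_fps)}


def find_anomalies(records, baseline, trusted_issuers=TRUSTED_ISSUERS,
                   max_sources=MAX_SOURCES_PER_CERT):
    """Return {fingerprint: finding} for certificates that trip any rule."""
    sources_by_fp = defaultdict(set)
    for r in records:
        sources_by_fp[r["fp"]].add(r["src"])

    findings = {}
    for r in records:
        reasons = set()
        if r["issuer"] not in trusted_issuers:
            reasons.add("untrusted_issuer")
        if r["issuer"] == r["subject"]:
            reasons.add("self_signed")
        if r["fp"] not in baseline["fps"]:
            reasons.add("new_fingerprint")
        known_fps = baseline["subjects"].get(r["subject"])
        if known_fps and r["fp"] not in known_fps:
            reasons.add("subject_reissued")  # known identity, unexpected cert
        if len(sources_by_fp[r["fp"]]) > max_sources:
            reasons.add("shared_from_many_sources")
        if not reasons:
            continue
        f = findings.setdefault(r["fp"], {"fp": r["fp"], "subject": r["subject"],
                                          "sources": sorted(sources_by_fp[r["fp"]]),
                                          "reasons": set()})
        f["reasons"] |= reasons
    for f in findings.values():
        f["reasons"] = sorted(f["reasons"])
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_export(BASELINE_EXPORT))
    for f in find_anomalies(parse_export(WINDOW_EXPORT), baseline).values():
        print(f["fp"], f["subject"], ", ".join(f["reasons"]), "from", f["sources"])
```

A "new_fingerprint" on its own is normal churn (device enrolment), which is why it is reported alongside the other reasons rather than alerted on alone; the combinations worth paging on are a self-signed or untrusted-issuer certificate reaching the appliance at all, and a known subject reappearing under a new fingerprint from addresses outside the corporate ranges.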
Link(s):
https://cloud.google.com/blog/topic...exus-exploiting-critical-ivanti-vulnerability