Ethical Hacking News
A critical vulnerability in Ivanti's Connect Secure products has been exploited in the wild, leaving numerous organizations vulnerable to attack. A China-nexus adversary has been linked to the exploitation of CVE-2025-22457, a stack-based buffer overflow that can execute arbitrary code on affected systems.
Critical vulnerabilities have been exposed in Ivanti's Connect Secure products, leaving many organizations open to exploitation. A stack-based buffer overflow (CVE-2025-22457) has already been actively exploited in the wild by remote unauthenticated attackers against Ivanti Connect Secure, Pulse Connect Secure, and ZTA Gateways. The exploitation activity is designed to establish persistent backdoor access, potentially enabling credential theft, further network intrusion, and data exfiltration.
A recent alert from Ivanti has confirmed that the vulnerability in its Connect Secure products has already been actively exploited in the wild.
The vulnerability, tracked as CVE-2025-22457 (CVSS score: 9.0), is a stack-based buffer overflow that could be exploited to execute arbitrary code on affected systems. The issue is severe because it allows remote unauthenticated attackers to achieve remote code execution on vulnerable devices.
Ivanti has disclosed the details of this vulnerability and has released an alert to inform customers about the potential threat. The company stated that this vulnerability affects several of its products, including Connect Secure, Pulse Connect Secure, and ZTA Gateways.
The affected products and versions are as follows:
- Ivanti Connect Secure (versions 22.7R2.5 and prior) - Fixed in version 22.7R2.6 (Patch released on February 11, 2025)
- Pulse Connect Secure (versions 9.1R18.9 and prior) - Fixed in version 22.7R2.6 (Contact Ivanti to migrate, as the device reached end-of-support on December 31, 2024)
- Ivanti Policy Secure (versions 22.7R1.3 and prior) - Fixed in version 22.7R1.4 (To be available on April 21)
- ZTA Gateways (versions 22.8R2 and prior) - Fixed in version 22.8R2.2 (To be available on April 19)
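As an added example (not from the article or from Ivanti), the following Python helper turns the list above into an inventory triage check. It parses Ivanti's `22.7R2.5` / `22.8R2` version format into numeric tuples so that comparisons are not done as strings (where `22.7R2.10` would wrongly sort below `22.7R2.9`), flags anything below the fixed version as vulnerable, and marks the end-of-support Pulse Connect Secure branch for migration rather than patching. The hostnames and the inventory lines are constructed for the example; the fixed versions are the ones the list states.

```python
"""Added example: triage an appliance inventory against the CVE-2025-22457 fixed versions."""
import re
from typing import List, Tuple

# Fixed versions exactly as the advisory list above states them. Pulse Connect Secure
# has no in-branch fix (end-of-support since December 31, 2024), so it is handled
# separately: every version of it is flagged for migration.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.4",
    "ZTA Gateways": "22.8R2.2",
}
END_OF_SUPPORT = {"Pulse Connect Secure"}

# Ivanti version strings look like 22.7R2.5 or 22.8R2 (the trailing patch component is optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5) so versions compare numerically, not as strings.

    A missing patch component ('22.8R2') is treated as 0, so 22.8R2 sorts below 22.8R2.2.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(product: str, version: str) -> str:
    """Classify one appliance as 'patched', 'vulnerable' or 'migrate' for CVE-2025-22457."""
    if product in END_OF_SUPPORT:
        return "migrate"  # no fix for this branch; the advisory says to contact Ivanti
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    # "<fixed> and prior" are vulnerable: anything below the fixed version is flagged.
    return "patched" if parse_version(version) >= parse_version(fixed) else "vulnerable"


# Constructed sample inventory: hostnames are made up for the example.
SAMPLE_INVENTORY = """\
host,product,version
vpn-edge-01,Ivanti Connect Secure,22.7R2.5
vpn-edge-02,Ivanti Connect Secure,22.7R2.6
legacy-vpn,Pulse Connect Secure,9.1R18.9
nac-01,Ivanti Policy Secure,22.7R1.3
zta-gw-01,ZTA Gateways,22.8R2
"""


def triage(inventory_csv: str) -> List[Tuple[str, str]]:
    """Return (host, status) for every appliance in a 'host,product,version' CSV."""
    results = []
    for line in inventory_csv.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        host, product, version = (field.strip() for field in line.split(","))
        results.append((host, assess(product, version)))
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```

Note that a "patched" result only says the running version is at or above the fixed one; it does not say the appliance was never compromised while it was vulnerable, which is why the integrity check and factory-reset guidance later in the article still applies.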
The exploitation of this vulnerability has been attributed to a China-nexus adversary tracked as UNC5221. This group is known for its repeated exploitation of edge devices with zero-day vulnerabilities.
Google-owned Mandiant has also observed evidence of the exploitation of CVE-2025-22457 in mid-March 2025. The threat actors used a multi-stage shell script dropper to execute TRAILBLAZE, which then injected BRUSHFIRE directly into the memory of a running web process to sidestep detection.
The TRAILBLAZE and BRUSHFIRE malware has been linked to the same China-nexus adversary, UNC5221, which has also been associated with other clusters such as UNC5266, UNC5291, UNC5325, UNC5330, UNC5337, and UNC3886.
The exploitation activity is designed to establish persistent backdoor access on compromised appliances, potentially enabling credential theft, further network intrusion, and data exfiltration.
Dan Perez, China Mission Technical Lead at Google Threat Intelligence Group, stated that Mandiant tracks UNC5221 as a cluster of activity that has repeatedly exploited edge devices with zero-day vulnerabilities. He noted that a link between this cluster and APT27 is plausible, but that Mandiant does not have independent evidence to confirm it.
Mandiant further theorized that the threat actor likely analyzed the February patch released by Ivanti and figured out a way to exploit prior versions in order to achieve remote code execution against unpatched systems. This marks the first time UNC5221 has been attributed to the N-day exploitation of a security flaw in Ivanti devices.
"This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups," Charles Carmakal, Mandiant Consulting CTO, said.
"These actors will continue to research security vulnerabilities and develop custom malware for enterprise systems that don't support EDR solutions. The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase and these actors are better than ever."
In conclusion, the exploitation of Ivanti Connect Secure vulnerabilities shows that edge devices remain a primary target. Organizations should monitor their external Integrity Checker Tool (ICT) results closely and perform factory resets on affected appliances whenever signs of compromise appear.
Customers should also apply the latest security patches released by Ivanti, which protect against this attack. Keeping software up to date and implementing robust security measures remain essential to preventing exploitation.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Global-Cybersecurity-Crisis-The-Exploitation-of-Ivanti-Connect-Secure-Vulnerabilities-ehn.shtml
Published: Fri Apr 4 01:53:26 2025 by llama3.2 3B Q4_K_M