Chinese Hackers Exploit Ivanti VPN Vulnerability to Deliver Malware Payloads

Ivanti disclosed a critical security vulnerability, CVE-2025-22457, affecting its Connect Secure (ICS) VPN appliances, particularly versions 22.7R2.5 and earlier.

This buffer overflow vulnerability enables attackers to achieve remote code execution when exploited successfully.

Security researchers from Mandiant and Ivanti have confirmed active exploitation of this vulnerability in the wild, targeting ICS 9.X (end-of-life) and earlier versions.

The exploitation has been attributed to UNC5221, a suspected China-nexus espionage group known for its sophisticated cyber operations and history of exploiting zero-day vulnerabilities.

The earliest signs of exploitation were observed in mid-March 2025, with attackers deploying two newly identified malware families, TRAILBLAZE and BRUSHFIRE, alongside the previously reported SPAWN malware ecosystem.

These tools are designed for espionage and stealthy persistence, enabling attackers to evade detection while maintaining access to compromised systems.

Technical Details of the Exploitation

CVE-2025-22457 was initially assessed as a low-risk denial-of-service vulnerability due to its limited character space.

However, attackers appear to have studied the patch released in February 2025 (ICS version 22.7R2.6) and discovered a complex method to exploit earlier versions for remote code execution.

Following successful exploitation, a shell script dropper is used to execute the TRAILBLAZE in-memory dropper, which injects the BRUSHFIRE passive backdoor into running processes.

This sequence creates temporary files containing process metadata before deleting them to avoid detection.

The dropper operates in a non-persistent manner, requiring re-execution after system reboot.

TRAILBLAZE is a lightweight dropper written in bare C that uses raw syscalls for minimal footprint.

It injects hooks into targeted processes and deploys the BRUSHFIRE backdoor.

BRUSHFIRE, also written in bare C, functions as an SSL_read hook that decrypts and executes shellcode embedded in incoming data streams. If successful, it sends responses back via SSL_write.

Additionally, attackers deployed components from the SPAWN malware ecosystem, including SPAWNSLOTH (log tampering utility), SPAWNSNARE (kernel image extractor and encryptor), and SPAWNWAVE (an evolved implant utility combining features from other SPAWN malware).

These tools demonstrate advanced capabilities for tampering with logs, extracting kernel images, and maintaining stealthy persistence on compromised devices.

Attribution and Broader Implications

The exploitation campaign has been attributed to UNC5221 by Google Threat Intelligence Group (GTIG).

UNC5221 has previously targeted edge devices using zero-day vulnerabilities such as CVE-2023-46805 and CVE-2024-21887.

Their operations span multiple countries and industries, leveraging an extensive toolkit that includes passive backdoors and trojanized legitimate components.

UNC5221’s consistent focus on edge devices underscores their strategic emphasis on exploiting critical infrastructure vulnerabilities.

Their ability to uncover complex exploitation methods highlights their technical expertise and operational tempo.

GTIG anticipates continued efforts by UNC5221 to exploit both zero-day and n-day vulnerabilities on edge devices globally.

To address CVE-2025-22457, Ivanti has released patches for ICS appliances, urging customers to upgrade to version 22.7R2.6 or later immediately.

Organizations are advised to use Ivanti’s Integrity Checker Tool (ICT) for anomaly detection and investigate suspicious activity related to core dumps or TLS certificates presented to appliances.

Active monitoring of systems and timely application of security patches remain critical defenses against such advanced threats.
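The remediation guidance above boils down to one check per appliance: is the running Connect Secure build at 22.7R2.6 or later? The following added example (not code from Ivanti or from this article) parses ICS version strings of the form `22.7R2.5` and triages an inventory against that threshold; the CSV layout of the inventory and the treatment of any line older than 22.x as end-of-life are assumptions.

```python
import re
from typing import Dict, Iterable, Tuple

# ICS version strings look like "22.7R2.5" or "9.1R18.9": major.minor R release[.build]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# First fixed version named in the advisory for CVE-2025-22457.
PATCHED_VERSION = "22.7R2.6"


def parse_ics_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5) so tuples compare numerically.
    A missing build number counts as 0 (so '22.7R3' sorts above '22.7R2.6')."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ICS version string: {version!r}")
    major, minor, release, build = m.groups()
    return (int(major), int(minor), int(release), int(build or 0))


def assess_ics_version(version: str) -> str:
    """Classify one appliance: 'patched', 'vulnerable' or 'end-of-life'."""
    parsed = parse_ics_version(version)
    # Assumption: anything older than the 22.x line (e.g. the 9.x builds the
    # article says were targeted) is end-of-life and has no patch to apply;
    # it needs migration rather than an upgrade within the same line.
    if parsed[0] < 22:
        return "end-of-life"
    if parsed >= parse_ics_version(PATCHED_VERSION):
        return "patched"
    return "vulnerable"


def triage_inventory(lines: Iterable[str]) -> Dict[str, str]:
    """Map hostname -> status for constructed 'hostname,version' CSV lines;
    unparsable versions are reported as 'unknown' rather than skipped."""
    result: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            result[host.strip()] = assess_ics_version(version)
        except ValueError:
            result[host.strip()] = "unknown"
    return result


# Constructed sample inventory, not real appliances.
SAMPLE_INVENTORY = [
    "# hostname,ics_version",
    "vpn-a.example,22.7R2.5",
    "vpn-b.example,22.7R2.6",
    "vpn-c.example,9.1R18.9",
    "vpn-d.example,22.6R2.3",
    "vpn-e.example,not-a-version",
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Appliances reported as vulnerable or end-of-life are the ones to run the Integrity Checker Tool against and to review for the core-dump and TLS-certificate anomalies mentioned above.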

Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
