Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025.

While Ivanti has yet to disclose more details regarding CVE-2025-22457 attacks, Mandiant and Google Threat Intelligence Group (GTIG) security researchers revealed today that a suspected China-nexus espionage actor tracked as UNC5221 has exploited the vulnerability since at least mid-March 2025.

"The vulnerability is a buffer overflow with characters limited to periods and numbers, it was evaluated and determined not to be exploitable as remote code execution and didn't meet the requirements of denial of service," Ivanti said on Thursday. "However, Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild."

The company patched the vulnerability on February 11, 2025, with the release of Ivanti Connect Secure 22.7R2.6 after initially tagging it as a product bug. It impacts Pulse Connect Secure 9.1x (which reached end-of-support in December), Ivanti Connect Secure 22.7R2.5 and earlier, Policy Secure, and Neurons for ZTA gateways.

UNC5221 is known for targeting zero-day vulnerabilities in network edge devices since 2023, including various Ivanti and NetScaler appliances. Most recently, the Chinese hackers exploited CVE-2025-0282, another Ivanti Connect Secure buffer overflow, to drop new Dryhook and Phasejam malware on compromised VPN appliances.

One year ago, the hacking group also chained two Connect Secure and Policy Secure zero-days (CVE-2023-46805 and CVE-2024-21887) to remotely execute arbitrary commands on targeted ICS VPN and IPS network access control (NAC) appliances. Threat intelligence company Volexity said in January 2024 that UNC5221 had backdoored over 2,100 Ivanti appliances using the GIFTEDVISITOR webshell in attacks chaining the two zero-days.

As CISA and the FBI warned in January 2025, attackers are still breaching vulnerable networks using exploits targeting Ivanti Cloud Service Appliances (CSA) security vulnerabilities patched since September. Multiple other Ivanti security flaws have been exploited as zero-days over the last year in widespread attacks against the company's VPN appliances and ICS, IPS, and ZTA gateways.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 03 Apr 2025 17:45:22 +0000