
Critical Ivanti Connect Secure Vulnerability Under Active Exploitation by Chinese Hackers


A critical security vulnerability in Ivanti Connect Secure VPN appliances (CVE-2025-22457) is being actively exploited by suspected Chinese state-sponsored hackers, according to recent reports from watchTowr and Google’s Mandiant security team.

The vulnerability, initially classified as low-risk when patched in February 2025, is now confirmed to allow remote code execution through a simple buffer overflow attack that can be triggered by manipulating the X-Forwarded-For HTTP header with a string of numbers and periods.

The flaw affects Ivanti Connect Secure versions 22.7R2.5 and earlier, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2. According to watchTowr’s analysis, the exploitation process is surprisingly simple:

“This is an incredibly simple request, and it is somewhat surprising that Ivanti didn’t find the vulnerability during routine fuzz testing. One would imagine that even the most basic of HTTP fuzzers would cause a crash,” the watchTowr report states.

Ivanti initially believed the vulnerability was unexploitable for remote code execution because the payload can only contain digits and periods. However, sophisticated attackers proved this assessment wrong, with evidence of active exploitation dating back to mid-March 2025.

Attribution and Post-Exploitation Activities

Mandiant attributes the attacks to UNC5221, a suspected China-nexus espionage actor previously linked to zero-day exploitations of edge devices since 2023. After successful exploitation, the attackers deploy several malware families, including:

  • TRAILBLAZE: An in-memory dropper that uses raw syscalls to maintain a minimal footprint
  • BRUSHFIRE: A passive backdoor that hooks into SSL_read functions
  • SPAWN ecosystem: Previously documented malware, including SPAWNSLOTH, SPAWNSNARE, and SPAWNWAVE components

The attackers also modify the Integrity Checker Tool (ICT) to evade detection and attempt to ensure persistence across the victim’s network.

Delayed Discovery and Response

What makes this vulnerability particularly concerning is how Ivanti initially misidentified it as a low-priority issue.

According to the watchTowr report, Ivanti stated:

“The vulnerability is a buffer overflow with characters limited to periods and numbers; it was evaluated and determined not to be exploitable as remote code execution and didn’t meet the requirements for denial of service.”

This assessment proved incorrect when threat actors reverse-engineered the February 2025 patch and developed a viable exploitation technique. The earliest observed attacks occurred in mid-March, giving attackers several weeks of opportunity before public disclosure on April 3, 2025.

Recommendations for Organizations

Security experts recommend organizations take immediate action:

  1. Upgrade Ivanti Connect Secure appliances to version 22.7R2.6 or later
  2. Use both external and internal Integrity Checker Tools (ICT) to identify suspicious activity
  3. Monitor for core dumps related to the web process
  4. Investigate ICT statedump files
  5. Conduct anomaly detection of client TLS certificates presented to the appliance
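As a detection aid that complements the monitoring steps above, here is an added example (not code from the article, watchTowr, Ivanti or Mandiant) that scans proxy access-log lines for X-Forwarded-For values of the shape the article describes: strings made only of digits and periods that are not valid IP literals, or values that are abnormally long. The log format, the `xff=` field name, the sample lines and the length threshold are all assumptions.

```python
import ipaddress
import re

# Constructed sample of access-log lines from a reverse proxy in front of a VPN
# appliance (not real telemetry): "<client> <method> <path> xff=<header value>".
SAMPLE_LOG = """\
10.0.0.5 GET /vpn/login xff=203.0.113.7
10.0.0.5 GET /vpn/login xff=203.0.113.7, 198.51.100.2
10.0.0.9 GET /vpn/login xff=1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1
10.0.0.9 GET /vpn/login xff=333333333333333333333333333333333333333333333
10.0.0.3 GET /vpn/login xff=2001:db8::1
10.0.0.4 GET /vpn/login xff=unknown
"""

XFF_RE = re.compile(r"xff=(?P<xff>.*)$")      # assumed log field layout
DIGITS_DOTS_RE = re.compile(r"[0-9.]+")        # the character set the article names
MAX_XFF_LEN = 256   # assumption: tune to the longest legitimate chain in your environment


def classify_xff(value: str) -> str:
    """Classify one X-Forwarded-For header value as 'ok', 'malformed' or 'suspicious'.

    A well-formed header is a comma-separated list of IP literals. A comma-separated
    element that consists only of digits and periods yet does not parse as an IP
    address, or a value longer than MAX_XFF_LEN, is flagged 'suspicious'. Anything
    else that fails to parse (e.g. the token 'unknown') is merely 'malformed'.
    """
    if len(value) > MAX_XFF_LEN:
        return "suspicious"
    verdict = "ok"
    for part in value.split(","):
        part = part.strip()
        try:
            ipaddress.ip_address(part)   # accepts valid IPv4 and IPv6 literals
            continue
        except ValueError:
            pass
        if DIGITS_DOTS_RE.fullmatch(part):
            return "suspicious"          # digits-and-periods string that is not an IP
        verdict = "malformed"
    return verdict


def scan_log(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, client_ip, verdict) for every line whose XFF is not 'ok'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = XFF_RE.search(line)
        if match is None:
            continue
        verdict = classify_xff(match.group("xff"))
        if verdict != "ok":
            findings.append((lineno, line.split()[0], verdict))
    return findings
```

Suspicious hits from the sample are lines 3 and 4; the `unknown` token on line 6 is reported only as malformed so that it can be triaged separately.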

Mandiant’s security team warns that UNC5221 will likely continue pursuing zero-day exploitation of edge devices “based on their consistent history of success and aggressive operational tempo.”

“This campaign, exploiting the n-day vulnerability CVE-2025-22457, also highlights the persistent focus of actors like UNC5221 on edge devices, leveraging deep device knowledge and adding to their history of using both zero-day and now n-day flaws,” Mandiant researchers noted in their report.

Organizations using affected Ivanti products should prioritize patching immediately, as exploitation activity is expected to increase following public disclosure.
