A critical vulnerability, CVE-2025-22457, has been identified in Ivanti Connect Secure (ICS), Pulse Connect Secure (PCS), Ivanti Policy Secure, and ZTA Gateways. This stack-based buffer overflow allows remote, unauthenticated attackers to execute arbitrary code on affected devices. The flaw is currently being actively exploited by a suspected Chinese advanced persistent threat (APT) group, UNC5221, to deploy custom malware families, TRAILBLAZE and BRUSHFIRE, facilitating persistent access and deep network intrusion.
Vulnerability Details:
- CVE ID: CVE-2025-22457
- CVSS Score: 9.0 (Critical)
- Affected Products:
  - Ivanti Connect Secure (ICS) versions 22.7R2.5 and earlier
  - Pulse Connect Secure (PCS) versions 9.1R18.9 and earlier (End-of-Support as of December 31, 2024)
  - Ivanti Policy Secure versions 22.7R1.3 and earlier
  - ZTA Gateways versions 22.8R2 and earlier
- Vulnerability Type: Stack-Based Buffer Overflow → Remote Code Execution (RCE)
- Exploitation Status: Actively Exploited in the Wild
Exploitation Mechanics:
The vulnerability resides in the way affected Ivanti products handle specific inputs, leading to a stack-based buffer overflow. By sending specially crafted requests, attackers can overwrite critical memory regions, allowing for the execution of arbitrary code with elevated privileges. This exploitation does not require authentication, making it particularly severe for internet-exposed devices.
Malware Deployed via Exploitation:
- TRAILBLAZE
  - Type: In-memory dropper
  - Functionality:
    - Injects the BRUSHFIRE backdoor directly into the memory of running processes to evade detection.
- BRUSHFIRE
  - Type: Passive backdoor
  - Functionality:
    - Provides persistent access to compromised devices.
    - Facilitates credential theft and further network intrusion.
Impact:
- Unauthenticated Remote Code Execution:
  - Attackers can gain full control of the affected device without needing valid credentials.
- Deployment of Persistent Malware:
  - Successful exploitation allows for the installation of TRAILBLAZE and BRUSHFIRE malware, ensuring long-term access and control.
- Credential Theft and Network Compromise:
  - The deployed malware enables attackers to harvest sensitive information, including credentials, and facilitates lateral movement within the network.
Mitigation Recommendations:
- Immediate Patching:
  - Ivanti Connect Secure (ICS):
    - Upgrade to version 22.7R2.6 or later.
  - Pulse Connect Secure (PCS):
    - As PCS 9.x has reached end-of-support, contact Ivanti for assistance in migrating to a supported platform.
  - Ivanti Policy Secure:
    - Upgrade to version 22.7R1.4, available from April 21, 2025.
  - ZTA Gateways:
    - Upgrade to version 22.8R2.2, available from April 19, 2025.
- Detection and Monitoring:
  - Integrity Checker Tool (ICT):
    - Run Ivanti's external ICT to detect signs of compromise.
  - Monitor for web server crashes and unexpected core dumps related to web processes.
  - Log Analysis:
    - Review logs for anomalies, especially related to web processes and authentication events.
- Incident Response:
  - If signs of compromise are detected:
    - Perform a factory reset on the appliance.
    - Reconfigure the device using the updated, patched version.
- Network Segmentation and Access Control:
  - Restrict access to management interfaces of affected devices to trusted networks only.
  - Implement robust network segmentation to limit potential lateral movement by attackers.
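As an added triage helper that is not part of the original bulletin, the following Python script checks an appliance inventory against the affected and fixed versions listed above. It assumes the MAJOR.MINOR R RELEASE[.PATCH] version format shown in the advisory (anything else is rejected rather than guessed), treats Pulse Connect Secure 9.x as unpatchable because it is end-of-support, and uses constructed hostnames.

```python
import re
from typing import NamedTuple, Optional

# Ivanti-style version strings as written in the advisory, e.g. "22.7R2.5" or "22.8R2".
# Assumption: MAJOR.MINOR "R" RELEASE [ "." PATCH ]; a missing PATCH is treated as 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn an Ivanti version string into a comparable tuple; reject unknown formats."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

# First fixed version per product, taken from the advisory above.
# None means no patched build exists (PCS 9.x is end-of-support and must be migrated).
FIXED_VERSIONS: dict[str, Optional[str]] = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Pulse Connect Secure": None,
    "Ivanti Policy Secure": "22.7R1.4",
    "ZTA Gateways": "22.8R2.2",
}

class Finding(NamedTuple):
    host: str
    product: str
    version: str
    status: str  # "patched", "vulnerable", "unsupported" or "unknown-product"

def assess(host: str, product: str, version: str) -> Finding:
    """Classify one appliance; anything below the first fixed build is vulnerable."""
    fixed = FIXED_VERSIONS.get(product, "unknown")
    if fixed == "unknown":
        return Finding(host, product, version, "unknown-product")
    if fixed is None:
        return Finding(host, product, version, "unsupported")
    status = "patched" if parse_version(version) >= parse_version(fixed) else "vulnerable"
    return Finding(host, product, version, status)

# Constructed sample inventory (hostnames are placeholders, not real systems).
SAMPLE_INVENTORY = [
    ("vpn-1.example.test", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-2.example.test", "Ivanti Connect Secure", "22.7R2.6"),
    ("legacy-vpn.example.test", "Pulse Connect Secure", "9.1R18.9"),
    ("nac.example.test", "Ivanti Policy Secure", "22.7R1.3"),
    ("zta-gw.example.test", "ZTA Gateways", "22.8R2"),
]

def triage(inventory) -> list[Finding]:
    return [assess(*row) for row in inventory]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:26} {f.product:24} {f.version:10} {f.status}")
```

A "patched" result only says the build is at or above the first fixed release; a device that was exposed before patching still needs the ICT and log review described above.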
Vendor and Security Community Recommendations:
- Ivanti:
  - Released patches and mitigation guidance for affected products.
  - Advises immediate application of updates and monitoring using the ICT.
- Mandiant (Google):
  - Attributes exploitation to UNC5221, a suspected China-nexus APT group.
  - Recommends enhanced monitoring for signs of the TRAILBLAZE and BRUSHFIRE malware families.
CVE-2025-22457 poses a significant risk to organizations utilizing affected Ivanti products.
References:
- Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457
- Security-update-pulse-connect-secure-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways
- Rapid7_blog_post
- China-nexus-exploiting-critical-ivanti-vulnerability
- Ivanti-vpn-customers-targeted-via-unrecognized-rce-vulnerability-cve-2025-22457