- Ivanti has patched a critical-severity flaw in its Connect Secure VPN
- Mandiant says the bug is being exploited in the wild by Chinese actors
- Two new malware strains were discovered
Ivanti has patched a critical-severity vulnerability in its Connect Secure (ICS) VPN appliances that was reportedly exploited in the wild by Chinese state-sponsored actors.
Mandiant researchers published a new security advisory stating that Ivanti discovered and fixed a buffer overflow vulnerability in ICS 9.x (end of support) and in 22.7R2.5 and earlier. The flaw is tracked as CVE-2025-22457 and carries a severity score of 9.0/10 (critical).
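The version boundaries above (fixed in 22.7R2.6, affected at 22.7R2.5 and earlier, 9.x out of support) are the kind of thing a defender has to check across a whole fleet of appliances. The following is an added triage helper written for this article, not code from Ivanti or Mandiant; the version-string pattern it accepts (for example "22.7R2.5", "9.1R18.9") and the sample inventory are assumptions constructed for illustration.

```python
import re
from typing import Dict, Tuple

# First fixed release named in the article: ICS 22.7R2.6.
# Builds below this in the 22.x line are reported as affected.
FIXED_VERSION = (22, 7, 2, 6)

# Assumed shape of an Ivanti Connect Secure version string:
# "<major>.<minor>R<release>[.<patch>]", e.g. "22.7R2.5" or "9.1R18.9".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_ics_version(s: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch level counts as 0."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised ICS version string: {s!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess_cve_2025_22457(version: str) -> str:
    """Classify one build as 'fixed', 'vulnerable' or 'end-of-support'.

    9.x is affected but out of support, so no fixed build exists for it;
    it is reported separately so it is not mistaken for a patchable host.
    """
    v = parse_ics_version(version)
    if v[0] == 9:
        return "end-of-support"
    # Tuple comparison orders (major, minor, release, patch) lexicographically.
    if v >= FIXED_VERSION:
        return "fixed"
    return "vulnerable"


def triage_fleet(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map a {hostname: version} inventory to a {hostname: status} report."""
    return {host: assess_cve_2025_22457(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "vpn-eu-1": "22.7R2.5",
        "vpn-eu-2": "22.7R2.6",
        "vpn-us-1": "22.6R2",
        "vpn-legacy": "9.1R18.9",
    }
    for host, status in triage_fleet(sample).items():
        print(f"{host}: {status}")
```

The check is deliberately strict about the version format: an unrecognised string raises rather than silently passing as "fixed", so a typo in an inventory export surfaces instead of hiding an unpatched appliance.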
At first the bug's exploitability was not recognised, Mandiant explained, but evidence of remote code execution (RCE) attacks was later discovered.
In these attacks, attributed to a threat actor tracked as UNC5221, two new malware families were used: TRAILBLAZE and BRUSHFIRE.
The first is an in-memory-only dropper, while the second is a passive backdoor. The researchers also observed the attackers deploying malware from the SPAWN ecosystem.
UNC5221 is a known China-nexus espionage actor that has been observed on multiple occasions targeting vulnerable Ivanti instances. For example, in early January this year Ivanti said it had seen two flaws, CVE-2025-0282 and CVE-2025-0283, being exploited by this threat actor. Both affected Ivanti Connect Secure VPN appliances.
SPAWN variants were also used in those attacks.
Mandiant says this CVE was probably first exploited in mid-March 2025, about a month after the patch was released.
“We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and discovered, through a complicated process, that it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution,” the researchers said.
Ivanti has released fixes for the exploited vulnerability and is advising customers to update their endpoints without delay, since the flaw is being actively targeted.