- Ivanti recently patched a critical-severity vulnerability in Connect Secure VPN
- Mandiant says the flaw is being exploited in the wild by Chinese actors
- Two new malware families were discovered
Ivanti has recently patched a critical-severity vulnerability in its Connect Secure (ICS) VPN appliances that is allegedly being exploited in the wild by Chinese state-sponsored actors.
Researchers at Mandiant published a new security advisory stating that Ivanti discovered and fixed a buffer overflow vulnerability in ICS 9.x (no longer supported) and in 22.7R2.5 and earlier versions. The vulnerability is tracked as CVE-2025-22457 and carries a severity score of 9.0/10 (critical).
At first, Mandiant explained, no one was aware of the bug's potential for abuse, but evidence of remote code execution (RCE) attacks was later discovered.
Cyber-espionage
In these attacks, allegedly carried out by a threat actor tracked as UNC5221, two new malware variants were used: Trailblaze and Brushfire.
The former is an in-memory dropper, while the latter is a passive backdoor. The researchers also saw the attackers deploy malware from the SPAWN ecosystem.
UNC5221 is a well-known China-nexus espionage actor that has been observed on several occasions targeting vulnerable Ivanti appliances. For example, in early January of this year, Ivanti said it had seen two flaws, CVE-2025-0282 and CVE-2025-0283, abused by this threat actor. Both affected Ivanti Connect Secure VPN appliances.
SPAWN variants were used in those attacks as well.
Mandiant says this CVE was likely first exploited in mid-March 2025, a month after the patch was released.
“We believe it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered, through a complicated process, that it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution,” the researchers said.
Ivanti has released fixes for the exploited vulnerabilities, and its customers are advised to upgrade their endpoints without delay, as the flaws are being actively targeted.