
Ivanti has recently disclosed a critical security vulnerability, identified as CVE-2025-22457, affecting several of its widely used products. The vulnerability impacts Ivanti Connect Secure (ICS) VPN appliances, Pulse Connect Secure, Ivanti Policy Secure, and ZTA gateways.
The core issue is a stack-based buffer overflow that can be exploited by an unauthenticated remote attacker to achieve remote code execution. This is a severe issue, as it allows attackers to potentially take full control of affected systems. The products affected include:
- Ivanti Connect Secure (versions 22.7R2.5 and earlier)
- Pulse Connect Secure 9.1x (End-of-Support)
- Ivanti Policy Secure (before version 22.7R1.4)
- ZTA Gateways (before version 22.8R2.2)
The severity of this vulnerability is highlighted by its CVSS score of 9.0, which is considered critical.
Ivanti has confirmed that there have been active exploitations of this vulnerability in the wild. “We are aware of a limited number of customers whose Ivanti Connect Secure (22.7R2.5 or earlier) and End-of-Support Pulse Connect Secure 9.1x appliances have been exploited at the time of disclosure,” the company stated.
According to Mandiant, the exploitation of CVE-2025-22457 has been linked to the deployment of new malware families, including TRAILBLAZE and BRUSHFIRE, along with the previously reported SPAWN ecosystem of malware.
The exploitation of CVE-2025-22457 and the deployment of the SPAWN malware ecosystem have been attributed to UNC5221, a suspected China-nexus espionage actor. This group has a history of targeting edge devices and has been observed conducting zero-day exploitation in the past.
The observed attack chain follows this general pattern:
- Exploit CVE-2025-22457 to trigger the buffer overflow
- Drop a shell script to identify vulnerable /home/bin/web processes
- Inject TRAILBLAZE (Base64-encoded dropper) into memory
- TRAILBLAZE injects BRUSHFIRE into a “listening” web process
- Use SSL hooks to send, receive, and execute encrypted shellcode
Additionally, attackers tamper with logs using SPAWNSLOTH and hide encrypted system components using SPAWNSNARE and SPAWNWAVE, all part of UNC5221’s evolving arsenal.
Ivanti has urged its customers to take immediate action to mitigate the risks associated with this vulnerability. The available solutions vary depending on the affected product:
- Ivanti Connect Secure: Customers are advised to upgrade to version 22.7R2.6. Ivanti also warns, “If your ICT result shows signs of compromise, you should perform a factory reset on the appliance and then put the appliance back into production using version 22.7R2.6.”
- Pulse Connect Secure 9.1x: As this version has reached its end-of-support, Ivanti recommends that customers contact them to migrate to a supported solution. The company emphasizes, “Ivanti cannot provide guidance to customers to stay on an unsupported version” and that “Customers’ only option is to migrate to a secure platform to ensure their security.”
- Ivanti Policy Secure: A patch is in development and will be available on April 21.
- Ivanti ZTA Gateways: A patch is also in development and will be automatically applied to environments on April 19.
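The affected ranges and remediation steps above map directly onto an inventory check. The following Python is added here as an example (not Ivanti's or the article's own code): it parses Ivanti-style build strings such as 22.7R2.5 or 9.1R18 and flags each appliance in a constructed inventory (hypothetical hostnames) against the ranges listed above.

```python
import re

# Affected ranges as stated in the advisory summary above, as
# (major, minor, R-release, patch) tuples, with the action Ivanti lists.
ADVISORY = {
    "Ivanti Connect Secure": (lambda v: v <= (22, 7, 2, 5),
        "upgrade to 22.7R2.6; factory reset first if the ICT result shows compromise"),
    "Pulse Connect Secure": (lambda v: v[:2] == (9, 1),  # every 9.1x build, end-of-support
        "end-of-support: migrate to a supported platform"),
    "Ivanti Policy Secure": (lambda v: v < (22, 7, 1, 4),
        "patch expected April 21; apply it as soon as it is released"),
    "ZTA Gateways": (lambda v: v < (22, 8, 2, 2),
        "patch to be applied automatically on April 19; verify afterwards"),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """Turn an Ivanti-style build string ('22.7R2.5', '9.1R18') into a comparable tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

def assess(product, version):
    """Return (status, action) for one appliance against CVE-2025-22457."""
    if product not in ADVISORY:
        return ("unknown", "product not covered by this advisory")
    is_affected, action = ADVISORY[product]
    if is_affected(parse_version(version)):
        return ("affected", action)
    return ("not affected", "no action for CVE-2025-22457")

def triage(inventory):
    """Assess every (host, product, version) row; returns rows with status and action."""
    return [(host, product, version, *assess(product, version))
            for host, product, version in inventory]

# Constructed sample inventory with hypothetical hostnames, not real appliances.
SAMPLE_INVENTORY = [
    ("vpn-edge-01", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-edge-02", "Ivanti Connect Secure", "22.7R2.6"),
    ("legacy-pcs", "Pulse Connect Secure", "9.1R18"),
    ("nac-01", "Ivanti Policy Secure", "22.7R1.3"),
    ("zta-gw-01", "ZTA Gateways", "22.8R2.2"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(" | ".join(row))
```

Feed it your real inventory export instead of SAMPLE_INVENTORY; any build string the regex does not recognise raises rather than being silently marked safe.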