Ivanti has issued a re-patch for a critical vulnerability, tracked as CVE-2025-22457, in its Connect Secure VPN appliances after learning that a China-linked espionage group had been exploiting it since mid-March. The vulnerability, a buffer overflow, was initially deemed low-risk but was later found to allow remote code execution (RCE). Mandiant reports evidence of the espionage group deploying two new malware families, adding to the ongoing threat activity. The case underscores how much depends on timely vulnerability assessment and patching.
Following successful exploitation, we observed the deployment of two newly identified malware families, the Trailblaze in-memory-only dropper and the Brushfire passive backdoor.
The vulnerability is a buffer overflow with characters limited to periods and numbers; it was evaluated and determined not to be exploitable as remote code execution.
Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild.
UNC5221 is a suspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge devices dating back to 2023.
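The quoted assessment rested on the input being restricted to digits and periods. The added example below (not Ivanti's or Mandiant's code, and making no claim about where the real flaw sits) uses a hypothetical fixed-size field parser to show why a character-set filter alone says nothing about safety: the naive check accepts an arbitrarily long digits-only value, while the hardened copy enforces the destination bound before writing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 16  /* hypothetical fixed-size destination buffer */

/* Naive filter: accepts any string made only of digits and periods,
 * regardless of length. This is the property the original assessment
 * relied on; it constrains the bytes written, not how many. */
bool charset_only_ok(const char *s)
{
    for (; *s != '\0'; s++)
        if (!((*s >= '0' && *s <= '9') || *s == '.'))
            return false;
    return true;
}

/* Hardened copy into dst[FIELD_MAX]: bound the length first, then the
 * charset, and only then write. Returns 0 on success, -1 for a bad
 * character, -2 when the input (plus its NUL) does not fit. */
int copy_dotted_field(char dst[FIELD_MAX], const char *src)
{
    size_t n = strlen(src);
    if (n >= FIELD_MAX)        /* leave room for the terminating NUL */
        return -2;
    if (!charset_only_ok(src))
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void)
{
    char dst[FIELD_MAX];
    /* constructed inputs: a benign dotted value and an over-long digits-only value */
    const char *ok = "10.0.2.15";
    const char *too_long = "1111111111111111111111111111111111111111";

    printf("charset-only check on long input: %s\n",
           charset_only_ok(too_long) ? "accepted" : "rejected");
    printf("bounded copy on long input: %d\n", copy_dotted_field(dst, too_long));
    printf("bounded copy on benign input: %d (%s)\n",
           copy_dotted_field(dst, ok), dst);
    return 0;
}
```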