
China-Linked Hackers Exploit Critical Ivanti Vulnerability (CVE-2025-22457)

Are you an Ivanti Connect Secure user? Here is what you need to know about the recently disclosed CVE-2025-22457 vulnerability, a buffer overflow that is actively being exploited. This article details the risk to Ivanti Connect Secure VPN appliances, the threat actors involved, and the immediate steps you need to take to protect your systems.


Critical Vulnerability Exploited in Ivanti Connect Secure VPN Appliances

A buffer overflow vulnerability, CVE-2025-22457, is under active exploitation, potentially leading to remote code execution. Immediate action is required to secure vulnerable systems.


Urgent Security Advisory

Ivanti disclosed a critical security vulnerability, CVE-2025-22457, on Thursday, April 3, 2025, affecting Ivanti Connect Secure (“ICS”) VPN appliances version 22.7R2.5 and earlier. All customers are strongly encouraged to upgrade to the latest patched version quickly.

Key Takeaways

  • Vulnerability: CVE-2025-22457 is a buffer overflow vulnerability in Ivanti Connect Secure VPN appliances.
  • Impact: Successful exploitation can lead to remote code execution.
  • Affected Versions: ICS 22.7R2.5 and earlier.
  • Active Exploitation: Evidence of active exploitation in the wild has been observed.
  • Threat Actor: Suspected China-nexus espionage actor UNC5221 is attributed to the exploitation.
  • Malware: Deployment of TRAILBLAZE, BRUSHFIRE, and the SPAWN ecosystem of malware has been observed post-exploitation.
  • Recommendation: Upgrade to ICS version 22.7R2.6 or later immediately.

The Threat Landscape: A Deep Dive

The cybersecurity community is on high alert following the disclosure of CVE-2025-22457, a critical vulnerability impacting Ivanti Connect Secure VPN appliances. This flaw, a buffer overflow, poses a notable risk as it could allow attackers to remotely execute malicious code on affected systems. The implications are far-reaching, potentially compromising sensitive data and disrupting critical business operations. The Cybersecurity and Infrastructure Security Agency (CISA) recommends organizations implement a layered security approach, combining preventative measures with robust detection and response capabilities, to mitigate such threats effectively.

The earliest signs of exploitation were detected in mid-March 2025. Following successful exploitation, threat actors deployed two newly identified malware families: the TRAILBLAZE in-memory-only dropper and the BRUSHFIRE passive backdoor. Moreover, the previously reported SPAWN ecosystem of malware, linked to UNC5221, was also observed.

Ivanti and Mandiant encourage all customers to upgrade as soon as possible.

Technical Analysis: Unpacking the Vulnerability

A patch for CVE-2025-22457 was released in ICS 22.7R2.6 on February 11, 2025. Initially, the vulnerability was believed to be a low-risk denial-of-service issue due to the limited character space of the buffer overflow. However, further analysis revealed a more severe potential.

It is assessed that the threat actor likely studied the patch for the vulnerability in ICS 22.7R2.6 and, through an elaborate process, discovered that it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution.

Post-Exploitation Activity: Malware Families Deployed

Following successful exploitation of CVE-2025-22457, security researchers observed the deployment of several malware families, each with distinct functionalities:

  • TRAILBLAZE: An in-memory-only dropper written in bare C, designed to be minimal enough to fit within a Base64-encoded shell script. It injects a hook into the /home/bin/web process and then injects the BRUSHFIRE passive backdoor into a code cave within that process.
  • BRUSHFIRE: A passive backdoor, also written in bare C, that acts as an SSL_read hook. It checks whether the returned data begins with a specific string and, if so, XOR-decrypts and executes shellcode contained in the data.
  • SPAWNSLOTH: A log-tampering component tied to the SPAWNSNAIL backdoor. It targets the dslogserver process to disable both local logging and remote syslog forwarding.
  • SPAWNSNARE: A utility written in C that targets Linux. It can extract the uncompressed Linux kernel image (vmlinux) into a file and encrypt it using AES without relying on command-line tools.
  • SPAWNWAVE: An evolved version of SPAWNANT that combines capabilities from other members of the SPAWN malware ecosystem. SPAWNWAVE overlaps with the publicly reported SPAWNCHIMERA and RESURGE malware families.

The SPAWN malware family has been previously documented, highlighting its capabilities for lateral movement and data exfiltration within compromised networks. Understanding the behavior of these malware families is crucial for effective threat detection and response.

Attribution: The Suspected Threat Actor

The Google Threat Intelligence Group (GTIG) attributes the exploitation of CVE-2025-22457 and the subsequent deployment of the SPAWN ecosystem of malware to UNC5221, a suspected China-nexus espionage actor. This group has a history of targeting edge devices and leveraging zero-day exploits.

GTIG has previously reported UNC5221 conducting zero-day exploitation of CVE-2025-0282, as well as the exploitation of CVE-2023-46805 and CVE-2024-21887. Furthermore, GTIG has also observed UNC5221 conducting zero-day exploitation of CVE-2023-4966, impacting NetScaler ADC and NetScaler Gateway appliances.

UNC5221 has targeted a wide range of countries and verticals during their operations and has leveraged an extensive set of tooling, spanning passive backdoors to trojanized legitimate components on various edge appliances.

GTIG assesses that UNC5221 will continue pursuing zero-day exploitation of edge devices based on their consistent history of success and aggressive operational tempo.

The group’s use of an obfuscation network of compromised Cyberoam appliances, QNAP devices, and ASUS routers to mask their true source during intrusion operations further demonstrates their sophistication.

Recommendations: Immediate Actions to Take

To mitigate the risk posed by CVE-2025-22457 and related threats, organizations should take the following immediate actions:

  • Apply the Patch: Upgrade Ivanti Connect Secure (ICS) appliances to version 22.7R2.6 or later to address CVE-2025-22457.
  • Run Integrity Checker Tool (ICT): Use the external and internal Integrity Checker Tool (“ICT”) and contact Ivanti Support if suspicious activity is identified.
  • Monitor for Core Dumps: Actively monitor for core dumps related to the web process.
  • Investigate ICT Statedump files: Examine ICT statedump files for anomalies.
  • Anomaly Detection of Client TLS Certificates: Conduct anomaly detection of client TLS certificates presented to the appliance.
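As an added worked example (not from the advisory, Ivanti, or Mandiant): a small Python triage helper that checks an ICS version string against the fixed build and runs two of the checks above, web-process core dumps and anomalous client TLS certificates, over constructed sample events. The version-string layout, the syslog-like line shape, and the trusted-issuer list are assumptions for the demo, not the appliance's real formats.

```python
import re

# Fixed version stated in the advisory; everything below it is in the affected range.
FIXED_VERSION = "22.7R2.6"

def parse_ics_version(v: str) -> tuple:
    """Turn an ICS version such as '22.7R2.5' into a comparable tuple.
    Assumed layout: <major>.<minor>R<release>[.<patch>]; a missing patch counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised ICS version string: {v!r}")
    return tuple(int(x or 0) for x in m.groups())

def is_affected(v: str) -> bool:
    """True for 22.7R2.5 and earlier, i.e. any build older than the fixed one."""
    return parse_ics_version(v) < parse_ics_version(FIXED_VERSION)

# Constructed sample events in a generic syslog-like shape. They are NOT the
# appliance's real log format; adapt the regexes to the fields your SIEM exposes.
SAMPLE_EVENTS = [
    "2025-04-04T09:58:12Z ics kernel: web[2231]: segfault at 0 ip 00007f (core dumped)",
    "2025-04-04T10:01:33Z ics web: client-cert subject='CN=alice,O=Example' issuer='CN=Example Corp CA'",
    "2025-04-04T10:02:07Z ics web: client-cert subject='CN=x' issuer='CN=x'",
    "2025-04-04T10:05:40Z ics dslogserver: forwarding enabled",
]
TRUSTED_ISSUERS = {"CN=Example Corp CA"}   # constructed allow-list for the demo

CORE_DUMP = re.compile(r"\bweb\[\d+\].*core dumped", re.I)
CLIENT_CERT = re.compile(r"client-cert subject='([^']*)' issuer='([^']*)'")

def triage(events, trusted_issuers=TRUSTED_ISSUERS):
    """Return (kind, line) findings: web-process core dumps and odd client certs."""
    findings = []
    for line in events:
        if CORE_DUMP.search(line):
            findings.append(("web_core_dump", line))
            continue
        m = CLIENT_CERT.search(line)
        if m:
            subject, issuer = m.groups()
            # Self-signed, or issued by a CA we do not expect: worth a closer look.
            if subject == issuer or issuer not in trusted_issuers:
                findings.append(("anomalous_client_cert", line))
    return findings

if __name__ == "__main__":
    print("22.7R2.5 affected:", is_affected("22.7R2.5"))
    for kind, line in triage(SAMPLE_EVENTS):
        print(kind, "->", line)
```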

These steps will help organizations identify and remediate potential compromises, reducing the risk of further exploitation.

Indicators of Compromise (IOCs)

To assist the security community in hunting and identifying activity outlined in this report, indicators of compromise (IOCs) are available in a GTI Collection for registered users.

This analysis underscores the importance of proactive security measures and continuous monitoring to defend against sophisticated cyber threats. The information provided is intended to assist organizations in protecting their critical infrastructure and data.
