Chinese Hackers Exploiting Ivanti Connect Secure Vulnerability 

The software firm Ivanti has disclosed a critical vulnerability in several of its gateway products and the Mandiant Incident Response team has revealed that hackers, with links to China, have been exploiting the bug to deploy two newly discovered forms of malware.

In a separate case, Mandiant and VMware Product Security found that UNC3886, a highly advanced Chinese espionage group, had been exploiting CVE-2023-34048, a VMware vCenter Server vulnerability, as far back as late 2021.

Now, Ivanti has confirmed that a stack-based buffer overflow, tracked as CVE-2025-22457, in Ivanti Connect Secure, Policy Secure and ZTA Gateways could lead to remote code execution.

Actively exploited software defects in Ivanti products are a consistent and recurring problem for the vendor’s customers, which have been subject to multiple attack sprees from various threat groups. Indeed, Ivanti has more than a dozen appearances in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since early 2024, not including CVE-2025-22457.  

“This vulnerability has been remediated in Ivanti Connect Secure 22.7R2.6 (released February 11, 2025) and was initially identified as a product bug,” Ivanti said in its advisory.

Ivanti said it was aware that customers were continuing to use Pulse Connect Secure 9.1x, which went end-of-life in December 2024, and that these devices were being actively exploited. “At the time of disclosure, we are not aware of any exploitation of Policy Secure or ZTA gateways, which have meaningfully reduced risk from this vulnerability,” Ivanti said.

The following product versions are currently vulnerable:

  • Ivanti Connect Secure 22.7R2.5 and prior versions.
  • Pulse Connect Secure (End-of-Support) 9.1R18.9 and prior versions.
  • Ivanti Policy Secure 22.7R1.3 and prior versions.
  • ZTA Gateways 22.8R2 and prior versions.
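As an added illustration, not code from Ivanti, Mandiant or the original article, the following Python script checks an appliance inventory against the version ranges listed above. It parses Ivanti's `<major>.<minor>R<release>[.<patch>]` version scheme and compares components numerically, flags every end-of-support Pulse Connect Secure box for replacement (the advisory lists no fixed build for it), and refuses to treat an unparseable version string as safe. The hostnames, the `example.test` domain, the inventory rows and the verdict strings are constructed for this example.

```python
"""Triage an appliance inventory against the vulnerable version ranges
listed in the advisory: ICS 22.7R2.5 and prior, PCS 9.1R18.9 and prior,
IPS 22.7R1.3 and prior, ZTA Gateways 22.8R2 and prior.

Ivanti versions follow <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5;
a missing patch component (22.8R2) is treated as patch 0. Components are
compared numerically, so a hypothetical 22.7R2.10 sorts above 22.7R2.6,
which a plain string comparison would get wrong.
"""
import re
from typing import List, Tuple

VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Highest affected version per product, taken from the advisory's list.
LAST_VULNERABLE = {
    "ICS": "22.7R2.5",  # Ivanti Connect Secure; remediated in 22.7R2.6
    "PCS": "9.1R18.9",  # Pulse Connect Secure; end-of-support, no fix
    "IPS": "22.7R1.3",  # Ivanti Policy Secure
    "ZTA": "22.8R2",    # ZTA Gateways
}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5); raise on anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True if `version` is at or below the last affected build for `product`."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (hostname, verdict) for each (hostname, product, version) row.

    Pulse Connect Secure is end-of-support, so every PCS box is flagged for
    replacement regardless of build. Unparseable versions or unknown product
    codes are flagged for manual review rather than silently treated as safe.
    """
    results = []
    for host, product, version in inventory:
        if product == "PCS":
            results.append((host, "END-OF-SUPPORT: replace"))
            continue
        try:
            vulnerable = is_vulnerable(product, version)
        except (ValueError, KeyError):
            results.append((host, f"UNKNOWN: check manually ({product} {version})"))
            continue
        results.append((host, "VULNERABLE: patch now" if vulnerable
                        else "not in affected range"))
    return results


# Constructed sample inventory; hostnames and builds are made up for this example.
SAMPLE_INVENTORY = [
    ("vpn-01.example.test", "ICS", "22.7R2.5"),   # last affected build
    ("vpn-02.example.test", "ICS", "22.7R2.6"),   # remediated build
    ("vpn-03.example.test", "ICS", "22.7R2.10"),  # hypothetical, numerically newer
    ("legacy.example.test", "PCS", "9.1R18.9"),
    ("nac-01.example.test", "IPS", "22.7R1.3"),
    ("zta-01.example.test", "ZTA", "22.8R2"),
    ("zta-02.example.test", "ZTA", "22.8R2.2"),   # hypothetical, above the range
    ("odd.example.test",    "ICS", "22.7"),       # malformed string
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:22} {verdict}")
```

Feed it the output of whatever asset inventory you trust; a version string the parser rejects is a prompt to log in and check the appliance, not a reason to skip it.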

Mandiant has issued an update that goes into more detail on the nature of the exploitation, which it believes is being carried out by the Chinese advanced persistent threat group UNC5221. “This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups,” said Charles Carmakal, Mandiant Consulting’s chief technology officer. “These actors will continue to research security vulnerabilities and develop custom malware for enterprise systems that don’t support EDR solutions. The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase, and these actors are better than ever.”

The two new malware families Mandiant has identified are Trailblaze and Brushfire, which are being used in conjunction with the Spawn family of malware.

  • Trailblaze is a small in-memory dropper, small enough to be carried Base64-encoded inside a shell script. Its job is to inject the Brushfire backdoor, which can then execute further malicious shellcode.
  • Two Spawn-family components were also seen: SpawnSloth can disable local and remote logging, while SpawnSnare can extract an uncompressed Linux kernel image and then encrypt it.

The Google Threat Intelligence Group (GTIG) has observed UNC5221 targeting similar vulnerabilities in the past, and its tooling matches that observed in the current campaign. “GTIG assesses that UNC5221 will continue pursuing zero-day exploitation of edge devices based on their consistent history of success and aggressive operational tempo,” Mandiant said in a blog post.

According to cyber security firm Rapid7, Ivanti customers “should apply the available Ivanti Connect Secure patch immediately, without waiting for a typical patch cycle to occur”. “Ivanti’s advisory notes that ‘Customers should monitor their external ICT and look for web server crashes. If your ICT result shows signs of compromise, you should perform a factory reset on the appliance and then put the appliance back into production using version 22.7R2.6.’ Notably, ICT results may vary; a factory reset should be performed if exploitation is suspected, regardless of ICT results,” Rapid7 said.

Ivanti is working with Mandiant to provide users with additional information regarding this recently addressed vulnerability. The vendor says the vulnerability was fixed in ICS 22.7R2.6, released in February, and that customers running this version in accordance with the guidance provided have a "significantly reduced risk".

Ivanti | Google | CyberDaily | Cyberscoop | HackerNews | Infosecurity Magazine

Image: @GoIvanti
