Chinese Hackers Exploiting Ivanti Connect Secure Vulnerability 

Uploaded on 2025-04-28 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

The software firm Ivanti has disclosed a critical vulnerability in several of its gateway products and the Mandiant Incident Response team has revealed that hackers, with links to China, have been exploiting the bug to deploy two newly discovered forms of malware.

Mandiant and VMware Product Security have found UNC3886, a highly advanced Chinese espionage group, has been exploiting CVE-2023-34048 as far back as late 2021. 

Now, Ivanti has confirmed  that a stack-based buffer overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways could lead to remote code execution.

Actively exploited software defects in Ivanti products are a consistent and recurring problem for the vendor’s customers, which have been subject to multiple attack sprees from various threat groups. Indeed, Ivanti has more than a dozen appearances in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since early 2024, not including CVE-2025-22457.  

“This vulnerability has been remediated in Ivanti Connect Secure 22.7R2.6 (released February 11, 2025) and was initially identified as a product bug,” Ivanti published in its advisory.  

Ivanti said it was aware that customers were continuing to use Pulse Connect Secure 9.1x, which went end-of-life in December 2024, and that these devices were being actively exploited. “At the time of disclosure, we are not aware of any exploitation of Policy Secure or ZTA gateways, which have meaningfully reduced risk from this vulnerability,” Ivanti said.

The following product versions are currently vulnerable:

  • Ivanti Connect Secure 22.7R2.5 and prior versions.
  • Pulse Connect Secure (End-of-Support) 9.1R18.9 and prior versions.
  • Ivanti Policy Secure 22.7R1.3 and prior versions.
  • ZTA Gateways 22.8R2 and prior versions

Mandiant has issued an update goes into more detail on the nature of the exploitation, which it believes is being carried out by Chinese advanced persistent threat UNC5221. “This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups,” Mandiant Consulting’s chief technology officer, Charles Carmakal said “These actors will continue to research security vulnerabilities and develop custom malware for enterprise systems that don’t support EDR solutions. The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase, and these actors are better than ever.”

The two new malware that Mandiant has identified  as Trailblaze and Brushfire, which are being used in conjunction with the Spawn family of malware.

  • Trailblaze is a small in-memory dropper designed to fit within a shell script in Base64. Its function is to inject the Brushfire backdoor, which is capable of running further malicious shellcode.
  • SpawnSloth can disable local and remote logging, while SpawnSnare can extract an uncompressed Linux kernel image before encrypting it.

The Google Threat Intelligence Group has observed UNC5221 targeting similar vulnerabilities in the past, and its tooling matches that observed in the current campaign.“GTIG assesses that UNC5221 will continue pursuing zero-day exploitation of edge devices based on their consistent history of success and aggressive operational tempo,” Mandiant said in a blog post.

According to cyber security firm Rapid7, Ivanti customers “should apply the available Ivanti Connect Secure patch immediately, without waiting for a typical patch cycle to occur”. “Ivanti’s advisory notes that ‘Customers should monitor their external ICT and look for web server crashes. If your ICT result shows signs of compromise, you should perform a factory reset on the appliance and then put the appliance back into production using version 22.7R2.6.’ Notably, ICT results may vary; a factory reset should be performed if exploitation is suspected, regardless of ICT results,” Rapid7 said.

Ivanti is working with Mandiant to provide users with additional information regarding this recently addressed vulnerability. They say the the vulnerability was been fixed and in ICS 22.7R2.6, released in February and that customers running this versions in accordance with the guidance provided have a "significantly reduced risk".

Ivanti  |   Google   |    CyberDaily  |    Cyberscoop   |    HackerNews   |   Infosecurity Magazine 

Image: @GoIvanti

You Might Also Read:

Chinese Hackers Undertaking A Global Infiltration Campaign:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible







 

« Traditional Cyber Insurance Isn’t Built For AI-Driven Attacks
AI Uncovers A Cause Of Alzheimer’s Disease »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Zimperium

Zimperium

Zimperium offers enterprise class protection for mobile devices against the next generation of advanced mobile attacks.

Owl Cyber Defense

Owl Cyber Defense

Owl patented DualDiode Technology enables hardware-enforced network segmentation and deterministic, one-way transfer of all data types and file sizes.

OIC-CERT

OIC-CERT

OIC-CERT is the Computer Emergency Response Team for Organisation of Islamic Cooperation (OIC) member countries.

Simula Research Laboratory

Simula Research Laboratory

Simula Research Laboratory carries out research in the fields of communication systems, scientific computing and software engineering.

BehavioSec

BehavioSec

BehavioSec uses the way your customers type, swipe, and hold their devices, and enables them to authenticate themselves through their own behavior patterns.

Trinity Cyber

Trinity Cyber

Trinity Cyber’s patent-pending technology stops attacks before they reach internal networks,reducing risk and increasing cost to adversaries.

BHC Laboratory

BHC Laboratory

BHC Laboratory is a cyber capabilities’ development company for a wide range of global customers.

NSA Career Development Programs

NSA Career Development Programs

NSA offers entry-level programs to help employees enhance their skills, improve their understanding of a specific discipline and even cross-train into a new career field.

Speedinvest

Speedinvest

Speedinvest is one of Europe’s most active early-stage investors with a focus on Deep Tech, Fintech, Industrial Tech, Network Effects, and Digital Health.

Clear Skye

Clear Skye

Clear Skye, an Identity Access and Management (IAM) software company, reimagines enterprise identity access and risk management software to make a complicated problem easier to manage.

Anonomatic

Anonomatic

Anonomatic’s mission is to make data privacy secure, simple and cost effective. We are Data and Privacy Experts who are passionate about helping organizations solve PII compliance.

Zilla Security

Zilla Security

Zilla combines identity governance with cloud security to deliver comprehensive access visibility, reviews, lifecycle management, and policy-based security remediation.

Cyberani Solutions

Cyberani Solutions

Cyberani Solutions was created to fulfill the cybersecurity needs of industry and government in Saudi Arabia, and across the Middle East and North Africa regions.

Endor Labs

Endor Labs

Endor Labs gives developers and security teams the context they need to prioritize open source risk.

Clango

Clango

Clango employs an identity-centric approach to optimizing your cybersecurity investment while minimizing risk.

FOSSA

FOSSA

FOSSA is a leading SBOM (software bill of materials) and software supply chain risk management platform.