Chinese Hackers Exploiting Ivanti Connect Secure Vulnerability 

Uploaded on 2025-04-28 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

The software firm Ivanti has disclosed a critical vulnerability in several of its gateway products and the Mandiant Incident Response team has revealed that hackers, with links to China, have been exploiting the bug to deploy two newly discovered forms of malware.

Mandiant and VMware Product Security have found UNC3886, a highly advanced Chinese espionage group, has been exploiting CVE-2023-34048 as far back as late 2021. 

Now, Ivanti has confirmed  that a stack-based buffer overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways could lead to remote code execution.

Actively exploited software defects in Ivanti products are a consistent and recurring problem for the vendor’s customers, which have been subject to multiple attack sprees from various threat groups. Indeed, Ivanti has more than a dozen appearances in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since early 2024, not including CVE-2025-22457.  

“This vulnerability has been remediated in Ivanti Connect Secure 22.7R2.6 (released February 11, 2025) and was initially identified as a product bug,” Ivanti published in its advisory.  

Ivanti said it was aware that customers were continuing to use Pulse Connect Secure 9.1x, which went end-of-life in December 2024, and that these devices were being actively exploited. “At the time of disclosure, we are not aware of any exploitation of Policy Secure or ZTA gateways, which have meaningfully reduced risk from this vulnerability,” Ivanti said.

The following product versions are currently vulnerable:

  • Ivanti Connect Secure 22.7R2.5 and prior versions.
  • Pulse Connect Secure (End-of-Support) 9.1R18.9 and prior versions.
  • Ivanti Policy Secure 22.7R1.3 and prior versions.
  • ZTA Gateways 22.8R2 and prior versions

Mandiant has issued an update goes into more detail on the nature of the exploitation, which it believes is being carried out by Chinese advanced persistent threat UNC5221. “This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups,” Mandiant Consulting’s chief technology officer, Charles Carmakal said “These actors will continue to research security vulnerabilities and develop custom malware for enterprise systems that don’t support EDR solutions. The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase, and these actors are better than ever.”

The two new malware that Mandiant has identified  as Trailblaze and Brushfire, which are being used in conjunction with the Spawn family of malware.

  • Trailblaze is a small in-memory dropper designed to fit within a shell script in Base64. Its function is to inject the Brushfire backdoor, which is capable of running further malicious shellcode.
  • SpawnSloth can disable local and remote logging, while SpawnSnare can extract an uncompressed Linux kernel image before encrypting it.

The Google Threat Intelligence Group has observed UNC5221 targeting similar vulnerabilities in the past, and its tooling matches that observed in the current campaign.“GTIG assesses that UNC5221 will continue pursuing zero-day exploitation of edge devices based on their consistent history of success and aggressive operational tempo,” Mandiant said in a blog post.

According to cyber security firm Rapid7, Ivanti customers “should apply the available Ivanti Connect Secure patch immediately, without waiting for a typical patch cycle to occur”. “Ivanti’s advisory notes that ‘Customers should monitor their external ICT and look for web server crashes. If your ICT result shows signs of compromise, you should perform a factory reset on the appliance and then put the appliance back into production using version 22.7R2.6.’ Notably, ICT results may vary; a factory reset should be performed if exploitation is suspected, regardless of ICT results,” Rapid7 said.

Ivanti is working with Mandiant to provide users with additional information regarding this recently addressed vulnerability. They say the the vulnerability was been fixed and in ICS 22.7R2.6, released in February and that customers running this versions in accordance with the guidance provided have a "significantly reduced risk".

Ivanti  |   Google   |    CyberDaily  |    Cyberscoop   |    HackerNews   |   Infosecurity Magazine 

Image: @GoIvanti

You Might Also Read:

Chinese Hackers Undertaking A Global Infiltration Campaign:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible







 

« Traditional Cyber Insurance Isn’t Built For AI-Driven Attacks
AI Uncovers A Cause Of Alzheimer’s Disease »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

CERTuy

CERTuy

CERTuy is the national Computer Emergency Response Team for Uruguay.

National Cybersecurity and Communications Integration Center (NCCIC) - USA

National Cybersecurity and Communications Integration Center (NCCIC) - USA

NCCIC is a cyber situational awareness, incident response, and management center for the US Government, intelligence community, and law enforcement.

CUIng.org

CUIng.org

The CUIng initiative was launched to tackle the problem of criminal exploitation of information hiding techniques.

ETAS

ETAS

ETAS (formerly Escrypt) is a pioneer and one of today’s leading solution providers for embedded IT security.

Cyversity

Cyversity

Cyversity's mission (formerly ICMCP) is the consistent representation of women and underrepresented minorities in the cybersecurity industry.

Synelixis Solutions

Synelixis Solutions

Synelixis Solutions is a high-tech company founded to provide complete telecommunications, networking, security, control and automation solutions.

GK8

GK8

GK8 is a cyber security company that offers a high security custodian technology for managing and safeguarding digital assets. Secure, Compliant and Practical.

DCX Technology

DCX Technology

Recognized as a leader in security services, DXC Technology help clients prevent potential attack pathways, reduce cyber risk and improve threat detection and incident response.

PhishFirewall

PhishFirewall

PhishFirewall is an advanced AI-driven CyberSecurity Awareness Education, Threat Emulation, and Human Security Analytics Platform.

Druva

Druva

Druva is the industry’s leading SaaS platform for data resiliency, and the only vendor to ensure data protection across the most common data risks backed by a $10m guarantee.

Interactive

Interactive

Interactive are a leading Australian IT service provider with services in Cloud, Cyber Security, Data Centres, Business Continuity, Hardware Maintenance, Digital Workplace, and Networks.

Velum Labs

Velum Labs

Velum Labs is a cyber intelligence company that provides simple and non-intrusive, cloud and cyber intelligence solutions; built from a market-leading understanding of cyber-attack methodology.

Saffron Networks

Saffron Networks

Saffron Networks is an ISO-certified company. We assure our clients of reliable solutions, specifically with the Security landscape and Enterprise Networking.

Astran

Astran

At Astran, we revolutionize data security by introducing a groundbreaking solution for data confidentiality headaches.

Qi An Xin (QAX)

Qi An Xin (QAX)

QAX is a listed company based in China, and a leader in cybersecurity industry, providing new generation enterprise-level and national-level cybersecurity solutions.

Bestman Solutions

Bestman Solutions

As a specialist cyber security practice, we believe that people are an organisation’s most valuable asset. Success depends on hiring the right people, and this is where we come in.