
Ivanti has released critical patches for two zero-day vulnerabilities (CVE-2025-22457 and CVE-2025-0282) in its Connect Secure (ICS), Policy Secure, and ZTA gateways, which have been actively exploited by the China-linked threat actor UNC5221 since mid-March 2025. The flaws, both stack-based buffer overflows, allowed unauthenticated remote code execution (RCE) and were initially misdiagnosed as non-exploitable. Mandiant confirmed the deployment of malware families such as TRAILBLAZE, BRUSHFIRE, and SPAWN variants in targeted attacks [1].
Summary for CISOs
The vulnerabilities affect ICS versions 22.7R2.5 and earlier, with patches for Policy Secure/ZTA delayed until April 2025. Shadowserver detected over 900 unpatched instances as of January 2025, down from more than 2,000. CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog, urging immediate action [2].
- CVEs: CVE-2025-22457 (Critical), CVE-2025-0282 (Exploited since December 2024)
- APT: UNC5221 linked to credential theft and lateral movement
- Mitigation: Upgrade to ICS 22.7R2.6, factory reset compromised devices, monitor Integrity Checker Tool logs
Technical Details
The buffer overflow in CVE-2025-22457 was initially misclassified by Ivanti's internal scans, delaying patch development. Exploitation involves sending crafted requests to the VPN's web component, triggering arbitrary code execution. Mandiant's YARA rules detect BRUSHFIRE backdoor traffic, which uses TLS certificate anomalies for C2 communication [3].
CVE-2025-0282, disclosed in January 2025, shares similarities with historical ICS flaws such as CVE-2023-46805. UNC5221 leveraged both vulnerabilities to deploy Resurge/SpawnChimera malware, which evades Ivanti's Integrity Checker Tool (ICT). Shadowserver's scans reveal persistent targeting of the energy and government sectors, particularly in Guam [4].
Detection and Mitigation
Ivanti recommends the following steps for affected organizations:
- Apply ICS 22.7R2.6 patches immediately; Policy Secure/ZTA patches are expected by April 21, 2025.
- Factory reset compromised devices before re-deployment to remove persistent malware.
- Monitor ICT logs for web server crashes or unexpected core dumps, indicative of exploitation attempts.
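The first step above depends on knowing which appliances still run a version at or below 22.7R2.5. The following is an added example, not Ivanti's or Mandiant's code: it parses ICS version strings of the form shown in this advisory and triages a constructed inventory against the 22.7R2.6 fix version. Hostnames in the sample inventory are made up, and the `major.minorRrelease.patch` parsing is an assumption based only on the version strings quoted on this page.

```python
import re
from typing import Optional, Tuple

# Versions at or above this are patched for CVE-2025-22457 per the advisory above.
FIXED_VERSION = "22.7R2.6"

# Assumed shape: major.minor R release [.patch], e.g. 22.7R2.5 or 9.1R18
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(v: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse an ICS version string such as '22.7R2.5' into a comparable tuple.
    Returns None when the string does not match the expected shape."""
    m = VERSION_RE.match(v.strip())
    if not m:
        return None
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def triage(version: str) -> str:
    """Classify one appliance as 'patched', 'affected' or 'unknown'.
    Anything below the fix version is treated as affected ('22.7R2.5 and earlier')."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    return "patched" if parsed >= parse_version(FIXED_VERSION) else "affected"


# Constructed sample inventory: 'hostname,version' with no header (hosts are made up).
SAMPLE_INVENTORY = """\
vpn-hq-01,22.7R2.5
vpn-hq-02,22.7R2.6
vpn-branch-03,22.6R2.3
vpn-lab-04,build-unknown
"""


def triage_inventory(csv_text: str) -> dict:
    """Return {hostname: status} for every non-empty line of the inventory."""
    results = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        results[host.strip()] = triage(version)
    return results


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Rows marked "unknown" need manual verification rather than being assumed patched.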
CISA's Emergency Directive ED 25-03 requires federal agencies to mitigate within 48 hours. AccuKnox's zero-trust report highlights micro-segmentation as a critical defense against lateral movement after exploitation [5].
Relevance to Security Teams
Red teams should test edge devices for similar buffer overflow conditions using fuzzing tools such as AFL++. Blue teams must prioritize patch management for VPN appliances, given UNC5221's focus on "battlespace preparation" tactics. SOC analysts can use Censys scan data to identify anomalous TLS certificates linked to BRUSHFIRE C2 servers [6].
Conclusion
The Ivanti zero-days underscore the risks of delayed patch cycles for edge devices. Organizations should treat VPN gateways as high-value targets, given their role in network access. Future advisories from Ivanti's Patch Tuesday webinars will address additional CVEs in April 2025 [7].
References
- [1] Mandiant Threat Brief, Google Cloud, 2025.
- [2] CISA KEV Catalog, January 2025.
- [3] HelpNetSecurity, April 2025.
- [4] Shadowserver Dashboard, January 2025.
- [5] AccuKnox Zero Trust Report, 2025.
- [6] Censys Scan Data, 2025.
- [7] Ivanti Patch Tuesday Webinar, March 2025.