Chinese Hackers Exploiting Ivanti Connect Secure Vulnerability 

Uploaded on 2025-04-28 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

The software firm Ivanti has disclosed a critical vulnerability in several of its gateway products and the Mandiant Incident Response team has revealed that hackers, with links to China, have been exploiting the bug to deploy two newly discovered forms of malware.

Mandiant and VMware Product Security have found UNC3886, a highly advanced Chinese espionage group, has been exploiting CVE-2023-34048 as far back as late 2021. 

Now, Ivanti has confirmed  that a stack-based buffer overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways could lead to remote code execution.

Actively exploited software defects in Ivanti products are a consistent and recurring problem for the vendor’s customers, which have been subject to multiple attack sprees from various threat groups. Indeed, Ivanti has more than a dozen appearances in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since early 2024, not including CVE-2025-22457.  

“This vulnerability has been remediated in Ivanti Connect Secure 22.7R2.6 (released February 11, 2025) and was initially identified as a product bug,” Ivanti published in its advisory.  

Ivanti said it was aware that customers were continuing to use Pulse Connect Secure 9.1x, which went end-of-life in December 2024, and that these devices were being actively exploited. “At the time of disclosure, we are not aware of any exploitation of Policy Secure or ZTA gateways, which have meaningfully reduced risk from this vulnerability,” Ivanti said.

The following product versions are currently vulnerable:

  • Ivanti Connect Secure 22.7R2.5 and prior versions.
  • Pulse Connect Secure (End-of-Support) 9.1R18.9 and prior versions.
  • Ivanti Policy Secure 22.7R1.3 and prior versions.
  • ZTA Gateways 22.8R2 and prior versions

Mandiant has issued an update goes into more detail on the nature of the exploitation, which it believes is being carried out by Chinese advanced persistent threat UNC5221. “This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups,” Mandiant Consulting’s chief technology officer, Charles Carmakal said “These actors will continue to research security vulnerabilities and develop custom malware for enterprise systems that don’t support EDR solutions. The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase, and these actors are better than ever.”

The two new malware that Mandiant has identified  as Trailblaze and Brushfire, which are being used in conjunction with the Spawn family of malware.

  • Trailblaze is a small in-memory dropper designed to fit within a shell script in Base64. Its function is to inject the Brushfire backdoor, which is capable of running further malicious shellcode.
  • SpawnSloth can disable local and remote logging, while SpawnSnare can extract an uncompressed Linux kernel image before encrypting it.

The Google Threat Intelligence Group has observed UNC5221 targeting similar vulnerabilities in the past, and its tooling matches that observed in the current campaign.“GTIG assesses that UNC5221 will continue pursuing zero-day exploitation of edge devices based on their consistent history of success and aggressive operational tempo,” Mandiant said in a blog post.

According to cyber security firm Rapid7, Ivanti customers “should apply the available Ivanti Connect Secure patch immediately, without waiting for a typical patch cycle to occur”. “Ivanti’s advisory notes that ‘Customers should monitor their external ICT and look for web server crashes. If your ICT result shows signs of compromise, you should perform a factory reset on the appliance and then put the appliance back into production using version 22.7R2.6.’ Notably, ICT results may vary; a factory reset should be performed if exploitation is suspected, regardless of ICT results,” Rapid7 said.

Ivanti is working with Mandiant to provide users with additional information regarding this recently addressed vulnerability. They say the the vulnerability was been fixed and in ICS 22.7R2.6, released in February and that customers running this versions in accordance with the guidance provided have a "significantly reduced risk".

Ivanti  |   Google   |    CyberDaily  |    Cyberscoop   |    HackerNews   |   Infosecurity Magazine 

Image: @GoIvanti

You Might Also Read:

Chinese Hackers Undertaking A Global Infiltration Campaign:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible







 

« Traditional Cyber Insurance Isn’t Built For AI-Driven Attacks
AI Uncovers A Cause Of Alzheimer’s Disease »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

SealPath

SealPath

SealPath enables companies to protect and control their documents wherever they are: In their PC, in their corporate network, on a partner’s network, in the cloud.

Micron Technology

Micron Technology

Micron is a global leader in the semiconductor industry providing memory and secure storage devices for Networks, Mobile devices and IoT applications.

AVR International

AVR International

AVR educate, advise, analyse and provide professional, technical consultancy and support to ensure your business is safe, compliant and protected.

Truepic

Truepic

Truepic provides technologies that prevent fraud, identity theft, misinformation, and disinformation caused by generative, manipulated, or deepfake digital content.

ResponSight

ResponSight

ResponSight is a data science company focusing specifically on the challenge of measuring risk and identifying changes in enterprise/corporate networks using behavioural analytics.

Cybersecurity Professionals

Cybersecurity Professionals

Search vacancies from top cyber security jobs worldwide on CyberSecurity Professionals. View IT security jobs or upload your CV to be seen by recruiters from industry leading firms.

CyberDegrees.org

CyberDegrees.org

CyberDegrees.org aims to provide top-notch information for students seeking Cyber Security education and career guidance.

Fudo Security

Fudo Security

Fudo Security is a leading provider of privileged access management and privileged session monitoring solutions.

AML Global Solutions (AMLGS)

AML Global Solutions (AMLGS)

AMLGS delivers Financial Crime prevention training programmes and consultancy services encompassing Anti-Money Laundering (AML), Counter Terrorism Financing (CTF), Bribery & Corruption and Fraud.

Darkscope

Darkscope

Darkscope is an award-winning personalised cyber intelligence service provider. Our cutting-edge AI and Deep Artificial Neural Networks lead the world of cyber intelligence solutions.

MyCISO

MyCISO

MyCISO is the World’s first SaaS application that will vastly simplify security management for all.

ASPIA InfoTech

ASPIA InfoTech

ASPIA Infotech is a leading Information and cybersecurity organization focused on innovative approaches to avert targeted attacks.

Vigilant Ops

Vigilant Ops

Vigilant Ops is a leader in Software Bill of Materials (SBOM) Automation. A proactive approach to cybersecurity with continuous vulnerability monitoring.

NST Cyber

NST Cyber

NST Cyber provides comprehensive Threat Exposure Management to Global banks and Forbes 2000 companies.

ThreatMate

ThreatMate

ThreatMate empowers businesses with comprehensive tools to detect, protect, and remediate against cyber threats.

Runtime Ventures

Runtime Ventures

Runtime Ventures focuses on seed and pre-seed stage cybersecurity investments. We love to work with ambitious founders building the future of the secure enterprise.