UNC5221's Multi-Stage Compromise of Ivanti ICS via CVE-2025-22457


On April 3, 2025, Ivanti disclosed a critical vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure (ICS) VPN appliances. The vulnerability, a stack-based buffer overflow in versions 22.7R2.5 and earlier, enables unauthenticated remote code execution (RCE) and has been actively exploited in the wild.

The attackers used a multi-stage exploitation chain to deploy custom malware families, including TRAILBLAZE, BRUSHFIRE, and components of the known SPAWN malware ecosystem. Mandiant and Ivanti strongly urge immediate patching and use of Ivanti's Integrity Checker Tool (ICT) to look for signs of compromise.

Severity Level: High

THREAT DETAILS

1. Vulnerability Details

  • CVE ID: CVE-2025-22457
  • CVSS Score: 9.0
  • Description: A stack-based buffer overflow that allows a remote, unauthenticated attacker to execute arbitrary code on the appliance.
  • Affected Products:

    Product                       Affected Versions        Patched Version / ETA
    Ivanti Connect Secure         22.7R2.5 and earlier     22.7R2.6 (released Feb 11, 2025)
    Pulse Connect Secure (EoS)    9.1R18.9 and earlier     No fix; migrate to Ivanti Connect Secure
    Ivanti Policy Secure          22.7R1.3 and earlier     22.7R1.4 (due April 21, 2025)
    ZTA Gateways                  22.8R2 and earlier       22.8R2.2 (auto-deploys April 19, 2025)

  • Initial Perception: The bug was first assessed as a low-risk denial-of-service issue because the overflow can only be triggered with a limited character set. The attackers later worked out, most likely by reversing the 22.7R2.6 patch, that it could nonetheless be exploited for RCE. Note that the fixed ICS build predates the public disclosure by almost two months, so appliances still on 22.7R2.5 were exposed to an n-day during that window.
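The affected-versions table is the first thing a defender needs to apply to an appliance inventory, and Ivanti's version strings (22.7R2.5, 22.8R2) do not compare correctly as plain strings. The following is an added example written for this advisory, not code from Ivanti or Mandiant: it parses those version strings into comparable tuples and reports which appliances in a constructed sample inventory still need action. The version-string format, the product names used as keys, and the sample hostnames are assumptions for the demonstration. A version check tells you whether a box is unpatched, not whether it was already compromised; the ICT checks in the recommendations below still apply to every appliance that was ever on a vulnerable build.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed builds per product, taken from the affected-products table above.
# None means no fixed build exists (end-of-support product: migrate instead).
FIXED_BUILD: Dict[str, Optional[str]] = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Pulse Connect Secure": None,
    "Ivanti Policy Secure": "22.7R1.4",
    "ZTA Gateways": "22.8R2.2",
}

# Assumption: version strings look like 22.7R2.5 or 22.8R2 (patch level optional).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5) so builds compare numerically.

    A missing patch level ('22.8R2') is treated as .0, which is what makes
    '22.8R2 and earlier' sort below the fixed 22.8R2.2.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True if this build predates the fixed build for the product."""
    if product not in FIXED_BUILD:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    fixed = FIXED_BUILD[product]
    if fixed is None:
        return True  # end-of-support: every build is unpatched
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, action) for every appliance that still needs work."""
    actions: List[Tuple[str, str]] = []
    for host, product, version in inventory:
        if not is_vulnerable(product, version):
            continue
        fixed = FIXED_BUILD[product]
        if fixed is None:
            actions.append((host, "end of support: migrate to Ivanti Connect Secure"))
        else:
            actions.append((host, f"upgrade {version} -> {fixed}, then run the ICT"))
    return actions


# Constructed sample inventory for the demonstration; these are not real hosts.
SAMPLE_INVENTORY = [
    ("vpn-1.example.test", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-2.example.test", "Ivanti Connect Secure", "22.7R2.6"),
    ("vpn-3.example.test", "Ivanti Connect Secure", "22.6R2.3"),
    ("pcs-legacy.example.test", "Pulse Connect Secure", "9.1R18.9"),
    ("zta-gw.example.test", "ZTA Gateways", "22.8R2"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```

Older release branches (22.6R2.x and below) are flagged as well, because "22.7R2.5 and earlier" covers them; the comparison is against the fixed build, not against the single version named in the advisory.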

2. Threat Actor: UNC5221

  • Attribution: Suspected China-nexus espionage group
  • Previous Activity: Has previously exploited CVE-2025-0282, CVE-2023-46805, CVE-2024-21887, and CVE-2023-4966 against edge infrastructure
  • Tactics:
    • Focuses on internet-facing edge appliances
    • Leverages both zero-day and n-day vulnerabilities
    • Operates through an obfuscation network of compromised QNAP devices, ASUS routers, and Cyberoam appliances
3. Exploitation

  • Initial Access: Unauthenticated remote exploitation of CVE-2025-22457 against the /home/bin/web process on the ICS appliance
  • Timeline: First observed exploitation activity in mid-March 2025
  • Post-Exploitation Actions:
    • a. Deployment of a custom shell script dropper
    • b. Injection of the TRAILBLAZE dropper and the BRUSHFIRE passive backdoor into the web process
    • c. Tampering with Ivanti's Integrity Checker Tool (ICT) to evade detection
    • d. Deployment of additional malware from the SPAWN ecosystem: SPAWNSLOTH, SPAWNSNARE, SPAWNWAVE

4. Shell Script Dropper

  • Collects runtime information about the running web process: its PID, its memory map, and the base addresses of the web binary and libssl.so
  • Writes that data to the hidden files /tmp/.p, /tmp/.m, /tmp/.w and /tmp/.s
  • Drops and executes /tmp/.i, the TRAILBLAZE in-memory dropper
  • Cleans up: deletes the /tmp/ files and /data/var/cores (removing any crash dumps left by the exploit) for anti-forensics, then kills all child processes of the web process
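The dropper leaves a small, well-defined set of filesystem traces, and those are exactly what a responder wants to check on a mounted filesystem image or a statedump taken before the appliance is reset. The following scanner is an added example written for this advisory, not tooling from Ivanti or Mandiant: it walks a tree rooted at a given path and reports the hidden /tmp files named above plus any file left in /data/var/cores. The sample tree it builds is constructed for the demonstration (fake PID, placeholder bytes in place of TRAILBLAZE, and an assumed core-dump filename), and the layout of an ICS image is taken from the paths in this advisory, not verified against a live appliance. Because the dropper deletes its own files and the cores directory, an empty result does not clear the appliance; it only means the cleanup step ran or the box was never touched, and the ICT remains the authoritative check.

```python
import tempfile
from pathlib import Path
from typing import List

# Hidden files the shell script dropper writes under /tmp on the appliance
# (names from the dropper description above); values describe their contents.
DROPPER_TEMP_FILES = {
    ".p": "PID of the web process",
    ".m": "memory map of the web process",
    ".w": "base address of the web binary",
    ".s": "base address of libssl.so",
    ".i": "TRAILBLAZE in-memory dropper",
}
CORES_DIR = Path("data/var/cores")  # where web process core dumps land


def hunt_dropper_artifacts(root: Path) -> List[str]:
    """Scan a mounted ICS filesystem image rooted at `root` for dropper traces.

    Returns one human-readable finding per artifact. An empty list is not a
    clean bill of health: the dropper deletes its own /tmp files and the cores
    directory, so absence is the expected state after a completed compromise.
    """
    findings: List[str] = []

    tmp = root / "tmp"
    for name, meaning in DROPPER_TEMP_FILES.items():
        artifact = tmp / name
        if artifact.exists():
            findings.append(f"{artifact.relative_to(root)} present: {meaning}")

    cores = root / CORES_DIR
    if cores.is_dir():
        for core in sorted(p for p in cores.iterdir() if p.is_file()):
            # A crash of the web process is a known side effect of the exploit,
            # so every surviving dump deserves a look even without other traces.
            findings.append(
                f"{core.relative_to(root)} present: web process crash dump, investigate"
            )

    return findings


def build_sample_image(compromised: bool) -> Path:
    """Constructed sample tree for the demonstration; not data from a real appliance."""
    root = Path(tempfile.mkdtemp(prefix="ics-image-"))
    (root / "tmp").mkdir()
    (root / CORES_DIR).mkdir(parents=True)
    if compromised:
        (root / "tmp" / ".p").write_text("4242\n")            # fake PID
        (root / "tmp" / ".i").write_bytes(b"\x7fELF")         # placeholder, not TRAILBLAZE
        (root / CORES_DIR / "core.web.4242").write_bytes(b"")  # assumed dump filename
    return root


if __name__ == "__main__":
    for line in hunt_dropper_artifacts(build_sample_image(compromised=True)):
        print(line)
```

Point the scanner at the mount point of an offline image rather than at a live appliance's root: on a live box the dropper has usually already run its cleanup, and the reset-and-rebuild advice below still applies whenever the ICT reports a mismatch.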

5. Malware Components Overview

    Malware       Purpose
    TRAILBLAZE    In-memory dropper; uses raw syscalls and delivers its payload Base64-encoded
    BRUSHFIRE     Passive backdoor that hooks SSL_read and executes shellcode when a trigger string is received
    SPAWNSLOTH    Modifies the logging daemon to suppress forensic data
    SPAWNSNARE    Extracts and encrypts the vmlinux kernel image
    SPAWNWAVE     Combines features of multiple members of the SPAWN family

Recommendations:

  1. Immediately apply the available patch by upgrading Ivanti Connect Secure (ICS) appliances to version 22.7R2.6 or later to address CVE-2025-22457. Upgrade Ivanti Policy Secure and ZTA Gateways as soon as the fixed builds listed above are available, and migrate off end-of-support Pulse Connect Secure.
  2. Run the external ICT regularly and watch for web server crashes. If the ICT result shows signs of compromise, perform a factory reset of the appliance and return it to production on version 22.7R2.6 or later.
  3. Use both the external and internal Integrity Checker Tool (ICT) and contact Ivanti Support if suspicious activity is identified. To supplement this, monitor for core dumps of the web process, investigate ICT statedump files, and perform anomaly detection on the client TLS certificates presented to the appliance.
  4. Block the published IOCs (see the VirusTotal collection under Sources) at the relevant network and endpoint controls.

SOURCES:

  • https://www.virustotal.com/gui/collection/c1437b752a4bece143f3584eef40b00cb72f9281068bd1c235cf76f94d744024/iocs
  • https://securityonline.info/cve-2025-22457-unc5221-exploits-ivanti-zero-day-flaw-to-deploy-trailblaze-and-brushfire-malware/
  • https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US
  • https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability/

Ampcus Cyber