Vulnerability Analysis

Ivanti Connect Secure CVE-2025-22457: Another Critical Zero-Day, Same Product

A stack-based buffer overflow in Ivanti Connect Secure was exploited by Chinese threat actors just months after the previous zero-day in the same product. The vulnerability was initially misclassified as low-risk.

James
Senior Security Analyst

On April 3, 2025, Ivanti disclosed CVE-2025-22457, a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. Mandiant and Google's Threat Intelligence team confirmed that the vulnerability had been exploited as a zero-day by UNC5221, the same China-nexus threat actor that exploited CVE-2025-0282 in January 2025 and the 2024 Ivanti zero-days before that.

The vulnerability had a CVSS score of 9.0 and affected Ivanti Connect Secure versions before 22.7R2.6. What made this disclosure particularly notable was that a patch had actually been released in February 2025 (version 22.7R2.6), but the vulnerability was initially assessed as a low-risk bug rather than a security vulnerability. Ivanti did not believe it was remotely exploitable at the time of the February patch.

UNC5221 apparently disagreed.

Timeline of Events

The timeline tells a story about the gap between vulnerability assessment and real-world exploitability:

  • February 11, 2025: Ivanti releases Connect Secure version 22.7R2.6, which includes a fix for what was classified as a product bug, not a security vulnerability. The buffer overflow was considered limited to a denial-of-service condition because the overflow was restricted to periods and numbers, which was believed to prevent meaningful code execution.
  • Mid-March 2025: Mandiant detects exploitation of the vulnerability by UNC5221. The threat actor had reverse-engineered the February patch, identified the underlying buffer overflow, and developed an exploit that achieved remote code execution despite the character restrictions.
  • April 3, 2025: Ivanti publishes a security advisory reclassifying the issue as CVE-2025-22457 with a critical severity rating.

The attackers had approximately six weeks between the patch release and the security advisory. During that window, they exploited the vulnerability against organizations that had not yet applied the February update, which many had not prioritized because it was classified as a routine product update rather than a security patch.

The Exploitation

UNC5221 deployed the same SPAWN malware ecosystem observed in the January CVE-2025-0282 exploitation:

  • SPAWNSLOTH: Log tampering utility that modifies and deletes log entries to cover tracks.
  • SPAWNSNAIL: SSH backdoor providing persistent access independent of the VPN appliance's normal authentication.
  • SPAWNMOLE: Tunnel utility for proxying traffic through the compromised appliance.
  • SPAWNANT: Installation component that patches the Integrity Checker Tool to hide the other components.

In addition to the SPAWN tools, Mandiant observed new malware families:

  • TRAILBLAZE: An in-memory dropper designed to inject the BRUSHFIRE backdoor into running processes without writing to disk.
  • BRUSHFIRE: A passive backdoor that hooks SSL functions to decrypt and inspect incoming traffic, activating when it detects attacker-controlled commands within legitimate-looking HTTPS connections.

The use of in-memory-only components (TRAILBLAZE) and passive traffic inspection (BRUSHFIRE) demonstrated an evolution in UNC5221's tradecraft, making detection significantly harder than previous campaigns.

The Patch Gap Problem

CVE-2025-22457 illustrated a dangerous scenario: a vulnerability that is patched but not recognized as security-relevant. This happens more often than the industry acknowledges.

When vendors release patches, they must decide whether each fixed bug warrants a CVE and a security advisory. This assessment is based on the vendor's understanding of exploitability at the time. If the vendor concludes that a bug is not exploitable for code execution, it may be classified as a reliability issue and fixed in a routine update.

But the vendor's exploitability assessment can be wrong. Sophisticated attackers, particularly nation-state groups with deep reverse engineering capabilities, can often find ways to exploit bugs that the vendor deemed unexploitable. The character restriction (periods and numbers only) in the CVE-2025-22457 buffer overflow would stop most attackers, but not a determined group with months of research time and specific incentive to target Ivanti appliances.

This creates a perverse incentive structure:

  • Vendors are incentivized to downplay bug severity to avoid the reputational cost of frequent security advisories.
  • Customers prioritize patches based on vendor severity ratings, deprioritizing updates that are not flagged as security-relevant.
  • Attackers reverse-engineer all patches, security-flagged or not, looking for exploitable bugs that were misclassified.

The result is that some of the most dangerous vulnerabilities are the ones hiding in "routine" updates.

Recommendations

For organizations running Ivanti Connect Secure:

  1. Update to version 22.7R2.6 or later immediately if you have not already.
  2. Run Ivanti's updated Integrity Checker Tool, but remember that sophisticated actors may have subverted it (as UNC5221 has demonstrated previously).
  3. Monitor for SPAWN, TRAILBLAZE, and BRUSHFIRE indicators published by Mandiant.
  4. Consider factory resetting appliances before updating if you suspect compromise.
  5. Treat all Ivanti patches as potentially security-relevant, regardless of the vendor's initial classification.
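A defender-side check for recommendation 1, added here as an example and not part of the original post or of any Ivanti tooling: it parses Connect Secure version strings in the 22.7R2.6 format and flags inventory entries running a build older than the fixed version, regardless of how the vendor labelled the update. The hostnames and versions in the inventory are constructed, and the assumption that a bare release such as "22.7R2" means maintenance number 0 is mine.

```python
import re
from typing import List, Tuple

# Connect Secure versions look like "22.7R2.6": major.minor, an "R" release
# number, then an optional maintenance number. Assumption (not from the
# advisory): a bare release such as "22.7R2" is the first build, maintenance 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Build that carries the fix, as stated in the advisory.
FIXED_VERSION = "22.7R2.6"


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.6' into (22, 7, 2, 6) so versions compare numerically.

    Plain string comparison is wrong here: '22.7R2.10' sorts before '22.7R2.6'
    lexically but is the newer build.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Connect Secure version: {text!r}")
    major, minor, release, maint = m.groups()
    return (int(major), int(minor), int(release), int(maint or 0))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the appliance runs a build older than the fixed version."""
    return parse_version(version) < parse_version(fixed)


def find_vulnerable(inventory: List[Tuple[str, str]],
                    fixed: str = FIXED_VERSION) -> List[str]:
    """Hostnames still needing the update, judged purely by version, not by
    whether the vendor labelled the update as a security patch."""
    return sorted(host for host, ver in inventory if is_vulnerable(ver, fixed))


# Constructed sample inventory (hostname, reported version); not real hosts.
SAMPLE_INVENTORY = [
    ("vpn-gw-01", "22.7R2.5"),   # last build before the February fix
    ("vpn-gw-02", "22.7R2.6"),   # carries the fix
    ("vpn-gw-03", "22.7R1.3"),   # older release train
    ("vpn-gw-04", "22.7R2"),     # first R2 build, no maintenance number
    ("vpn-gw-05", "22.7R2.10"),  # newer build that a string compare would misrank
]

if __name__ == "__main__":
    for host in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}: pre-fix build, update to {FIXED_VERSION} or later")
```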

More broadly:

Patch everything promptly, not just security updates. The distinction between "security patch" and "bug fix" is a vendor assessment that may be wrong. If you can apply a patch, apply it.

Plan your Ivanti exit strategy. Three rounds of zero-day exploitation in 15 months by the same threat actor suggest a systemic problem that patches alone cannot solve. Evaluate alternatives and migration timelines.

How Safeguard.sh Helps

Safeguard.sh tracks your complete software inventory and correlates it against vulnerability databases in real time. When CVEs are reclassified or new exploitation is discovered for previously patched bugs, Safeguard updates your risk profile immediately.

For the specific scenario of CVE-2025-22457 -- where a patch existed before the CVE was assigned -- Safeguard's version tracking would show which systems were running the pre-patch firmware, enabling rapid identification of vulnerable appliances regardless of the vendor's initial severity classification.

Safeguard's policy gates can enforce aggressive patching timelines for all updates to critical infrastructure, not just those flagged as security patches. This approach eliminates the risk of misclassified vulnerabilities slipping through your remediation process.
