UNC5221 is the Mandiant designation for a China-nexus cluster that has turned Ivanti edge appliances into a persistent espionage platform from late 2023 through 2026. Unlike ransomware crews that burn their access for leverage, UNC5221 has repeatedly demonstrated discipline: they pick a perimeter device category, invest in custom tooling, chain zero-days against it, and stay resident for months. The Ivanti Connect Secure (ICS) and Policy Secure story is the clearest public case study of that pattern we have, and the lessons have broad application to any organization with edge appliances terminating trust.
This post is a consolidated defensive read of UNC5221's Ivanti campaign across multiple disclosure cycles, pulling from Mandiant's M-Trends reports, Volexity's original discovery post, CISA's Emergency Directive 24-01, Ivanti's advisories, and follow-on research from JPCERT/CC, Orange Cyberdefense, and Google's Threat Analysis Group.
How Did the Campaign Begin?
Volexity disclosed on January 10, 2024 that it had observed active exploitation of two zero-day vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure starting in early December 2023. CVE-2023-46805 was an authentication bypass in the web component, and CVE-2024-21887 was a command injection vulnerability in multiple web components. Chained together, they allowed unauthenticated remote code execution as root on the appliance. Mandiant attributed the initial exploitation to UNC5221 and identified five distinct malware families associated with the cluster: ZIPLINE, THINSPOOL, WIREFIRE, LIGHTWIRE, and WARPWIRE.
CISA issued Emergency Directive 24-01 on January 19, 2024, directing federal civilian agencies to apply mitigations, and updated the directive on February 2, 2024 after Ivanti's mitigation was itself found to be bypassable. CVE-2024-21888 and CVE-2024-21893, disclosed January 31, 2024, extended the chain. By March, Ivanti had disclosed additional vulnerabilities in the same product family, and Mandiant had documented UNC5221 activity continuing despite patches because the attacker had established persistence that survived factory resets on certain firmware lines.
What Made the Persistence So Sticky?
Two specific tradecraft choices made UNC5221's Ivanti foothold unusually durable. First, the actor tampered with the appliance's Integrity Checker Tool (ICT) so that it reported clean on compromised systems. Ivanti's ICT is the customer-facing mechanism for verifying device integrity; subverting it meant that organizations running the recommended post-exploitation check received false assurance. Mandiant's February 2024 follow-up described UNC5221 patching the ICT binary in place, with the attacker's modifications surviving a standard upgrade path.
Second, UNC5221 deployed backdoors that survived the factory-reset procedure Ivanti recommended. The BUSHWALK backdoor, documented by Mandiant in CTI report MTT-2024-006, was written to locations that Ivanti's reset did not wipe. Customers who followed Ivanti's public remediation guidance in January 2024 could remain compromised, and some did for months. This is an important detail: the gap between vendor remediation instructions and actual clean state is frequently where advanced actors live.
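The practical response to a subverted integrity checker and a reset that leaves files behind is to verify the device from outside it. The following is an added example (not Ivanti's ICT, not Mandiant's tooling, and not code from this post): it builds a path-to-SHA-256 manifest from a known-clean image on a trusted workstation, builds a second manifest from a filesystem snapshot exported from the appliance and examined on that same host, and diffs the two. The directory layout, file names and contents are constructed for the demonstration and do not correspond to any real product; the appliance's own checker is never consulted.

```python
"""Out-of-band integrity check for an edge appliance (added example, not Ivanti's ICT).

Baseline: a manifest of path -> SHA-256 built from a known-clean image on a
trusted workstation. Observed: a manifest built from a filesystem snapshot
exported from the appliance and examined on that same trusted host.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large firmware images do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # symlinks and special files would be recorded separately in practice
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def diff_manifests(baseline: dict, observed: dict) -> dict:
    """Report files added, missing, or changed relative to the clean baseline."""
    shared = baseline.keys() & observed.keys()
    return {
        "added": sorted(observed.keys() - baseline.keys()),
        "missing": sorted(baseline.keys() - observed.keys()),
        "modified": sorted(p for p in shared if baseline[p] != observed[p]),
    }


def write_tree(root: Path, files: dict) -> None:
    """Materialise a constructed sample tree on disk."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


# Constructed sample trees. Paths and contents are hypothetical and do not
# correspond to any real appliance layout.
CLEAN_IMAGE = {
    "bin/web": b"web-daemon-v22.7",
    "bin/ict": b"integrity-checker-v22.7",
    "etc/config.xml": b"<config/>",
    "var/log/events.log": b"boot ok\n",
}
SNAPSHOT = {
    "bin/web": b"web-daemon-v22.7",
    "bin/ict": b"integrity-checker-v22.7-patched-to-report-clean",  # modified in place
    "etc/config.xml": b"<config/>",
    "tmp/.cache/helper.so": b"unexpected shared object",  # added by the intruder
    # var/log/events.log is absent: deleted
}


def demo() -> dict:
    """Build both manifests from the constructed trees and diff them."""
    with tempfile.TemporaryDirectory() as clean_dir, tempfile.TemporaryDirectory() as snap_dir:
        write_tree(Path(clean_dir), CLEAN_IMAGE)
        write_tree(Path(snap_dir), SNAPSHOT)
        return diff_manifests(build_manifest(Path(clean_dir)), build_manifest(Path(snap_dir)))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline manifest should be generated once per firmware version from media obtained directly from the vendor, stored somewhere the appliance cannot reach, and regenerated after every upgrade; a diff that is empty after a factory reset is the only evidence of "clean state" that does not route through the device's own self-report.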
Which CVEs Formed the Full Chain?
The public CVE list for the campaign, as of early 2026, includes at minimum: CVE-2023-46805 (auth bypass), CVE-2024-21887 (command injection), CVE-2024-21888 (privilege escalation), CVE-2024-21893 (SSRF in SAML component), CVE-2024-22024 (XXE in SAML component), and CVE-2025-0282 (stack buffer overflow in IF-T/TLS, disclosed January 2025, exploited as zero-day in December 2024). Ivanti also disclosed CVE-2025-22457 in April 2025, another buffer overflow enabling unauthenticated RCE, with Mandiant confirming in-the-wild exploitation by UNC5221 prior to the patch.
The pattern across three product-family zero-day cycles is the same: UNC5221 finds a pre-authentication memory or injection primitive, pairs it with a post-authentication privilege primitive, and lands a persistent implant that survives official remediation. Every defense assumption based on "the latest firmware is clean" has been violated at least once in the public record.
What Tooling Did UNC5221 Deploy?
Mandiant's public tracking lists at least fifteen distinct malware families across the campaign lifespan. The notable ones include SPAWNMOLE, a tunneler injected into the web process; SPAWNSNAIL, an SSH backdoor; SPAWNSLOTH, a log-tampering utility; and SPAWNANT, an installer that ensures persistence across upgrades. The SPAWN family stands out for its modularity; JPCERT/CC's 2024 analysis described SPAWNANT as designed to inject itself into the dsmdm upgrade process, enabling persistence that survives firmware updates.
Separately, CISA's AA24-038A joint advisory in February 2024 documented webshell deployment in UNC5221 campaigns, along with credential harvesting from the appliance's memory, API token theft, and pivoting via the appliance's trust relationship with internal Active Directory. The appliance is a high-trust node on most networks, which is why compromising the device that terminates that trust creates such severe downstream exposure.
Why Do Edge Appliances Keep Getting Owned?
Edge appliances share a set of architectural properties that make them attractive zero-day targets. They must be reachable from the internet, because that is their job. They typically run proprietary operating systems with limited endpoint detection coverage. They hold privileged credentials, including for LDAP, RADIUS, Active Directory, and SSO integrations. They are often running long-lived kernels with historical C dependencies, which yields fresh memory-safety bugs for any researcher willing to look. And they are sold on multi-year lifecycles with firmware update cadences measured in months, not days.
Ivanti is not alone in this pattern. 2024 and 2025 saw similar campaigns against Fortinet FortiManager (CVE-2024-47575, exploited by UNC5820 per Mandiant), Palo Alto Networks PAN-OS (CVE-2024-3400, exploited by Storm-0933), Cisco ASA (CVE-2024-20353 and CVE-2024-20359, the ArcaneDoor campaign attributed to UAT4356), and Check Point (CVE-2024-24919). Every major enterprise firewall and VPN vendor has shipped at least one in-the-wild zero-day in the 24-month window that includes UNC5221's Ivanti work.
What Detection Strategies Have Actually Worked?
Detection strategies that worked during the Ivanti campaign, based on incident write-ups from Volexity, Mandiant, and several customer-led investigations published on GitHub security-research repositories, clustered around out-of-band telemetry. Network captures showing unusual outbound HTTP POSTs from the appliance to uncommon destinations were a high-fidelity signal. DNS logs showing the appliance resolving names outside its normal update-checker patterns were another. Any authentication activity originating from the appliance's IP to internal systems, particularly against domain controllers, should be treated as suspicious because legitimate operation rarely requires it.
The common theme is that the appliance's own logs and integrity checker were unreliable. UNC5221 patched those. Detections built entirely on artifacts the compromised device provides will fail against a determined in-device actor. Out-of-band collectors, sidecar network taps, and cross-correlation with upstream identity telemetry are the path that held up across the campaign.
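The three signals described above (outbound HTTP POSTs to uncommon destinations, DNS lookups outside the update-checker pattern, and authentication from the appliance's IP against domain controllers) can be implemented against exports the appliance cannot rewrite. The block below is an added example, not code from this post or from any of the vendors or researchers it cites: it runs simplified rules over constructed proxy, resolver and domain-controller log lines, and raises the priority of an HTTP finding when the resolver log shows the same host being looked up shortly before. All addresses, hostnames, accounts and line formats are constructed, and the allowlists and the expected directory bind account are assumptions a defender would replace with their own baseline.

```python
"""Out-of-band detection of a compromised edge appliance (added example).

Three log sources the appliance cannot rewrite: a web proxy / flow export of
its outbound HTTP, the recursive resolver's query log, and domain-controller
security events. Everything below is constructed; the line formats are
simplified stand-ins for real exports.
"""
import re
from datetime import datetime, timezone

APPLIANCE_IP = "10.0.5.20"                        # the VPN appliance's internal address (constructed)
DOMAIN_CONTROLLERS = {"10.0.1.10", "10.0.1.11"}   # constructed
ALLOWED_HTTP_HOSTS = {"updates.example-vendor.test"}                # its known update-checker endpoint
ALLOWED_DNS_SUFFIXES = ("example-vendor.test", "corp.example.test")
EXPECTED_BIND_ACCOUNTS = {"svc_ldap_bind"}        # directory account the appliance is configured with (assumption)
CORRELATION_WINDOW_S = 300

PROXY_LOG = """\
2024-01-12T03:14:07Z src=10.0.5.20 dst=203.0.113.77 method=POST host=updates.example-vendor.test
2024-01-12T03:22:41Z src=10.0.5.20 dst=198.51.100.9 method=POST host=cdn-sync.example.invalid
2024-01-12T03:22:45Z src=10.0.7.33 dst=198.51.100.9 method=POST host=cdn-sync.example.invalid
"""
DNS_LOG = """\
2024-01-12T03:14:05Z client=10.0.5.20 query=updates.example-vendor.test
2024-01-12T03:22:40Z client=10.0.5.20 query=cdn-sync.example.invalid
2024-01-12T03:25:00Z client=10.0.5.20 query=dc01.corp.example.test
"""
AUTH_LOG = """\
2024-01-12T03:30:12Z event=4624 src_ip=10.0.5.20 target=10.0.1.10 user=svc_ldap_bind
2024-01-12T03:31:02Z event=4768 src_ip=10.0.5.20 target=10.0.1.10 user=administrator
2024-01-12T03:31:40Z event=4624 src_ip=10.0.7.33 target=10.0.1.10 user=jdoe
"""

PROXY_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) host=(?P<host>\S+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) client=(?P<src>\S+) query=(?P<qname>\S+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) event=(?P<event>\d+) src_ip=(?P<src>\S+) target=(?P<target>\S+) user=(?P<user>\S+)$")


def parse_ts(text: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used by the constructed logs."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def dns_allowed(qname: str) -> bool:
    """True when the name is the vendor endpoint, an internal name, or a subdomain of either."""
    return any(qname == s or qname.endswith("." + s) for s in ALLOWED_DNS_SUFFIXES)


def detect(proxy_log: str = PROXY_LOG, dns_log: str = DNS_LOG, auth_log: str = AUTH_LOG) -> list:
    """Return (rule, subject, raw_line) findings for the appliance across the three sources."""
    findings = []
    first_unexpected_lookup = {}   # qname -> time of first lookup outside the baseline

    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if not m or m["src"] != APPLIANCE_IP or dns_allowed(m["qname"]):
            continue
        first_unexpected_lookup.setdefault(m["qname"], parse_ts(m["ts"]))
        findings.append(("dns_unexpected_lookup", m["qname"], line))

    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m or m["src"] != APPLIANCE_IP or m["method"] != "POST" or m["host"] in ALLOWED_HTTP_HOSTS:
            continue
        rule = "http_post_uncommon_dest"
        seen = first_unexpected_lookup.get(m["host"])
        # Two independent sources agreeing inside the window raises confidence.
        if seen is not None and 0 <= (parse_ts(m["ts"]) - seen).total_seconds() <= CORRELATION_WINDOW_S:
            rule = "http_post_after_unexpected_dns"
        findings.append((rule, m["host"], line))

    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m or m["src"] != APPLIANCE_IP or m["target"] not in DOMAIN_CONTROLLERS:
            continue
        # Everything from the appliance to a DC is flagged; the configured bind
        # account gets its own rule so analysts can tune its priority separately.
        rule = "appliance_auth_to_dc" if m["user"] in EXPECTED_BIND_ACCOUNTS else "appliance_auth_to_dc_unexpected_account"
        findings.append((rule, m["user"], line))

    return findings


if __name__ == "__main__":
    for rule, subject, raw in detect():
        print(f"{rule:40s} {subject:28s} {raw}")
```

On the constructed data this yields one unexpected DNS lookup, one outbound POST that correlates with that lookup one second later, and two authentication events from the appliance to a domain controller, one of which uses an account the appliance has no configured reason to present. None of the inputs came from the appliance itself, which is the property that kept these detections intact when the device's own logs and ICT did not.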
How Safeguard.sh Helps
The Ivanti story is a supply-chain story as much as a vulnerability-management story. Every customer of Ivanti inherited the appliance's firmware dependency graph, its build pipeline, its integrity checker, and whatever trust relationships the appliance held inside their environment. Safeguard.sh's reachability analysis catalogs the components your edge appliances run and traces which of your services call into them, so you know whose identity and data sit behind that device. Griffin AI triages emerging advisories like the Ivanti CVE chain against your specific deployment and flags not just the direct CVE but the transitive exposure through the appliance's trust graph.
Eagle watches for the moment a new edge-appliance advisory lands and begins continuous scanning against the affected versions in your inventory immediately, enforcing guardrails that block vulnerable firmware from remaining in production. Our 100-level deep dependency tracing covers the libraries your appliance vendor embeds, because vendor SBOMs are often incomplete. Container self-healing applies the same logic to any sidecar or adjacent containerized service that talks to the appliance. For the edge-appliance category that UNC5221 has made its home, Safeguard.sh gives you continuous visibility that does not depend on the device's own self-reported integrity.