
A suspected Chinese advanced persistent threat (APT) group has been actively exploiting a critical flaw in Ivanti’s Connect Secure VPN appliances. The US software company had failed to properly patch and document the defect earlier.
The vulnerability, tracked as CVE-2025-22457, carries a high CVSS severity score of 9/10 but was not flagged as a security vulnerability when it was originally patched in February, because it had been triaged as a denial-of-service “product bug.”
Ivanti now says it has found that the problem is more than a crash bug and that users are indeed exposed to remote attacks.
“Successful exploitation could lead to remote code execution,” Ivanti said in a new bulletin.
“We are aware of a limited number of customers whose Ivanti Connect Secure (22.7R2.5 or earlier) and End-of-Support Pulse Connect Secure 9.1x appliances have been exploited at the time of disclosure.”
The emergency guidance landed on the same day Google’s Mandiant threat intelligence team said it had seen “evidence of active exploitation in the wild” against targeted Ivanti devices.
“The earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025,” Mandiant reported, explaining that a China-nexus threat actor used the bug to deploy an in-memory-only dropper and a passive backdoor.
The APT, currently tracked by Mandiant as UNC5221, was previously seen conducting zero-day exploitation of Netscaler edge devices dating back to 2023.
According to Mandiant, even though a patch for CVE-2025-22457 was released in February, the threat actor probably studied that patch and worked out that it was difficult but possible to exploit the vulnerability and “achieve remote code execution.”
“This latest activity from UNC5221 underscores the ongoing sophisticated threats targeting edge devices globally,” said Mandiant.
Network security devices and edge devices, in particular, are a focus of sophisticated and highly persistent threat actors. Ivanti confirmed it worked closely with Mandiant to provide additional information regarding this vulnerability. The defect is now fixed.
“Importantly, this vulnerability was fixed in ICS 22.7R2.6, released February 11th, 2025, and customers running supported versions on their appliances and in accordance with the guidance provided by Ivanti have a significantly reduced risk. Ivanti’s Integrity Checker Tool (ICT) has been successful in detecting potential compromise on a limited number of customers running ICS 9.X (end of life) and 22.7R2.5 and earlier versions,” Daniel Spicer, Ivanti CSO, told Cybernews.
Researchers recommend organizations immediately apply the available patch by upgrading Ivanti Connect Secure appliances to version 22.7R2.6 or later to address CVE-2025-22457.
Additionally, organizations should use the external and internal Integrity Checker Tool and contact Ivanti Support if suspicious activity is identified.
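As an added illustration (not code from the article, Ivanti or Mandiant), a small Python triage helper that parses Ivanti Connect Secure version strings and flags which appliances in an inventory still need the 22.7R2.6 upgrade named above. The version layout <major>.<minor>R<release>[.<build>] is an assumption inferred from the versions quoted in the article, and the hostnames and inventory are constructed; the point it shows is that versions must be compared numerically, since a plain string comparison would rank "22.7R2.10" below "22.7R2.6".

```python
import re
from typing import Dict, Optional, Tuple

# Fix version named in Ivanti's advisory for CVE-2025-22457.
FIXED_VERSION = "22.7R2.6"

# Assumed ICS version layout: <major>.<minor>R<release>[.<build>],
# e.g. "22.7R2.5" or "9.1R18.9" (inferred from versions in the article).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_ics_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn an ICS version string into a numeric tuple; None if unparseable.

    A missing build number is treated as 0 so that "22.7R2" sorts below "22.7R2.1".
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, release, build = m.groups()
    return (int(major), int(minor), int(release), int(build or 0))


def classify(version: str) -> str:
    """Classify one appliance version against the CVE-2025-22457 advisory.

    'end-of-support': 9.x Pulse Connect Secure, no fix available, replace it
    'patched':        22.7R2.6 or later
    'vulnerable':     22.x builds at or below 22.7R2.5, upgrade required
    'unknown':        unparseable string, needs a manual look
    """
    parsed = parse_ics_version(version)
    if parsed is None:
        return "unknown"
    if parsed[0] < 22:
        return "end-of-support"
    if parsed >= parse_ics_version(FIXED_VERSION):  # numeric, not lexical
        return "patched"
    return "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a {hostname: version} inventory to its status."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "vpn-hq.example.internal": "22.7R2.6",
    "vpn-branch.example.internal": "22.7R2.5",
    "vpn-legacy.example.internal": "9.1R18.9",
    "vpn-lab.example.internal": "22.7R2.10",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Appliances reported as "vulnerable" or "end-of-support" are the ones to prioritise for the Integrity Checker Tool run the article recommends.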