Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457)

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

A critical security vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure VPN appliances has been actively exploited since mid-March 2025. The vulnerability is a buffer overflow that allows remote code execution. Two new malware families, TRAILBLAZE and BRUSHFIRE, have been deployed alongside the previously known SPAWN ecosystem. The suspected China-nexus espionage actor UNC5221 is assessed to be behind the attacks. Post-exploitation activity includes a shell script dropper, deployment of several malware components, and attempts to evade detection by modifying the Integrity Checker Tool. Organizations are urged to patch their systems immediately and monitor for suspicious activity.

OPENCTI LABELS:

espionage,vpn,remote code execution,zero-day,edge devices,buffer overflow,china-nexus,spawnsloth,brushfire,spawnsnare,trailblaze,ivanti connect secure,spawnwave,cve-2025-22457
