Critical Ivanti Flaw Was Actively Used to Spread the BRUSHFIRE and TRAILBLAZE Malware

Ivanti has disclosed details of a critical security flaw in Connect Secure that has now been patched and is being actively exploited in the wild.
The vulnerability, tracked as CVE-2025-22457 (CVSS score: 9.0), is a stack-based buffer overflow that could be exploited to execute arbitrary code on affected systems.
“A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution,” Ivanti stated in a Thursday advisory.
Several products and versions are affected by the flaw:
- Version 22.7R2.6 (patch published on February 11, 2025) fixes the flaw in Ivanti Connect Secure (versions 22.7R2.5 and earlier).
- Version 22.7R2.6 also addresses the flaw for Pulse Connect Secure (versions 9.1R18.9 and earlier); as that product has been out of support since December 31, 2024, customers should contact Ivanti to migrate.
- Version 22.7R1.4 (expected on April 21) fixes the flaw in Ivanti Policy Secure (versions 22.7R1.3 and earlier).
- Version 22.8R2.2 (expected on April 19) fixes the flaw in ZTA Gateways (versions 22.8R2 and earlier).
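The advisory above boils down to a per-product "fixed in" version, so the first thing a defender wants is an inventory check. The script below is an added example, not Ivanti's tooling or code from the article: it parses Ivanti-style version strings (e.g. 22.7R2.5, 22.8R2), compares each appliance against the fixed version listed above, and treats Pulse Connect Secure as end-of-support rather than patchable. Hostnames in the inventory are constructed placeholders.

```python
import re

# Fixed versions per product, as listed in the advisory summary above.
# Policy Secure 22.7R1.4 and ZTA 22.8R2.2 were not yet released at time of
# writing, so those products will report "vulnerable" until the patch ships.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.4",
    "Ivanti ZTA Gateways": "22.8R2.2",
}
# Pulse Connect Secure 9.1 is out of support: every 9.1 build is affected and
# the remediation is migration to Connect Secure 22.7R2.6, not a 9.x patch.
EOL_PRODUCTS = {"Pulse Connect Secure"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '22.7R2.5' or '22.8R2' into a comparable (major, minor, release, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)

def assess(product: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'end-of-support' for one appliance."""
    if product in EOL_PRODUCTS:
        return "end-of-support"
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise KeyError(f"no advisory data for product {product!r}")
    return "patched" if parse_version(version) >= parse_version(fixed) else "vulnerable"

# Constructed sample inventory (hypothetical hostnames), not data from the article.
INVENTORY = [
    ("vpn-east.example.internal", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-west.example.internal", "Ivanti Connect Secure", "22.7R2.6"),
    ("nac-01.example.internal", "Ivanti Policy Secure", "22.7R1.3"),
    ("zta-gw-01.example.internal", "Ivanti ZTA Gateways", "22.8R2"),
    ("legacy-vpn.example.internal", "Pulse Connect Secure", "9.1R18.9"),
]

def triage(inventory=INVENTORY) -> dict[str, list[str]]:
    """Group hostnames by remediation state so unpatched appliances can be prioritised."""
    report: dict[str, list[str]] = {"vulnerable": [], "patched": [], "end-of-support": []}
    for host, product, version in inventory:
        report[assess(product, version)].append(host)
    return report

if __name__ == "__main__":
    for state, hosts in triage().items():
        print(f"{state}: {', '.join(hosts) or '-'}")
```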
According to the company, a “limited number of customers” have had their Connect Secure and end-of-support Pulse Connect Secure appliances compromised. There is no evidence so far that ZTA Gateways or Policy Secure have been exploited in the wild.
“Customers ought to track their external ICT and search for web server crashes,” Ivanti stated. “If your ICT result indicates symptoms of compromise, you ought to execute a complete factory reset on the device and then put the device back into operation using version 22.7R2.6.”
It’s important to note that several significant vulnerabilities (CVE-2024-38657, CVE-2025-22467, and CVE-2024-10644) that might allow a remote authenticated attacker to write arbitrary files and run arbitrary code were also fixed in Connect Secure version 22.7R2.6.
In a separate bulletin, Google-owned Mandiant stated that it had seen proof of CVE-2025-22457 being exploited in mid-March 2025, which enabled the threat actors to distribute the SPAWN malware suite, a passive backdoor dubbed BRUSHFIRE, and an in-memory dropper named TRAILBLAZE.
The attack chain uses a multi-stage shell script dropper to execute TRAILBLAZE, which then injects BRUSHFIRE directly into the memory of a running browser process to evade detection. The goal of the exploitation activity is to establish persistent backdoor access on compromised appliances, which can in turn enable credential theft, further network intrusion, and data exfiltration.
The SPAWN malware ecosystem includes the following components:
- SPAWNSLOTH is a log tampering tool that, when the SPAWNSNAIL backdoor is active, can disable both local logging and log forwarding to an external syslog server.
- SPAWNSNARE is a C-based application that uses AES encryption to extract the uncompressed Linux kernel image (vmlinux) into a file.
- Combining many aspects of SPAWN, SPAWNWAVE is an enhanced form of SPAWNANT that overlaps with RESURGE and SPAWNCHIMERA.
The use of SPAWN is attributed to a China-nexus adversary tracked as UNC5221, which has a history of exploiting zero-day vulnerabilities in Ivanti Connect Secure (ICS) devices, along with additional clusters including UNC5266, UNC5291, UNC5325, UNC5330, UNC5337, and UNC3886.
The U.S. government has also assessed UNC5221 to overlap with threat groups such as UTA0178, Silk Typhoon, and APT27. The threat intelligence company, however, told The Hacker News that it lacks sufficient evidence to independently confirm this link.
“Mandiant tracks UNC5221 as a cluster of activity that has repeatedly exploited edge devices with zero-day vulnerabilities,” Dan Perez, China Mission Technical Lead at Google Threat Intelligence Group, told the publication.
“The government’s connection between this cluster and APT27 is believable, but we lack independent proof to support it. We are unable to comment on Microsoft’s attribution for this behavior, which they call Silk Typhoon.”
Beyond its zero-day exploitation of CVE-2023-4966, which affects Citrix NetScaler devices, UNC5221 has used an obfuscation network of compromised Cyberoam appliances, QNAP devices, and ASUS routers to conceal its true origin during intrusion operations. Microsoft highlighted the same feature early last month when describing Silk Typhoon’s most recent tradecraft.
The company also hypothesized that the threat actor likely studied Ivanti’s February patch and devised a way to exploit earlier versions to achieve remote code execution on unpatched systems. This is the first time UNC5221 has been linked to N-day exploitation of an Ivanti security vulnerability.
“This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups,” stated Charles Carmakal, CTO at Mandiant Consulting.
“These actors will keep looking into security flaws and creating unique malware for business systems that don’t support EDR solutions. China-nexus espionage actors are more proficient than ever, and their rate of cyber incursion activity is still rising.”
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.