- Ivanti recently patched a critical severity flaw in Connect Secure VPN
- Mandiant says the bug is being used in the wild by Chinese actors
- Two new malware strains were discovered
Ivanti has recently patched a critical severity vulnerability found in its Connect Secure (ICS) VPN appliances which was allegedly being abused in the wild by Chinese state-sponsored actors.
Researchers at Mandiant published a new security advisory stating Ivanti discovered and fixed a buffer overflow vulnerability in ICS 9.X (unsupported) and 22.7R2.5 and earlier versions. The vulnerability is tracked as CVE-2025-22457, and carries a severity score of 9.0/10 (critical).
At first, no one was aware of the bug’s disruptive potential, Mandiant explained, but later - evidence of remote code execution (RCE) attacks were discovered.
Monitor your credit score with TransUnion starting at $29.95/month
TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.
Preferred partner (What does this mean?)View Deal
Cyber-espionage
In these attacks, allegedly conducted by a threat actor tracked as UNC5221, two new malware variants were used: TRAILBLAZE, and BUSHFIRE.
The former is an in-memory only dropper, while the latter is a passive backdoor. Furthermore, the researchers saw cybercriminals dropping malware from the SPAWN ecosystem, as well.
UNC5221 is a known, China-nexus espionage actor that was observed, on multiple occasions, targeting vulnerable Ivanti instances. For example, in early January this year, Ivanti said it saw two flaws - CVE-2025-0282 and CVE-2025-0283 - being abused by this threat actor. Both were impacting Ivanti Connect Secure VPN appliances.
In these attacks, SPAWN variants were also used.
Mandiant says that this CVE was probably first used in mid-March 2025, a month after the patch was released.
“We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution,” the researchers said.
Ivanti has released fixes for the exploited vulnerabilities and its customers are advised to upgrade their endpoints without hesitation, since the flaws are being actively targeted.
“Network security devices and edge devices in particular are a focus of sophisticated and highly persistent threat actors, and Ivanti is committed to providing information to defenders to ensure they can take every possible step to secure their environments," Daniel Spicer, Ivanti CSO, told TechRadar Pro in a written statement.
"To this end, in addition to providing an advisory directly to customers, Ivanti worked closely with its partner Mandiant to provide additional information regarding this recently addressed vulnerability. Importantly, this vulnerability was fixed in ICS 22.7R2.6, released February 11, 2025, and customers running supported versions on their appliances and in accordance with the guidance provided by Ivanti have a significantly reduced risk. Ivanti’s Integrity Checker Tool (ICT) has been successful in detecting potential compromise on a limited number of customers running ICS 9.X (end of life) and 22.7R2.5 and earlier versions.”
You might also like
- Ivanti warns another critical security flaw is being attacked
- We've rounded up the best password managers
- Take a look at our guide to the best authenticator app
from Latest from TechRadar US in News,opinion https://ift.tt/9UzviIw
Aucun commentaire: