Suspected Chinese hackers exploit new vulnerability in Ivanti firewalls

07.04.2025 | 2 minutes | Author: Newsman

CISA warns of active exploitation of a new vulnerability, CVE-2025-22457, in Ivanti products by hackers associated with China. Despite the released patch, attacks have been carried out even on government customers, and devices that are no longer supported by the manufacturer have been affected.

The vulnerability affects Ivanti Connect Secure, Policy Secure and ZTA Gateways, which government agencies and large organizations widely use for secure remote access. The attack is attributed to the UNC5221 group, which, according to Mandiant and Google Threat Intelligence Group, conducts espionage operations for China.

The hackers used the bug to deploy a complex malware ecosystem known as Spawn, as well as the Brushfire backdoor. The first cases of exploitation were recorded in mid-March.

Ivanti stressed that the problem mainly affects older devices that are no longer supported, and advised customers to upgrade to current platforms. Affected users are advised to check the device with the integrity checker tool and then perform a full reset of it.

This is not the first incident related to Ivanti products. In January, hackers from the same group already used CVE-2025-0282, and earlier CVE-2023-46805 and CVE-2024-21887. UNC5221 specializes in attacks on edge devices, using the infrastructure of compromised routers and servers (Cyberoam, QNAP, ASUS) to hide its actions. The vulnerability was initially considered unexploited, but sophisticated techniques for exploiting it were later confirmed.

Ivanti once again warns customers against using outdated equipment. Experts urge the industry to independently verify risks and the effectiveness of patches, and warn that vulnerabilities in critical devices remain the main attack vector for state groups.
