Classified as a mere bug: critical security vulnerability in Ivanti ICS under attack
Ivanti misjudged a bug in its VPN software Connect Secure. It is in fact a security vulnerability that is now under active attack.
(Image: Created with AI in Bing Creator by heise online / dmk)
The developers initially misjudged a problem in the VPN software Connect Secure (ICS) as a simple bug. It now turns out to be a genuine, critical security vulnerability that attackers already have on their radar and are abusing to compromise vulnerable systems.
In a security advisory, Ivanti warns of the observed attacks on the vulnerability and acknowledges the initial misjudgement. The flaw is a stack-based buffer overflow that has not been explained in further detail. Attackers can abuse it from the network without prior authentication to inject and execute malicious code (CVE-2025-22457, CVSS 9.0, risk "critical").
Attacks originate from China
Google's IT security subsidiary Mandiant has investigated the attacks on the vulnerability, observed since mid-March, together with Ivanti. According to Mandiant's analysis, they can be traced back to a cyber gang from China. This gang installed a memory-only dropper called "Trailblaze" and a passive backdoor called "Brushfire" on the ICS instances. The researchers also observed the distribution of malware from the "Spawn" ecosystem, which is attributed to the China-based APT group UNC5221.
Ivanti openly admits the original misjudgment: "This vulnerability was fully patched in Ivanti Connect Secure 22.7R2.6 (released on February 11, 2025) and originally identified as a bug in the product". The company also explains how it came about: "The vulnerability is a buffer overflow limited to the dot and number characters. The programmers have assessed that the vulnerability cannot be exploited to inject and execute code remotely and does not meet the requirements for a denial of service." Ivanti and its IT security partners have now established that exploitation is possible with sophisticated methods and has already occurred in the wild.
The manufacturer also explains: "We are aware of a limited number of customers whose Ivanti Connect Secure (22.7R2.5 or earlier) and end-of-support Pulse Connect Secure 9.1x appliances were exploited at the time of publication of the vulnerability information." Ivanti recommends that all customers ensure they deploy Ivanti Connect Secure 22.7R2.6, which closes the vulnerability, as soon as possible.
Affected are Ivanti Connect Secure 22.7R2.5 and earlier, Pulse Connect Secure 9.1R18.9 and older (End of Service reached), Ivanti Policy Secure 22.7R1.3 and earlier, and ZTA Gateways 22.8R2 and older. The bug is fixed in Ivanti Connect Secure 22.7R2.6 (available since February, and also serving as the security fix for Pulse Connect Secure), as well as in Ivanti Policy Secure 22.7R1.4 (scheduled for April 21) and ZTA Gateways 22.8R2.2 (expected on April 19).
On Monday of this week, the US IT security authority CISA published the results of an analysis of the malware installed during ongoing attacks on a vulnerability in Ivanti's ICS that has been closed by software updates since January.
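As an added example (not part of the heise article and not Ivanti's own tooling), a small Python check that parses Ivanti version strings of the form shown in this article (major.minor R release[.patch]; that format assumption is mine) and flags inventory entries that fall within the affected ranges listed above, using the article's thresholds literally:

```python
import re
from typing import Tuple

# Version format assumed from the strings in the article: "22.7R2.5", "9.1R18.9", "22.8R2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into a comparable tuple (22, 7, 2, 5); a missing patch counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

# Last affected version per product, as stated in the article (earlier versions are
# affected too). Pulse Connect Secure 9.1x is end of service; its fix is the move to ICS 22.7R2.6.
LAST_AFFECTED = {
    "ivanti-connect-secure": "22.7R2.5",
    "pulse-connect-secure": "9.1R18.9",
    "ivanti-policy-secure": "22.7R1.3",
    "zta-gateways": "22.8R2",
}
FIXED_IN = {
    "ivanti-connect-secure": "22.7R2.6",
    "pulse-connect-secure": "Ivanti Connect Secure 22.7R2.6 (9.1x is end of service)",
    "ivanti-policy-secure": "22.7R1.4",
    "zta-gateways": "22.8R2.2",
}

def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` is at or below the last affected version for CVE-2025-22457."""
    if product not in LAST_AFFECTED:
        raise KeyError(f"unknown product: {product}")
    return parse_version(version) <= parse_version(LAST_AFFECTED[product])

def triage(inventory):
    """Return (host, product, version, fix) for every inventory record that still needs patching."""
    return [(host, product, version, FIXED_IN[product])
            for host, product, version in inventory if is_affected(product, version)]

if __name__ == "__main__":
    # Constructed sample inventory for demonstration, not real hosts.
    sample = [
        ("vpn-a.example", "ivanti-connect-secure", "22.7R2.5"),
        ("vpn-b.example", "ivanti-connect-secure", "22.7R2.6"),
        ("legacy.example", "pulse-connect-secure", "9.1R18.9"),
        ("zta-1.example", "zta-gateways", "22.8R2.2"),
    ]
    for host, product, version, fix in triage(sample):
        print(f"{host}: {product} {version} is affected; upgrade to {fix}")
```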
(dmk)