Ivanti has launched safety updates to patch a important Join Safe distant code execution vulnerability exploited by a China-linked espionage actor to deploy malware since not less than mid-March 2025.
Tracked as CVE-2025-22457, this important safety flaw is because of a stack-based buffer overflow weak spot. It impacts Pulse Join Safe 9.1x (which reached end-of-support in December), Ivanti Join Safe 22.7R2.5 and earlier, Coverage Safe, and Neurons for ZTA gateways.
In keeping with Ivanti’s advisory, distant risk actors can exploit it in high-complexity assaults that do not require authentication or person interplay. The corporate patched the vulnerability on February 11, 2025, with the discharge of Ivanti Join Safe 22.7R2.6 after initially tagging it as a product bug.
“The vulnerability is a buffer overflow with characters restricted to intervals and numbers, it was evaluated and decided to not be exploitable as distant code execution and did not meet the necessities of denial of service,” Ivanti mentioned on Thursday.
“Nonetheless, Ivanti and our safety companions have now realized the vulnerability is exploitable by way of subtle means and have recognized proof of energetic exploitation within the wild. We encourage all prospects to make sure they’re working Ivanti Join Safe 22.7R2.6 as quickly as potential, which remediates the vulnerability.”
Whereas safety patches for ZTA and Ivanti Coverage Safe gateways are nonetheless in growth and can be launched on April 19 and April 21, respectively, Ivanti mentioned that it is “not conscious of any exploitation” focusing on these gateways, which even have what “meaningfully lowered danger from this vulnerability.”
Ivanti additionally suggested admins to observe their exterior Integrity Checker Instrument (ICT) and search for internet server crashes. If any indicators of compromise are found, admins ought to manufacturing unit reset impacted home equipment and put them again in manufacturing utilizing software program model 22.7R2.6.
| Product Title | Affected Model(s) | Resolved Model(s) | Patch Availability |
| Ivanti Join Safe | 22.7R2.5 and prior | 22.7R2.6 (launched February 2025) | Obtain Portal |
| Pulse Join Safe (EoS) | 9.1R18.9 and prior | 22.7R2.6 | Contact Ivanti emigrate |
| Ivanti Coverage Safe | 22.7R1.3 and prior | 22.7R1.4 | April 21 |
| ZTA Gateways | 22.8R2 and prior | 22.8R2.2 | April 19 |
Assaults linked to UNC5221 Chinese language-nexus cyberspies
Whereas Ivanti has but to reveal extra particulars relating to CVE-2025-22457 assaults, Mandiant and Google Menace Intelligence Group (GTIG) safety researchers revealed right this moment {that a} suspected China-nexus espionage actor exploited the vulnerability tracked as UNC5221 since not less than mid-March 2025.
“Following profitable exploitation, we noticed the deployment of two newly recognized malware households, the TRAILBLAZE in-memory solely dropper and the BRUSHFIRE passive backdoor. Moreover, deployment of the beforehand reported SPAWN ecosystem of malware attributed to UNC5221 was additionally noticed,” Mandiant mentioned.
“We assess it’s seemingly the risk actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered by way of a sophisticated course of, it was potential to take advantage of 22.7R2.5 and earlier to realize distant code execution.”
UNC5221 is thought for focusing on zero-day vulnerabilities in community edge gadgets since 2023, together with varied Ivanti and NetScaler home equipment. Most not too long ago, the Chinese language hackers exploited CVE-2025-0282, one other Ivanti Join Safe buffer overflow, to drop new Dryhook and Phasejam malware on compromised VPN home equipment.
One 12 months in the past, the hacking group additionally chained two Join Safe and Coverage Safe zero-days (CVE-2023-46805 and CVE-2024-21887) to remotely execute arbitrary instructions on focused ICS VPN and IPS community entry management (NAC) home equipment. Considered one of their victims was the MITRE Company, which disclosed the breach in April 2024.
Menace intelligence firm Volexity mentioned in January 2024 that UNC5221 had backdoored over 2,100 Ivanti home equipment utilizing the GIFTEDVISITOR webshell in assaults chaining the 2 zero days.
As CISA and the FBI warned in January 2025, attackers are nonetheless breaching susceptible networks utilizing exploits focusing on Ivanti Cloud Service Home equipment (CSA) safety vulnerabilities patched since September. A number of different Ivanti safety flaws have been exploited as zero-days during the last 12 months in opposition to the corporate’s VPN home equipment and ICS, IPS, and ZTA gateways.
Replace April 03, 14:16 EDT: Ivanti CSO Daniel Spicer despatched the next assertion after the story was printed.
Community safety gadgets and edge gadgets particularly are a spotlight of subtle and extremely persistent risk actors, and Ivanti is dedicated to offering info to defenders to make sure they will take each potential step to safe their environments. To this finish, along with offering an advisory on to prospects, Ivanti labored carefully with its associate Mandiant to offer further info relating to this not too long ago addressed vulnerability. Importantly, this vulnerability was mounted in ICS 22.7R2.6, launched February 11, 2025, and prospects working supported variations on their home equipment and in accordance with the steerage offered by Ivanti have a considerably lowered danger. Ivanti’s Integrity Checker Instrument (ICT) has been profitable in detecting potential compromise on a restricted variety of prospects working ICS 9.X (finish of life) and 22.7R2.5 and earlier variations.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK methods behind 93% of assaults and tips on how to defend in opposition to them.
