Ivanti has disclosed a critical security flaw affecting its Connect Secure product, now known to be actively exploited in the wild. This vulnerability, tracked as CVE-2025-22457 and rated at a CVSS score of 9.0, is a stack-based buffer overflow that attackers can exploit to execute arbitrary code on affected systems.
Overview of the Vulnerability
According to Ivanti, versions of the following products are affected:
Ivanti has acknowledged a limited number of exploited connections on its Connect Secure and Pulse Connect Secure appliances, with no evidence of abuse on Policy Secure or ZTA gateways.
Recommendations for Users
Customers are advised to monitor the external Integrity Checker Tool (ICT) for unusual web server crashes. If any signs of compromise are found, a factory reset followed by reinstallation of the updated version is recommended.
Malware Delivery Mechanism
Google’s Mandiant has reported that exploitation of CVE-2025-22457 can be traced back to mid-March 2025, when threat actors used it to deploy an in-memory dropper known as TRAILBLAZE. The dropper injects a passive backdoor, referred to as BRUSHFIRE, directly into the memory of running web processes, a technique chosen specifically to evade detection.
Understanding the SPAWN Malware Ecosystem
The SPAWN suite includes tools that facilitate malicious activities, such as:
Attribution of the SPAWN malware ecosystem has been connected to UNC5221, a China-nexus adversary with a history of exploiting zero-days in Ivanti products.
Final Thoughts
Checking that systems are patched to protect against threats such as TRAILBLAZE and BRUSHFIRE is crucial for stakeholders relying on Ivanti solutions. Understanding your system’s vulnerabilities and promptly addressing them is key to minimizing risk.
For more information on protecting your digital assets, consider our tailored security solutions.