Dive Brief:

• A significant stack-based buffer-overflow vulnerability that impacts multiple Ivanti products, CVE-2025-22457, was added to CISA's list of known exploited vulnerabilities on Friday. On April 3, Ivanti revealed it and cautioned that the vulnerability has been used in the wild.
• Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA gateway products are all impacted by the serious vulnerability. Ivanti has previously mislabeled the defect as a remotely exploitable product problem.
• Last week, Mandiant released data that described how a suspected Chinese nation-state threat group has been using CVE-2025-22457 in a cyber espionage campaign since mid-March. Ivanti Connect Secure VPN appliances were the only targets of the assaults.

Dive Insight:

• Ivanti said CVE-2025-22457 was exploited in attacks on Ivanti Connect Secure and end-of-support Pulse Connect Secure 9.1x appliances affecting a “limited number of customers.” The company said it was not aware of any exploitation against Ivanti Policy Secure instances or ZTA gateways.
• The critical vulnerability was initially fixed on Feb. 11 with the release of Ivanti Connect Secure (ICS) version 22.7R2.6. At the time, the software vendor had determined the flaw was exploitable in remote code execution attacks. “However, Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild,” the company said in the advisory.
• Mandiant said that while Ivanti believed CVE-2025-22457 was a low-risk denial-of-service flaw, a China-nexus threat group tracked as UNC5221 analyzed the vulnerability and discovered it was far more impactful. “We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution,” the company wrote in a blog post.
• UNC5221 has previously exploited Ivanti vulnerabilities to gain initial access to victims’ networks. For example, in January, Mandiant reported that CVE-2025-0282, a zero-day vulnerability that also stems from a stack buffer-overflow issue, was exploited in the wild by another China-nexus group that researchers believe is associated with UNC5221.
• This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups. These actors will continue to research security vulnerabilities and develop custom malware for enterprise systems that don’t support EDR solutions. The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase, and these actors are better than ever, Charles Carmakal, consulting CTO at Mandiant, said in a statement.

In a statement to Cybersecurity Dive, Ivanti urged customers to take immediate action:

• Customers running ICS 9.X (end of life) and 22.7R2.5 and earlier are encouraged to upgrade as soon as possible and follow the other actions outlined in the Security Advisory. Ivanti’s ICT has been successful in detecting potential compromise on a limited number of customers running ICS 9.X (end of life) and 22.7R2.5 and earlier versions,” the company said. “As network security devices and edge devices in particular remain a focus of sophisticated and highly persistent threat actors, Ivanti is committed to providing information to ensure defenders can take every possible step to secure their environments.
• In addition to upgrading to the latest software versions and running the ICT, CISA recommended Ivanti customers conduct a factory reset of their devices and audit all accounts with privileged access “for the highest level of confidence.”