Dive Brief:
- CISA on Friday added CVE-2025-22457, a critical stack-based buffer-overflow flaw that affects several Ivanti products, to the agency's known exploited vulnerabilities catalog. Ivanti disclosed it on April 3 and warned the flaw has been exploited in the wild.
- The critical vulnerability affects Ivanti Connect Secure as well as Pulse Connect Secure, Ivanti Policy Secure and ZTA gateway products. Ivanti had previously misidentified the flaw as a product bug that could not be exploited remotely.
- Mandiant published research last week that detailed how a suspected Chinese nation-state threat group had been exploiting CVE-2025-22457 since mid-March in a cyber espionage campaign. The attacks were limited to Ivanti Connect Secure VPN appliances.
Dive Insight:
Ivanti said CVE-2025-22457 was exploited in attacks on Ivanti Connect Secure and end-of-support Pulse Connect Secure 9.1x appliances affecting a "limited number of customers." The company said it was not aware of any exploitation against Ivanti Policy Secure instances or ZTA gateways.
The critical vulnerability was initially fixed on Feb. 11 with the release of Ivanti Connect Secure (ICS) version 22.7R2.6. At the time, the software vendor had determined that the flaw was not exploitable for remote code execution and treated it as a product bug rather than a security issue. "However, Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild," the company said in the advisory.
Mandiant said that while Ivanti believed CVE-2025-22457 was a low-risk denial-of-service flaw, a China-nexus threat group tracked as UNC5221 analyzed the vulnerability and discovered it was far more impactful. "We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution," the company wrote in a blog post.
UNC5221 has previously exploited Ivanti vulnerabilities to gain initial access to victims' networks. For example, in January, Mandiant reported that CVE-2025-0282, a zero-day vulnerability that also stems from a stack buffer-overflow issue, was exploited in the wild by another China-nexus group that researchers believe is associated with UNC5221.
"This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups. These actors will continue to research security vulnerabilities and develop custom malware for enterprise systems that don’t support EDR solutions. The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase, and these actors are better than ever," Charles Carmakal, consulting CTO at Mandiant, said in a statement.
In a statement to Cybersecurity Dive, Ivanti urged customers to take immediate action:
"Customers running ICS 9.X (end of life) and 22.7R2.5 and earlier are encouraged to upgrade as soon as possible and follow the other actions outlined in the Security Advisory. Ivanti's ICT has been successful in detecting potential compromise on a limited number of customers running ICS 9.X (end of life) and 22.7R2.5 and earlier versions," the company said. "As network security devices and edge devices in particular remain a focus of sophisticated and highly persistent threat actors, Ivanti is committed to providing information to ensure defenders can take every possible step to secure their environments."
In addition to upgrading to the latest software versions and running the ICT, CISA recommended Ivanti customers conduct a factory reset of their devices and audit all accounts with privileged access "for the highest level of confidence."