A critical security vulnerability, CVE-2025-22457, was disclosed by Ivanti, affecting Ivanti Connect Secure (ICS) VPN appliances. The vulnerability is a buffer overflow that allows remote code execution, and it has been observed being actively exploited in the wild. Two new malware families, TRAILBLAZE and BRUSHFIRE, have been deployed as part of the exploitation. Organizations are strongly urged to upgrade immediately to secure their systems.
Affected: Ivanti Connect Secure VPN appliances, UNC5221 espionage actor, various edge devices
Key points:
- Ivanti disclosed CVE-2025-22457 affecting ICS VPN appliances version 22.7R2.5 and earlier.
- This vulnerability allows for remote code execution through a buffer overflow.
- Active exploitation in the wild has been observed against ICS 9.X and 22.7R2.5.
- Evidence of exploitation began to surface in mid-March 2025.
- Malware families TRAILBLAZE (an in-memory dropper) and BRUSHFIRE (a passive backdoor) were deployed following exploitation.
- The SPAWN ecosystem of malware, attributed to the UNC5221 actor, was also observed.
- A patch for CVE-2025-22457 was released in February 2025, and customers are encouraged to upgrade immediately.
- Mandiant observed specific post-exploitation behavior and tooling used by the threat actor.
- UNC5221 has a history of exploiting zero-day vulnerabilities, impacting various global entities.
- Mandiant recommends organizations apply patches and monitor for suspicious activities.
MITRE Techniques:
- T1068: Exploitation of Vulnerability – Exploited CVE-2025-22457 leading to remote code execution.
- T1203: Exploitation for Client Execution – Used in the deployment of TRAILBLAZE and BRUSHFIRE malware.
- T1047: Windows Management Instrumentation – Utilized techniques identified during the exploitation phase.
- T1071: Application Layer Protocol – Communication via SSL_read and SSL_write in BRUSHFIRE.
Indicators of Compromise:
- [MD5] 4628a501088c31f53b5c9ddf6788e835 (Filename: /tmp/.i, Description: In-memory dropper for TRAILBLAZE)
- [MD5] e5192258c27e712c7acf80303e68980b (Filename: /tmp/.r, Description: Passive backdoor for BRUSHFIRE)
- [MD5] 6e01ef1367ea81994578526b3bd331d6 (Filename: /bin/dsmain, Description: Kernel extractor and encryptor for SPAWNSNARE)
- [MD5] ce2b6a554ae46b5eb7d79ca5e7f440da (Filename: /lib/libdsupgrade.so, Description: Implant utility for SPAWNWAVE)
- [MD5] 10659b392e7f5b30b375b94cae4fdca0 (Filename: /tmp/.liblogblock.so, Description: Log tampering utility for SPAWNSLOTH)
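The file-based indicators above can be checked on a forensic copy or mounted image of an appliance filesystem. The script below is an added example written for this summary, not tooling from Ivanti or Mandiant; it takes the page's path/MD5 pairs, reports whether each path is absent, present with a matching hash, or present with a different hash, and the `root` parameter (assumed here) lets it run against a mounted image rather than the live root.

```python
"""Check a filesystem (or mounted image) for the CVE-2025-22457 post-exploitation IoCs."""
import hashlib
import os

# Path -> MD5 pairs exactly as listed in the advisory summary above.
ICS_IOCS = {
    "/tmp/.i": "4628a501088c31f53b5c9ddf6788e835",               # TRAILBLAZE in-memory dropper
    "/tmp/.r": "e5192258c27e712c7acf80303e68980b",               # BRUSHFIRE passive backdoor
    "/bin/dsmain": "6e01ef1367ea81994578526b3bd331d6",           # SPAWNSNARE
    "/lib/libdsupgrade.so": "ce2b6a554ae46b5eb7d79ca5e7f440da",  # SPAWNWAVE
    "/tmp/.liblogblock.so": "10659b392e7f5b30b375b94cae4fdca0",  # SPAWNSLOTH log tampering
}


def md5_of_file(path):
    """Stream the file through MD5 so large binaries do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_iocs(iocs, root="/"):
    """Return {ioc_path: verdict} for every IoC path, resolved under `root`.

    Verdicts: 'absent' (path not found), 'hash_match' (confirmed IoC hit), or
    'present_hash_mismatch' (a file exists at that path but with a different
    hash; this is inconclusive on its own and should be triaged by hand, since
    an implant may be a different build or the path may hold an unrelated file).
    """
    results = {}
    for ioc_path, known_md5 in iocs.items():
        # Strip the leading "/" so the IoC path is joined beneath the chosen root.
        full = os.path.join(root, ioc_path.lstrip("/"))
        if not os.path.isfile(full):
            results[ioc_path] = "absent"
        elif md5_of_file(full) == known_md5.lower():
            results[ioc_path] = "hash_match"
        else:
            results[ioc_path] = "present_hash_mismatch"
    return results


if __name__ == "__main__":
    # Run against the live root by default; pass root="/mnt/image" for a mounted copy.
    for ioc_path, verdict in scan_iocs(ICS_IOCS).items():
        print(f"{verdict:22s} {ioc_path}")
```

Hidden files under /tmp (/tmp/.i, /tmp/.r) are easy to miss in a casual listing, so a path-level hit there is notable even before the hash is compared. Run the check against an offline image where possible, since BRUSHFIRE and SPAWNSLOTH are described above as a passive backdoor and a log tampering utility respectively, and a live compromised host may not report its own state faithfully.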