    Australian Organisations Urged to Patch Ivanti Products Amid Exploited RCE Vulnerability

    April 7, 2025

    CVE-2025-22457

    On April 3, 2025, Ivanti disclosed an unauthenticated stack-based buffer overflow, tracked as CVE-2025-22457, affecting multiple Ivanti products. Australian organisations running Ivanti Connect Secure, Policy Secure or Neurons for ZTA gateways, or the end-of-support Pulse Connect Secure, are urged to act immediately to protect their infrastructure.

    This technical alert aims to provide an in-depth overview of the vulnerability, its exploitation, and guidance on mitigation for technical teams and system administrators.

    Summary of CVE-2025-22457

    • Vulnerability Type: Unauthenticated stack-based buffer overflow (CVSS 9.0, critical)
    • Impact: Remote Code Execution (RCE)
    • Affected Products:
      • Pulse Connect Secure 9.1x (end of support: December 31, 2024; no fix will be issued)
      • Ivanti Connect Secure 22.7R2.5 and earlier (fixed in 22.7R2.6)
      • Ivanti Policy Secure 22.7R1.3 and earlier
      • Ivanti Neurons for ZTA gateways 22.8R2 and earlier

    This vulnerability enables a remote attacker to execute arbitrary code on affected devices without authentication. Ivanti and cybersecurity firm Mandiant have observed active exploitation in the wild targeting unpatched systems, particularly Connect Secure and legacy Pulse Connect Secure appliances.

    Mitigation Guidance from the Australian Cyber Security Centre (ACSC)

    The Australian Signals Directorate’s ACSC has issued urgent mitigation recommendations:

    1. Follow Ivanti’s Official Security Advisory for affected products.
    2. Immediately upgrade to Ivanti Connect Secure 22.7R2.6, released on February 11, 2025, which includes a complete patch for CVE-2025-22457.
    3. Ensure device configurations are in line with Ivanti’s deployment guidance, particularly ensuring Policy Secure is not internet-facing.
    4. Perform forensic investigations to detect any compromise indicators.
    5. Monitor connected environments for anomalous activity or signs of lateral movement.
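    Step 2 above is only actionable if you can tell, for every appliance in the estate, whether its build is below 22.7R2.6. The following Python example is added here and is not part of the ACSC or Ivanti guidance: it parses Ivanti-style version strings ("22.7R2.5", "9.1R18.9") into comparable tuples and triages a constructed inventory against the facts in this advisory. The hostnames and versions in SAMPLE_INVENTORY are made up, and the handling of build suffixes and of fixed builds for Policy Secure and ZTA gateways (none are named on this page) is an assumption noted in the comments.

```python
import re

# Fixed build named in the advisory for Ivanti Connect Secure (released February 11, 2025).
ICS_FIXED = "22.7R2.6"

# Ivanti version strings look like "22.7R2.5", "22.7R2" or "9.1R18.9":
# <major>.<minor>R<release>[.<patch>]. Build suffixes are not handled here (assumption).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(s: str) -> tuple:
    """Turn an Ivanti-style version string into a tuple that compares correctly.

    "22.7R2" is treated as "22.7R2.0", so it sorts below "22.7R2.1".
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {s!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def triage(product: str, version: str) -> str:
    """Classify one appliance against CVE-2025-22457 using only the facts in the advisory."""
    v = parse_version(version)
    if product == "Pulse Connect Secure":
        # 9.1x reached end of support on December 31, 2024: no fix will ship, so migrate.
        if v[:2] == (9, 1):
            return "end-of-life: migrate off 9.1x"
        return "unknown release train: verify with vendor"
    if product == "Ivanti Connect Secure":
        if v >= parse_version(ICS_FIXED):
            return "patched"
        return f"vulnerable: upgrade to {ICS_FIXED} or later"
    if product in ("Ivanti Policy Secure", "Neurons for ZTA"):
        # The advisory lists these as affected but names no fixed build at the time of
        # writing (assumption: treat every build as affected until the vendor fix ships).
        return "affected: keep non-internet-facing, apply vendor fix when released"
    raise ValueError(f"unknown product: {product!r}")


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("vpn-syd-01", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-syd-02", "Ivanti Connect Secure", "22.7R2.6"),
    ("vpn-mel-01", "Pulse Connect Secure", "9.1R18.9"),
    ("nac-bne-01", "Ivanti Policy Secure", "22.7R1.2"),
]


def triage_inventory(rows):
    """Return [(hostname, status)] for every row; vulnerable and end-of-life hosts come first."""
    return [(host, triage(product, version)) for host, product, version in rows]


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```

    Feed it the product and version columns from your CMDB or from the appliance admin console; anything reported as "vulnerable" or "end-of-life" belongs at the top of the patch queue, and a "patched" result still does not rule out a compromise that happened before the upgrade.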

    Technical Analysis and Exploitation Details

    When Ivanti shipped 22.7R2.6 in February 2025, the overflow was assessed as a low-risk denial-of-service bug because the overflowing input is restricted to a small character set (digits and periods), which was thought too narrow to yield controlled code execution. Adversaries later diffed the patched and unpatched builds, located the fix and developed a reliable remote code execution exploit against 22.7R2.5 and earlier. A bug fixed quietly and rated low is still a map to the vulnerability once the patch is public.

    Mandiant’s investigation found exploitation starting in mid-March 2025. This campaign involves:

    • Deployment of two previously unseen malware families:
      • TRAILBLAZE: an in-memory-only dropper.
      • BRUSHFIRE: a passive backdoor that hooks SSL_read in the web process.
    • Use of the previously observed SPAWN malware ecosystem, attributed to the China-nexus espionage actor UNC5221.

    Post-Exploitation Techniques and Malware Overview

    1. Shell Script Dropper: After exploiting CVE-2025-22457, attackers execute a shell script that:

    • Identifies the correct /home/bin/web process.
    • Generates several temporary files:
      • /tmp/.p (PID of the web process)
      • /tmp/.m (memory map of that process)
      • /tmp/.w and /tmp/.s (base addresses of the web binary and libssl)
      • /tmp/.r and /tmp/.i (the BRUSHFIRE and TRAILBLAZE payloads)
    • Executes /tmp/.i (TRAILBLAZE dropper).
    • Cleans up all temporary files and kills child processes for stealth.

    2. TRAILBLAZE

    • Written in C, using raw syscalls and optimized for stealth.
    • Injects BRUSHFIRE into a code cave in the running /home/bin/web process.
    • Non-persistent—reboot removes the payload unless re-executed.

    3. BRUSHFIRE

    • Hooks SSL_read in the web process so it can inspect decrypted requests.
    • Checks for a specific byte signature in decrypted traffic.
    • On match, executes decrypted shellcode, and uses SSL_write to exfiltrate responses.

    4. SPAWN Ecosystem Components

    • SPAWNSLOTH: Tampers with the dslogserver process to disable local and remote logging.
    • SPAWNSNARE: Extracts the uncompressed Linux kernel image (vmlinux) and encrypts it.
    • SPAWNWAVE: Combines features from SPAWNANT and SPAWNCHIMERA for broader functionality.

    Attribution to UNC5221

    The Google Threat Intelligence Group (GTIG) and Mandiant attribute this exploitation campaign to UNC5221, a China-nexus espionage actor known for:

    • Zero-day exploits targeting edge devices.
    • Previous campaigns involving:
      • CVE-2023-46805 and CVE-2024-21887 (Ivanti Connect Secure, chained for unauthenticated RCE)
      • CVE-2025-0282 (Ivanti Connect Secure)
      • CVE-2023-4966 (Citrix NetScaler ADC/Gateway)

    UNC5221 continues to operate with a high level of sophistication, using:

    • Custom tooling.
    • Passive backdoors.
    • Obfuscated command-and-control networks utilizing compromised Cyberoam, QNAP, and ASUS devices.

    Risk Context for Affected Products

    • Pulse Connect Secure 9.1x: End-of-life, no further patches. Immediate migration required.
    • Ivanti Connect Secure ≤ 22.7R2.5: High risk—actively exploited.
    • Ivanti Policy Secure: Should not be internet-facing; risk is substantially reduced when deployed behind a firewall as Ivanti's guidance requires.
    • Neurons for ZTA: Exploitation is not feasible in production as per Ivanti.

    What Organizations Should Do Now

    • Patch all Ivanti Connect Secure deployments to 22.7R2.6 or later.
    • If using Pulse Connect Secure 9.1x, migrate immediately—the product is deprecated.
    • Validate system configurations and eliminate internet-facing exposure where inappropriate.
    • Conduct threat hunts, including memory forensics, for TRAILBLAZE and BRUSHFIRE; both live only in the memory of the /home/bin/web process, so a disk-only inspection of a running appliance can miss them.
    • Inspect for indicators of compromise (IoCs) such as modified logs or unknown processes.

    Monitoring and Response

    • Implement network- and host-based detection rules.
    • Watch for anomalous TLS sessions to the appliance and for injected shellcode patterns in the web process.
    • Enable and retain full packet capture where possible.
    • Run Ivanti's Integrity Checker Tool (ICT), both the internal and external versions, and review its output; if it reports compromise, factory reset the appliance before upgrading to 22.7R2.6.
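    Two of the indicators described above lend themselves to simple hunting logic: the hidden temporary files the shell script drops under /tmp (which it deletes after TRAILBLAZE runs, so their absence proves nothing), and the silence that follows SPAWNSLOTH disabling dslogserver. The Python example below is added here and is not Ivanti's or Mandiant's tooling; the file listing and log lines are constructed for the example, and the log line format ("<ISO timestamp> <host> <process>: <message>") is an assumption to be adapted to your collector's output.

```python
import re
from datetime import datetime, timedelta

# Temporary files the post-exploitation shell script writes (names from the analysis summarised above).
DROPPER_ARTIFACTS = {"/tmp/.p", "/tmp/.m", "/tmp/.w", "/tmp/.s", "/tmp/.r", "/tmp/.i"}

_HIDDEN_TMP_RE = re.compile(r"^/tmp/\.[^/]+$")


def find_dropper_artifacts(paths):
    """Split a file listing into (known dropper artifacts, other hidden files directly under /tmp).

    The script deletes its files once TRAILBLAZE has run, so an empty first list is not a clean
    bill of health; the second list catches renamed variants that deserve a closer look.
    """
    known = sorted(p for p in paths if p in DROPPER_ARTIFACTS)
    other_hidden = sorted(p for p in paths if _HIDDEN_TMP_RE.match(p) and p not in DROPPER_ARTIFACTS)
    return known, other_hidden


# Assumed log line shape for this example: "<ISO-8601 timestamp> <host> <process>: <message>".
# Real appliance exports differ; adjust the regex to your collector's format.
_LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+):\s*(.*)$")


def find_log_gaps(lines, max_gap=timedelta(hours=1)):
    """Return (gap_start, gap_end, duration) for every silent stretch longer than max_gap.

    SPAWNSLOTH disables dslogserver logging, so the tell-tale is not a hostile log entry but the
    absence of entries from a normally chatty source; tune max_gap to the appliance's baseline.
    """
    stamps = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m:
            stamps.append(datetime.fromisoformat(m.group(1)))
    stamps.sort()
    return [(prev, cur, cur - prev) for prev, cur in zip(stamps, stamps[1:]) if cur - prev > max_gap]


# Constructed sample data (not from a real incident).
SAMPLE_TMP_LISTING = ["/tmp/.p", "/tmp/.i", "/tmp/.cache", "/tmp/sess_abc", "/var/tmp/.m"]
SAMPLE_LOG = [
    "2025-03-20T02:00:11 ics01 dslogserver: user admin logged in",
    "2025-03-20T02:15:40 ics01 web: request served",
    "2025-03-20T02:30:05 ics01 dslogserver: session renewed",
    "2025-03-20T07:45:12 ics01 dslogserver: log service restarted",
    "2025-03-20T07:46:00 ics01 web: request served",
]

if __name__ == "__main__":
    known, other = find_dropper_artifacts(SAMPLE_TMP_LISTING)
    print("dropper artifacts present:", known)
    print("other hidden files under /tmp:", other)
    for start, end, gap in find_log_gaps(SAMPLE_LOG):
        print(f"log silence of {gap} between {start} and {end}")
```

    Run the gap check against logs forwarded off the appliance rather than logs read from it, since a tampered dslogserver controls what the appliance itself will show you; a gap that coincides with a burst of unexplained TLS sessions is the pattern to escalate.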

    Conclusion

    This active exploitation campaign targeting CVE-2025-22457 is a serious threat to Australian organisations using Ivanti products. The vulnerability, initially underestimated as a denial-of-service bug, has proven to be a viable remote code execution vector in the hands of a capable actor. Given the direct involvement of UNC5221, known for high-impact espionage operations, timely patching and robust monitoring are essential.

    Organizations should treat this advisory with urgency, prioritize upgrading vulnerable appliances, and assess the integrity of affected environments. In the evolving threat landscape, proactive defense and adherence to vendor and ACSC guidance remain critical to securing edge infrastructure.
