
Updated 23:00 with comment from Ivanti's CSO.
An Ivanti vulnerability patched on February 11 as a low-risk and low-severity bug is actually a critical remote code execution (RCE) vulnerability that can be exploited by remote attackers without authentication – and exploitation is happening in the wild, says Mandiant.
A Chinese APT tracked by Mandiant as UNC5221 is using the vulnerability, allocated CVE-2025-22457, to drop previously unseen malware (including a backdoor dubbed BACKBLAZE) “directly into the memory of a running web process.”
The threat group is clearly well versed in Ivanti’s products and their attack surface: Mandiant said the same actor has also previously exploited Ivanti vulnerabilities CVE-2025-0282, CVE-2023-46805, and CVE-2024-21887.
The vulnerability is a buffer overflow with characters limited to periods and numbers; it was evaluated and determined not to be exploitable as remote code execution and didn’t meet the requirements of denial of service. However, Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild – Ivanti.
Ivanti said it is aware of a “limited number of customers” who have had their Ivanti Connect Secure appliances compromised. (That’s what Ivanti itself describes in its product sheets as “the most widely deployed SSL VPN for organisations of any size across every major industry…”)
An April 3 Ivanti security advisory said: “If your ICT result shows signs of compromise, you should perform a factory reset on the appliance and then put the appliance back into production using version 22.7R2.6.”
Mandiant said today that exploitation of the bug, CVE-2025-22457, “allows the attacker to establish persistent backdoor access on the compromised appliance, potentially enabling credential theft, further network intrusion, and data exfiltration.”
CVE-2025-22457 impacts Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2. Only Connect Secure has so far been seen exploited.
February’s patch mitigates the risk, but those who didn’t update at the time should urgently do so.
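Because the advisory states fixes as "before version X" for three products, the practical first step for a defender is to compare every appliance's reported version against the fixed release for its product. The script below is an added example, not code from Ivanti or Mandiant: it parses version strings of the form `MAJOR.MINOR R RELEASE[.PATCH]` (an assumed simplification of Ivanti's numbering; anything that does not match is reported as "unknown" rather than silently treated as safe), compares them numerically so that, for instance, 22.7R2.10 is correctly ranked above 22.7R2.6, and triages a constructed sample inventory. The fixed versions are the ones quoted in this article; the hostnames and inventory are made up.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases quoted in the Ivanti advisory described above.
FIXED_VERSIONS: Dict[str, str] = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.4",
    "Ivanti ZTA Gateways": "22.8R2.2",
}

# Assumed version syntax: MAJOR.MINOR R RELEASE [.PATCH], e.g. "22.7R2.5" or "9.1R18.3".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn an Ivanti-style version string into a tuple that compares numerically.

    A missing patch component is treated as 0. Raises ValueError for strings
    that do not match the assumed syntax, so callers cannot mistake garbage for
    a patched appliance.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True if the appliance runs a release older than the fixed one for its product.

    Tuple comparison is numeric per component, so "22.7R2.10" is newer than
    "22.7R2.6" even though a plain string comparison would say otherwise.
    """
    fixed = FIXED_VERSIONS[product]
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group (hostname, product, version) records into vulnerable/patched/unknown.

    Unknown products or unparseable versions land in "unknown" so that they are
    investigated by hand instead of being dropped from the patch list.
    """
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for hostname, product, version in inventory:
        if product not in FIXED_VERSIONS:
            buckets["unknown"].append(hostname)
            continue
        try:
            vulnerable = is_vulnerable(product, version)
        except ValueError:
            buckets["unknown"].append(hostname)
            continue
        buckets["vulnerable" if vulnerable else "patched"].append(hostname)
    return buckets


# Constructed sample inventory (hostnames and versions are invented for the example).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("vpn-a", "Ivanti Connect Secure", "22.7R2.5"),   # one patch level behind the fix
    ("vpn-b", "Ivanti Connect Secure", "22.7R2.6"),   # exactly the fixed release
    ("vpn-c", "Ivanti Connect Secure", "9.1R18.3"),   # end-of-life 9.x branch
    ("nac-1", "Ivanti Policy Secure", "22.7R1.4"),    # fixed release for Policy Secure
    ("zta-1", "Ivanti ZTA Gateways", "22.8R2.1"),     # behind the ZTA fix
    ("vpn-d", "Ivanti Connect Secure", "unknown"),    # version not reported
]


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

Anything in the "vulnerable" bucket should be updated to the fixed release, and, per the advisory quoted above, checked with the Integrity Checker Tool before being trusted again; anything in "unknown" needs its version confirmed by hand rather than assumed safe.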
Mandiant has more details and IOCs here.
Daniel Spicer, Ivanti CSO, said: "Network security devices and edge devices in particular are a focus of sophisticated and highly persistent threat actors, and Ivanti is committed to providing information to defenders to ensure they can take every possible step to secure their environments.
"To this end, in addition to providing an advisory directly to customers, Ivanti worked closely with its partner Mandiant to provide additional information regarding this recently addressed vulnerability. Importantly, this vulnerability was fixed in ICS 22.7R2.6, released February 11, 2025, and customers running supported versions on their appliances and in accordance with the guidance provided by Ivanti have a significantly reduced risk. Ivanti’s Integrity Checker Tool (ICT) has been successful in detecting potential compromise on a limited number of customers running ICS 9.X (end of life) and 22.7R2.5 and earlier versions.”