National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team works to raise the level of cyber security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, the banks and the communications providers of the Republic of Cyprus.

Critical Ivanti Vulnerability (CVE-2025-22457)

07 April 2025

The Digital Security Authority (DSA) wants to bring to your attention a vulnerability affecting Ivanti products.


Technical Details

CVE-2025-22457 is a critical stack-based buffer overflow vulnerability affecting multiple Ivanti products, including Connect Secure (ICS), Policy Secure (IPS), and ZTA Gateways. The flaw allows remote unauthenticated attackers to execute arbitrary code, potentially leading to full system compromise. It has been actively exploited since mid-March 2025 by the Chinese state-sponsored threat group UNC5221, which has deployed malware strains such as TRAILBLAZE and BRUSHFIRE to maintain persistent access.

The vulnerability exists due to improper handling of memory operations, resulting in a stack-based buffer overflow. Attackers can exploit this flaw to overwrite critical memory areas and achieve arbitrary code execution. Because it is remotely exploitable without authentication, the vulnerability is particularly dangerous: it allows attackers to compromise devices without any user interaction. UNC5221's exploitation method involves deploying TRAILBLAZE, an in-memory dropper that injects malicious payloads, and BRUSHFIRE, a backdoor that enables stealthy and persistent control over infected systems. The presence of these malware strains indicates a highly sophisticated attack campaign targeting government, financial, and enterprise networks.


Affected Products

This vulnerability affects:

  • Ivanti Connect Secure (ICS) – Versions prior to 22.7R2.6
  • Ivanti Policy Secure (IPS) – Versions prior to 22.7R1.4
  • Ivanti ZTA Gateways – Versions prior to 22.8R2.2


Recommendations

The Digital Security Authority recommends updating Ivanti Connect Secure (ICS) to 22.7R2.6 or later, Policy Secure (IPS) to 22.7R1.4 or later, and ZTA Gateways to 22.8R2.2 or later. Monitor for the TRAILBLAZE and BRUSHFIRE malware, check logs for unusual activity, and restrict network access to the appliances. Implement firewalls, intrusion detection systems and multi-factor authentication, and conduct security audits. If a device is compromised, isolate the affected systems, reset credentials, and follow Ivanti's security advisories for updates.


References

  1. Common Vulnerabilities & Exposures


The information presented in this report is based on available data up to the 4th of April 2025.
