
Ivanti VPN Flaw Under Attack by Chinese Hackers


Ivanti has confirmed that a critical vulnerability in its Connect Secure VPN appliances—originally downplayed as a minor software bug—is now under active exploitation by a sophisticated Chinese state-backed hacking group.

The flaw, now identified as CVE-2025-22457 and rated 9.0 on the CVSS scale, was initially addressed in a February patch. However, Ivanti had mistakenly categorized the issue as a denial-of-service (DoS) bug rather than a high-risk remote code execution (RCE) vulnerability. That misclassification opened the door for attackers to quietly exploit the flaw in the wild.

According to Ivanti’s emergency bulletin released Thursday, the flaw affects Connect Secure versions 22.7R2.5 and earlier, as well as Pulse Connect Secure 9.x, which has already reached end-of-support status. The company now warns that this vulnerability could allow threat actors to remotely execute malicious code on unpatched appliances.

Chinese APT UNC5221 Launches Real-World Attacks

Google’s Mandiant team was first to raise the alarm, confirming that UNC5221, a China-linked advanced persistent threat (APT), is already exploiting the vulnerability in targeted attacks. Mandiant discovered active intrusion attempts dating back to mid-March 2025, where hackers used the bug to implant an in-memory dropper and deploy a passive backdoor for long-term access.

This same APT group had previously conducted zero-day campaigns against NetScaler edge devices in 2023. Now, Mandiant says UNC5221 appears to have reverse-engineered Ivanti’s February patch to discover the deeper implications of the flaw and build a working exploit for unpatched versions.

Exploits Obscured via Compromised Devices

To cover their tracks, the attackers are reportedly routing their activity through a network of hijacked appliances—including Cyberoam firewalls, QNAP storage systems, and ASUS routers. This obfuscation technique makes it harder for defenders to trace the source of the intrusion.

Mandiant suspects the hackers uncovered the RCE potential of the bug after dissecting Ivanti’s February fix for ICS 22.7R2.6. Their analysis revealed that older versions like 22.7R2.5 could be exploited to gain full remote access—a much more severe outcome than the original DoS label suggested.

Ivanti Responds with Patch Guidance and Mitigation Steps

Ivanti is now advising customers to immediately upgrade to version 22.7R2.6, the version where the vulnerability was properly fixed. The company has acknowledged that a “limited number of customers” have already been compromised, particularly those still using outdated or unsupported appliances.

The security team also shared plans to release additional patches for Policy Secure on April 21 and ZTA Gateways on April 19. So far, no active exploitation has been reported on those platforms, but Ivanti recommends applying updates as soon as they become available.

For users who suspect their devices may be compromised, Ivanti recommends using the Integrity Checker Tool (ICT) to scan for signs of intrusion. If compromise is confirmed, customers should perform a factory reset, reconfigure their devices using version 22.7R2.6, and avoid continued use of unsupported legacy hardware.

End-of-Life Warning for Pulse Secure Users

Customers still operating Pulse Connect Secure 9.x—which reached end-of-support on December 31, 2024—are being urged to migrate immediately. Ivanti emphasized that no further updates or support will be provided for outdated versions, leaving users highly vulnerable to future attacks.
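A defender's first step against the guidance above is to find which appliances in an inventory are still below 22.7R2.6 or on end-of-life 9.x. The following is an added example, not Ivanti's code or tooling: it parses Ivanti's "major.minorRrelease.patch" version strings and triages a constructed sample inventory. It assumes that every Connect Secure build below 22.7R2.6 should be treated as affected, which is a conservative reading of "22.7R2.5 and earlier".

```python
import re
from typing import Dict, Tuple

# Fixed release named in Ivanti's guidance; builds below it are treated as affected.
FIXED_VERSION = "22.7R2.6"

# Constructed sample inventory (hostname -> reported version); not real appliances.
SAMPLE_INVENTORY = {
    "vpn-edge-01": "22.7R2.5",
    "vpn-edge-02": "22.7R2.6",
    "vpn-lab-03": "22.7R1.2",
    "vpn-legacy-04": "9.1R18.2",
    "vpn-new-05": "22.8R1.0",
    "vpn-odd-06": "unknown",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a version string such as '22.7R2.5' into a comparable tuple
    (major, minor, release, patch). Raises ValueError on unexpected layouts."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Connect Secure version: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def classify(version: str) -> str:
    """Return 'end-of-life', 'affected' or 'fixed' for one appliance.
    Assumption (ours, not Ivanti's): anything below 22.7R2.6 is affected."""
    parsed = parse_version(version)
    if parsed[0] == 9:  # Pulse Connect Secure 9.x: unsupported since 2024-12-31, no fix coming
        return "end-of-life"
    if parsed < parse_version(FIXED_VERSION):
        return "affected"
    return "fixed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to a status; unparsable versions are flagged for manual review."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unknown-version"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:15} {status}")
```

Hosts reported as "affected" or "end-of-life" are the ones to run the Integrity Checker Tool against first, since a version number alone says nothing about whether a box was already compromised.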

“If your ICT results indicate compromise,” the company said, “a factory reset is necessary before returning to production, and the appliance must run version 22.7R2.6.”

Ivanti’s CSO Warns of Rising Threats to Edge Devices

In a public statement, Daniel Spicer, Ivanti’s Chief Security Officer, stressed that edge network devices remain prime targets for persistent threat actors. He reaffirmed the company’s commitment to transparency and security.

“Ivanti has worked closely with Mandiant to ensure defenders have the details they need to act swiftly,” Spicer said. “While the vulnerability was addressed in February, we urge all customers to follow our security guidance and update to supported versions without delay.”

The ICT has already helped identify breaches in both end-of-life and older supported versions, giving organizations a critical means of detecting and mitigating ongoing threats.
