Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457)

    Date: 04/04/2025

    Severity: Medium

    Summary

A suspected China-linked group, UNC5221, is exploiting a critical vulnerability (CVE-2025-22457) in Ivanti Connect Secure VPN appliances (versions 22.7R2.5 and earlier). The flaw, initially assessed as a denial-of-service bug only, allows remote code execution. Active exploitation was detected in March 2025, deploying new malware including TRAILBLAZE and the BRUSHFIRE passive backdoor. Ivanti released patches in February 2025 and urges customers to upgrade to protect against the attack.

    Indicators of Compromise (IOC) List

    Hash (MD5)

    4628a501088c31f53b5c9ddf6788e835

    e5192258c27e712c7acf80303e68980b

    6e01ef1367ea81994578526b3bd331d6

    ce2b6a554ae46b5eb7d79ca5e7f440da

    10659b392e7f5b30b375b94cae4fdca0

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    md5hash IN ("6e01ef1367ea81994578526b3bd331d6","4628a501088c31f53b5c9ddf6788e835","e5192258c27e712c7acf80303e68980b","ce2b6a554ae46b5eb7d79ca5e7f440da","10659b392e7f5b30b375b94cae4fdca0")
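    The query above is a straightforward set membership test on the md5hash field. The following Python script is an added example, not part of the original advisory or the Gurucul product, showing the same logic run offline over a few constructed JSON log lines. The five hash values are the advisory's published IoCs; the host names, paths and the non-matching hash are made up for illustration. Real telemetry often carries hashes in mixed case or with stray whitespace, so the example normalises the field before comparing and skips records that are not JSON or lack a usable hash rather than failing on them.

```python
import json

# MD5 hashes published in the advisory above (page IoCs, not constructed).
IOC_MD5 = {
    "4628a501088c31f53b5c9ddf6788e835",
    "e5192258c27e712c7acf80303e68980b",
    "6e01ef1367ea81994578526b3bd331d6",
    "ce2b6a554ae46b5eb7d79ca5e7f440da",
    "10659b392e7f5b30b375b94cae4fdca0",
}

# Constructed sample telemetry (JSON lines). Host names, paths and the
# all-zero hash are made up; only the IoC hashes come from the advisory.
SAMPLE_LOGS = [
    '{"host": "ics-vpn-01", "path": "/tmp/sample-a", "md5hash": "4628A501088C31F53B5C9DDF6788E835"}',
    '{"host": "ics-vpn-01", "path": "/tmp/sample-b", "md5hash": "00000000000000000000000000000000"}',
    '{"host": "ics-vpn-02", "path": "/tmp/sample-c", "md5hash": " ce2b6a554ae46b5eb7d79ca5e7f440da "}',
    '{"host": "ics-vpn-02", "path": "/tmp/sample-d"}',
    'not json at all',
]


def normalize_md5(value):
    """Return a lowercase 32-hex-character MD5 string, or None if the value is not one."""
    if not isinstance(value, str):
        return None
    v = value.strip().lower()
    if len(v) != 32 or any(c not in "0123456789abcdef" for c in v):
        return None
    return v


def match_iocs(lines, iocs=IOC_MD5):
    """Offline equivalent of the advisory's `md5hash IN (...)` query.

    Returns a list of (line_number, host, md5) tuples, one per matching record.
    Lines that are not JSON objects, or whose md5hash field is missing or
    malformed, are skipped instead of raising so one bad line does not stop
    the sweep.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if not isinstance(rec, dict):
            continue
        h = normalize_md5(rec.get("md5hash"))
        if h is not None and h in iocs:
            hits.append((n, rec.get("host"), h))
    return hits


if __name__ == "__main__":
    for n, host, h in match_iocs(SAMPLE_LOGS):
        print(f"line {n}: host={host} md5={h}")
```

Running the script flags lines 1 and 3 of the sample: the first because the hash matched despite being upper case, the third despite the surrounding whitespace. A hit on any of these hashes on an Ivanti Connect Secure appliance is grounds for isolating the device and starting incident response, not merely for patching.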

    Reference:

    https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability


    Tags

    Malware, Vulnerability, Threat Actor, China-Nexus, CVE-2025, Exploit, Backdoor, TRAILBLAZE, BRUSHFIRE
