Ivanti on Thursday rushed out documentation for a critical flaw in its Connect Secure VPN appliances and confirmed a related Mandiant warning that a Chinese APT is actively exploiting the vulnerability.
The software defect, tagged as CVE-2025-22457 with a CVSS severity score of 9/10, was originally patched in February but was not properly documented because it was triaged as a denial-of-service “product bug.”
The company said it found out, via in-the-wild exploitation, that the issue was more than a software crashing issue and actually exposed users to remote hacker attacks.
“Successful exploitation could lead to remote code execution,” Ivanti said in a new bulletin. The bug affects Ivanti Connect Secure versions 22.7R2.5 and earlier, as well as end-of-support Pulse Connect Secure 9.x.
“We are aware of a limited number of customers whose Ivanti Connect Secure (22.7R2.5 or earlier) and End-of-Support Pulse Connect Secure 9.1x appliances have been exploited at the time of disclosure,” the company said.
The Ivanti emergency guidance lands on the same day Google’s Mandiant threat intelligence team said it has seen “evidence of active exploitation in the wild” against targeted Ivanti devices.
“The earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025,” Mandiant said, noting that a China-nexus threat actor used the bug to deploy an in-memory only dropper and a passive backdoor.
The APT, currently tracked by Mandiant as UNC5221, was previously seen conducting zero-day exploitation of Netscaler edge devices dating back to 2023.
Mandiant believes the Chinese hacking gang reversed the February Ivanti patch and determined it was much more than a denial-of-service bug.
“We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution,” Mandiant added.
The incident response team has also seen evidence that the professional Chinese hackers are making use of an obfuscation network of compromised Cyberoam appliances, QNAP devices, and ASUS routers to mask their true source during intrusion operations.
Beyond Ivanti Connect Secure, Ivanti’s security response team plans to release patches for its Policy Secure and ZTA Gateways. While the Policy Secure fix is slated for release on April 21 and the ZTA Gateways update on April 19, neither platform has yet been observed under active attack.
Ivanti customers are urged to update to Connect Secure version 22.7R2.6 without delay and to migrate away from unsupported Pulse Connect Secure appliances.
“This [Pulse Secure] solution reached End-of-Support on December 31, 2024, and no longer receives any code changes. Ivanti cannot provide guidance to customers to stay on an unsupported version. Customers’ only option is to migrate to a secure platform to ensure their security,” the company said.
The company is also encouraging corporate defenders to monitor external ICT and look for web server crashes. “If your ICT result shows signs of compromise, you should perform a factory reset on the appliance and then put the appliance back into production using version 22.7R2.6,” Ivanti said.
UPDATE: A statement from Ivanti chief security officer Daniel Spicer:
“Network security devices and edge devices in particular are a focus of sophisticated and highly persistent threat actors, and Ivanti is committed to providing information to defenders to ensure they can take every possible step to secure their environments.
To this end, in addition to providing an advisory directly to customers, Ivanti worked closely with its partner Mandiant to provide additional information regarding this recently addressed vulnerability. Importantly, this vulnerability was fixed in ICS 22.7R2.6, released February 11, 2025, and customers running supported versions on their appliances and in accordance with the guidance provided by Ivanti have a significantly reduced risk.
Ivanti’s Integrity Checker Tool (ICT) has been successful in detecting potential compromise on a limited number of customers running ICS 9.X (end of life) and 22.7R2.5 and earlier versions.”
Related: CISA Sets 48-Hour Deadline for Removal of Insecure Ivanti Products
Related: Details on Ivanti Exploits Chains: What Network Defenders Need to Know
Related: Ivanti Warns of New Zero-Day Attacks Hitting Connect Secure Product
Related: Ivanti CEO Vows Cybersecurity Makeover After Zero-Day Blitz
Related: CISA Issues Emergency Directive on Ivanti Zero-Days
