On Thursday, April 3, 2025, Ivanti disclosed a critical security vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure ("ICS") VPN appliances version 22.7R2.5 and earlier. CVE-2025-22457 is a buffer overflow vulnerability, and successful exploitation would result in remote code execution. Mandiant and Ivanti have identified evidence of active exploitation in the wild against ICS 9.X (end of life) and 22.7R2.5 and earlier versions. Ivanti and Mandiant encourage all customers to upgrade as soon as possible.
The earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025. Following successful exploitation, we observed the deployment of two newly identified malware families, the TRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor. Additionally, deployment of the previously reported SPAWN ecosystem of malware attributed to UNC5221 was also observed. UNC5221 is a suspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge devices dating back to 2023.
A patch for CVE-2025-22457 was released in ICS 22.7R2.6 on February 11, 2025. The vulnerability is a buffer overflow with a limited character space, and therefore it was initially believed to be a low-risk denial-of-service vulnerability. We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered, through a complicated process, that it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution.
Ivanti released patches for the exploited vulnerability and Ivanti customers are urged to follow the actions in the Security Advisory to secure their systems as soon as possible.
Post-Exploitation Tactics, Techniques, and Procedures
Following successful exploitation, Mandiant observed the deployment of two newly identified malware families tracked as TRAILBLAZE and BRUSHFIRE through a shell script dropper. Mandiant has also observed the deployment of the SPAWN ecosystem of malware. Additionally, similar to previously observed behavior, the actor attempted to modify the Integrity Checker Tool (ICT) in an attempt to evade detection.
Shell-script Dropper
Following successful exploitation of CVE-2025-22457, Mandiant observed a shell script being leveraged that executes the TRAILBLAZE dropper. This dropper injects the BRUSHFIRE passive backdoor into a running /home/bin/web process. The first stage begins by searching for a /home/bin/web process that is a child process of another /home/bin/web process (the point of this appears to be to inject into the web process that is actually listening for connections). It then creates the following files and associated content:
- /tmp/.p: contains the PID of the /home/bin/web process.
- /tmp/.m: contains a memory map of that process (human-readable).
- /tmp/.w: contains the base address of the web binary from that process.
- /tmp/.s: contains the base address of libssl.so from that process.
- /tmp/.r: contains the BRUSHFIRE passive backdoor.
- /tmp/.i: contains the TRAILBLAZE dropper.
The shell script then executes /tmp/.i, which is the second stage in-memory only dropper tracked as TRAILBLAZE. It then deletes all of the temporary files previously created (except for /tmp/.p), as well as the contents of the /data/var/cores directory. Next, all child processes of the /home/bin/web process are killed and the /tmp/.p file is deleted. All of this behavior is non-persistent, and the dropper will need to be re-executed if the system or process is rebooted.
TRAILBLAZE
TRAILBLAZE is an in-memory only dropper written in bare C that uses raw syscalls and is designed to be as minimal as possible, likely to ensure it can fit within the shell script as Base64. TRAILBLAZE injects a hook into the identified /home/bin/web process. It will then inject the BRUSHFIRE passive backdoor into a code cave inside that process.
BRUSHFIRE
BRUSHFIRE is a passive backdoor written in bare C that acts as an SSL_read hook. It first executes the original SSL_read function, and checks to see if the returned data begins with a specific string. If the data begins with the string, it will XOR decrypt then execute shellcode contained in the data. If the received shellcode returns a value, the backdoor will call SSL_write to send the value back.
SPAWNSLOTH
As detailed in our previous blog post, SPAWNSLOTH acts as a log tampering component tied to the SPAWNSNAIL backdoor. It targets the dslogserver process to disable both local logging and remote syslog forwarding.
SPAWNSNARE
SPAWNSNARE is a utility that is written in C and targets Linux. It can be used to extract the uncompressed Linux kernel image (vmlinux) into a file and encrypt it using AES without the need for any command line tools.
SPAWNWAVE
SPAWNWAVE is an evolved version of SPAWNANT that combines capabilities from other members of the SPAWN* malware ecosystem. SPAWNWAVE overlaps with the publicly reported SPAWNCHIMERA and RESURGE malware families.
Attribution
Google Threat Intelligence Group (GTIG) attributes the exploitation of CVE-2025-22457 and the subsequent deployment of the SPAWN ecosystem of malware to the suspected China-nexus espionage actor UNC5221. GTIG has previously reported UNC5221 conducting zero-day exploitation of CVE-2025-0282, as well as the exploitation of CVE-2023-46805 and CVE-2024-21887.
Furthermore, GTIG has also previously observed UNC5221 conducting zero-day exploitation of CVE-2023-4966, impacting NetScaler ADC and NetScaler Gateway appliances. UNC5221 has targeted a wide range of countries and verticals during their operations, and has leveraged an extensive set of tooling, spanning passive backdoors to trojanized legitimate components on various edge appliances.
GTIG assesses that UNC5221 will continue pursuing zero-day exploitation of edge devices based on their consistent history of success and aggressive operational tempo. Additionally, as noted in our prior blog post detailing CVE-2025-0282 exploitation, GTIG has observed UNC5221 leveraging an obfuscation network of compromised Cyberoam appliances, QNAP devices, and ASUS routers to mask their true source during intrusion operations.
Conclusion
This latest activity from UNC5221 underscores the ongoing sophisticated threats targeting edge devices globally. This campaign, exploiting the n-day vulnerability CVE-2025-22457, also highlights the persistent focus of actors like UNC5221 on edge devices, leveraging deep device knowledge and adding to their history of using both zero-day and now n-day flaws. This activity aligns with the broader strategy GTIG has observed among suspected China-nexus espionage groups who invest significantly in exploits and custom malware for critical edge infrastructure.
Recommendations
Mandiant recommends organizations immediately apply the available patch by upgrading Ivanti Connect Secure (ICS) appliances to version 22.7R2.6 or later to address CVE-2025-22457. Additionally, organizations should use the external and internal Integrity Checker Tool ("ICT") and contact Ivanti Support if suspicious activity is identified. To supplement this, defenders should actively monitor for core dumps related to the web process, investigate ICT statedump files, and conduct anomaly detection of client TLS certificates presented to the appliance.
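The last recommendation, anomaly detection of client TLS certificates presented to the appliance, is the one that needs a little logic rather than a product setting, so here is an added example of a baseline-and-flag check. It is not code from the blog post, Mandiant or Ivanti, and the log line format it parses (timestamp, user=, cert_sha256=, issuer=) is constructed for the example; the real ICS log format and field names are not on the page, so the regex would need to be adapted to whatever the appliance actually emits. It flags three things a defender would want to see: a certificate from an issuer outside the expected CA set, a user presenting a certificate never seen for them during the baseline window, and one certificate presented under more than one username.

```python
"""Baseline-and-flag anomaly detection for client TLS certificates.

Added example (not from the blog post or Ivanti). The log format is
constructed for the example; adapt LINE_RE to the appliance's real logs.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed format: "<ts> user=<name> cert_sha256=<hex> issuer=<subject>"
LINE_RE = re.compile(
    r"user=(?P<user>\S+)\s+cert_sha256=(?P<fp>[0-9a-f]{8,64})\s+issuer=(?P<issuer>.+)$"
)

Finding = Tuple[str, str, str]  # (kind, user(s), fingerprint)


def parse(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Extract user / fingerprint / issuer from lines that match the format."""
    events = []
    for line in lines:
        m = LINE_RE.search(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def build_baseline(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """user -> set of certificate fingerprints seen in the baseline window."""
    base: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        base[e["user"]].add(e["fp"])
    return base


def detect(events: List[Dict[str, str]], baseline: Dict[str, Set[str]],
           trusted_issuers: Set[str]) -> List[Finding]:
    findings: List[Finding] = []
    users_per_fp: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        users_per_fp[e["fp"]].add(e["user"])
        if e["issuer"] not in trusted_issuers:
            # Certificate not chained to an expected CA: highest priority.
            findings.append(("untrusted_issuer", e["user"], e["fp"]))
        elif e["fp"] not in baseline.get(e["user"], set()):
            # Trusted CA, but this user has never presented this cert before.
            findings.append(("new_cert_for_user", e["user"], e["fp"]))
    for fp, users in users_per_fp.items():
        if len(users) > 1:
            # One client certificate reused across accounts.
            findings.append(("cert_shared_across_users", ",".join(sorted(users)), fp))
    return findings


# Constructed sample logs (fingerprints shortened; all values made up).
BASELINE_LINES = [
    "2025-03-01T08:00:00Z user=alice cert_sha256=1111aaaa issuer=CN=Corp-Client-CA",
    "2025-03-01T08:05:00Z user=bob cert_sha256=2222bbbb issuer=CN=Corp-Client-CA",
]
OBSERVED_LINES = [
    "2025-03-20T09:00:00Z user=alice cert_sha256=1111aaaa issuer=CN=Corp-Client-CA",
    "2025-03-20T09:10:00Z user=alice cert_sha256=3333cccc issuer=CN=Corp-Client-CA",
    "2025-03-20T09:20:00Z user=carol cert_sha256=4444dddd issuer=CN=Self-Signed",
    "2025-03-20T09:30:00Z user=bob cert_sha256=2222bbbb issuer=CN=Corp-Client-CA",
    "2025-03-20T09:40:00Z user=dave cert_sha256=2222bbbb issuer=CN=Corp-Client-CA",
    "2025-03-20T09:41:00Z malformed line that should be ignored",
]
TRUSTED_ISSUERS = {"CN=Corp-Client-CA"}


def run_sample() -> List[Finding]:
    baseline = build_baseline(parse(BASELINE_LINES))
    return detect(parse(OBSERVED_LINES), baseline, TRUSTED_ISSUERS)


if __name__ == "__main__":
    for kind, who, fp in run_sample():
        print(f"{kind:26} {who:12} {fp}")
```

The baseline window should predate the earliest exploitation evidence the post gives (mid-March 2025) so that the comparison is against known-good activity, and a finding of any kind is a prompt to run the ICT and contact Ivanti Support, not a verdict on its own.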
Acknowledgements
We would like to thank Daniel Spicer and the rest of the team at Ivanti for their continued partnership and support in this investigation. Additionally, this analysis would not have been possible without the support from analysts across Google Threat Intelligence Group and Mandiant's FLARE; we would like to specifically thank Christopher Gardner and Dhanesh Kizhakkinan of FLARE for their support.
Indicators of Compromise
To assist the security community in hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in a GTI Collection for registered users.