Wednesday, April 9, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-22457 to its Known Exploited Vulnerabilities (KEV) Catalog, after confirming active exploitation of the flaw in Ivanti products, including Connect Secure, Policy Secure, and Neurons for ZTA Gateways. The vulnerability is a stack-based buffer overflow in Apache Tomcat, which can be exploited for unauthenticated remote code execution, allowing attackers to take full control of vulnerable systems without requiring login credentials.
Ivanti has attributed the attacks to a threat group known as UNC5221, believed to be linked to state-sponsored cyber espionage operations. Attacks began in mid-March 2025, using a new set of malware tools, including TRAILBLAZE (an in-memory dropper), BRUSHFIRE (a passive backdoor), and components from the previously observed SPAWN malware family. These tools primarily target edge devices and are engineered for stealth and evasion, making detection particularly challenging.
Ivanti released a patch for Connect Secure version 22.7R2.6 on February 11, 2025, and plans to release updates for Policy Secure and ZTA Gateways on April 19 and 21, respectively. Ivanti and CISA recommend that all users immediately apply security updates, scan logs using the Integrity Checker Tool (ICT), and factory reset compromised devices before returning them to production. U.S. federal agencies are required to comply with Binding Operational Directive (BOD) 22-01 by April 11, 2025, to mitigate risks from this active exploitation.