CISA warns of latest Ivanti firewall bug being exploited by suspected Chinese hackers
Another vulnerability impacting firewall products from Ivanti is being exploited by alleged China-based hackers.
An Ivanti advisory released on Thursday confirmed that a “limited number of customers” have been attacked through a bug impacting its Connect Secure, Policy Secure & ZTA Gateways tools — which are used by large organizations and government clients to keep malicious traffic out while allowing employees to have remote access to systems.
On Friday, the Cybersecurity and Infrastructure Security Agency (CISA) also confirmed exploitation of the vulnerability, tracked as CVE-2025-22457.
Mandiant and Google Threat Intelligence Group (GTIG) said they are attributing its exploitation and the subsequent deployment of a malware ecosystem known as Spawn to a suspected China-based espionage actor they track as UNC5221.
Ivanti released a patch for the vulnerability on February 11 but noted that the bug also impacts certain devices that are no longer supported by the company as of the end of 2024.
“We are aware of a limited number of customers whose Ivanti Connect Secure (22.7R2.5 and earlier) and End-of-Support Pulse Connect Secure 9.1x appliances have been exploited at the time of disclosure,” Ivanti said in its advisory.
“The risk from this vulnerability is significantly reduced for customers running appliances on supported versions. Ivanti cannot provide guidance to customers to stay on an unsupported version. Customers' only option is to migrate to a secure platform to ensure their security.”
Ivanti said customers can tell if they have been compromised by using an integrity checker tool, and if they are impacted they should perform a factory reset on the appliance.
The company noted that it initially believed the bug was not exploitable but learned alongside cybersecurity experts that it can be exploited “through sophisticated means.”
Ivanti repeatedly warned that customers who are continuing to use end-of-life devices “do so at their own risk” and said the company “will not provide any troubleshooting or code change for products that are no longer supported.”
Ivanti directed customers to Mandiant’s blog for more information about exploitation.
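To make the version boundaries quoted above actionable, here is a small added example (not Ivanti's Integrity Checker Tool, and not code from the article or the vendor) that triages an appliance inventory against the two ranges the advisory names: Connect Secure 22.7R2.5 and earlier, and end-of-support Pulse Connect Secure 9.1x. It assumes Ivanti version strings follow the major.minorRrelease.patch shape seen in the advisory, and it uses a constructed inventory; Policy Secure and ZTA Gateway version ranges are not given on the page, so those products are flagged for manual review rather than guessed at.

```python
import re
from dataclasses import dataclass

# Version strings on the page look like "22.7R2.5" or "9.1x"; this regex
# accepts major.minor with an optional R<release>.<patch> suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+)(?:\.(\d+))?)?$")


def parse_version(text: str) -> tuple:
    """Turn an Ivanti version string into a comparable tuple of four ints."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in match.groups())


# Boundaries taken verbatim from the advisory text quoted in the article.
LAST_AFFECTED_ICS = parse_version("22.7R2.5")   # "22.7R2.5 and earlier"
END_OF_SUPPORT_PCS = (9, 1)                     # "Pulse Connect Secure 9.1x"

# Triage labels returned by triage(); the remediation text mirrors the
# advisory guidance the article reports (patch, run the integrity checker,
# factory reset if compromised, migrate off unsupported appliances).
AFFECTED = "AFFECTED"
END_OF_SUPPORT = "END_OF_SUPPORT"
NOT_IN_RANGE = "NOT_IN_RANGE"
MANUAL_REVIEW = "MANUAL_REVIEW"


@dataclass
class Appliance:
    hostname: str
    product: str    # "ICS" (Connect Secure), "PCS" (Pulse Connect Secure), "IPS", "ZTA"
    version: str


def triage(appliance: Appliance) -> str:
    """Classify one appliance against the ranges quoted on the page."""
    ver = parse_version(appliance.version)
    if appliance.product == "PCS" and ver[:2] == END_OF_SUPPORT_PCS:
        # Vendor will not ship fixes for 9.1x; only option is migration.
        return END_OF_SUPPORT
    if appliance.product == "ICS":
        # Tuple comparison orders 22.6R2.x below 22.7R2.5, as intended.
        return AFFECTED if ver <= LAST_AFFECTED_ICS else NOT_IN_RANGE
    # Policy Secure / ZTA ranges are not stated on the page: do not guess.
    return MANUAL_REVIEW


def triage_inventory(appliances) -> dict:
    """Map each hostname to its triage label."""
    return {a.hostname: triage(a) for a in appliances}


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    Appliance("vpn-hq-01", "ICS", "22.7R2.5"),    # inside "22.7R2.5 and earlier"
    Appliance("vpn-hq-02", "ICS", "22.6R2.3"),    # older branch, also in range
    Appliance("vpn-hq-03", "ICS", "22.7R2.6"),    # outside the quoted range; confirm against the advisory
    Appliance("vpn-legacy", "PCS", "9.1R18.9"),   # end-of-support 9.1x appliance
    Appliance("nac-01", "IPS", "22.7R1.3"),       # Policy Secure: range not on the page
]

if __name__ == "__main__":
    for host, label in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {label}")
```

Run it as-is to see the constructed inventory classified; in practice the `SAMPLE_INVENTORY` list would be replaced by output from an asset database, and anything labelled `AFFECTED` is a candidate for the integrity-checker and factory-reset steps the advisory describes.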
Brushfire
Mandiant said the earliest evidence of exploitation appeared in mid-March, and that it observed the hackers deploy two new malware families, including a backdoor called Brushfire.
The hackers also deployed the Spawn ecosystem of malware, which CISA spotlighted in an advisory last week. Google and Mandiant said the same actor previously exploited CVE-2025-0282 — a bug affecting the same Ivanti tools which emerged in January — as well as past Ivanti vulnerabilities like CVE-2023-46805 and CVE-2024-21887.
The same hackers, allegedly based in China, have been exploiting edge devices like those produced by Ivanti since 2023.
“UNC5221 has targeted a wide range of countries and verticals during their operations, and has leveraged an extensive set of tooling, spanning passive backdoors to trojanized legitimate components on various edge appliances,” Mandiant said.
The hackers are also using a network of “compromised Cyberoam appliances, QNAP devices, and ASUS routers to mask their true source during intrusion operations.”
Experts at cybersecurity firm watchTowr examined the vulnerability and the patch and told Recorded Future News the bug was further proof that active exploitation of vulnerabilities in mission-critical appliances continues to be a constant concern.
“It is vital organizations do their own analysis, and that the industry continues to review vulnerabilities and their exploitability and impact independently when making risk decisions,” said watchTowr CEO Benjamin Harris.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.