Critical Ivanti Zero-Day Vulnerability Exploited by Chinese State Hackers


A severe security flaw in several Ivanti network products has prompted urgent warnings from cybersecurity agencies. The vulnerability, tracked as CVE-2025-22457, is a stack-based buffer overflow that allows an attacker to execute code on the appliance remotely without authentication.

The Australian Cyber Security Centre reports that the flaw impacts multiple Ivanti products including Connect Secure, Policy Secure, and Neurons for ZTA gateways. Security researchers have already detected active exploitation of this vulnerability in the wild.

According to analysis by cybersecurity firm Mandiant, attackers are deploying two previously unseen malware families against affected systems: TRAILBLAZE, an in-memory dropper, and BRUSHFIRE, a passive backdoor. Because the dropper runs only in memory and the backdoor waits for attacker traffic rather than beaconing out, the pair gives persistent access and enables data theft while leaving few artifacts on disk.

The attacks have been attributed to UNC5221, a group linked to Chinese state-sponsored cyber operations. This actor has a history of exploiting zero-day vulnerabilities in network infrastructure.

"This is a serious vulnerability that organizations need to address immediately," said an Ivanti spokesperson. The flaw is fixed in Ivanti Connect Secure version 22.7R2.6, which the company released in February 2025; exploitation was confirmed afterwards against appliances still running earlier builds.

Key actions recommended for organizations:

  • Update to Ivanti Connect Secure version 22.7R2.6 or later
  • Remove internet exposure for Policy Secure deployments
  • Check systems for signs of compromise
  • Monitor networks for suspicious activity
  • Migrate from end-of-life Pulse Connect Secure 9.1.X products

Security teams should implement network monitoring and validate system integrity using Ivanti's Integrity Checker Tool (ICT). Note that upgrading to a fixed build does not remove an implant that is already present, so appliances that were exposed while unpatched need an integrity check, not just a patch. The Australian government advises conducting thorough forensic investigations of potentially affected devices.
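A first triage step for the recommendations above is to check every Ivanti appliance in inventory against the fixed build. The script below is an added example, not code from the article, Ivanti or the ACSC; it assumes Ivanti's `<major>.<minor>R<release>[.<build>]` version format (as in `22.7R2.6` and `9.1R18.9`) and uses a constructed inventory. It classifies a build as patched, vulnerable, end-of-life (the Pulse Connect Secure 9.1.x line that receives no fix) or unknown when the version string cannot be parsed, which is the case that a naive string comparison silently gets wrong.

```python
"""Triage Ivanti Connect Secure builds against the CVE-2025-22457 fix.

Added example (not Ivanti's or the article's code). Assumes the version
scheme <major>.<minor>R<release>[.<build>], e.g. "22.7R2.6".
"""
import re

# Fixed Connect Secure build per the advisory: 22.7R2.6 or later.
FIXED_ICS = "22.7R2.6"
# Pulse Connect Secure 9.1.x is end-of-life and will not receive a fix.
EOL_MAJOR_MINOR = (9, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn "22.7R2.6" into the tuple (22, 7, 2, 6) so tuples compare numerically.

    A missing build number is treated as 0 ("22.7R2" < "22.7R2.6").
    Raises ValueError for strings that do not match the assumed scheme.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, build = match.groups()
    return (int(major), int(minor), int(release), int(build or 0))


def classify(version: str) -> str:
    """Return PATCHED, VULNERABLE or EOL for one version string."""
    parsed = parse_version(version)
    if parsed[:2] == EOL_MAJOR_MINOR:
        return "EOL"          # migrate; no patch exists for this line
    if parsed >= parse_version(FIXED_ICS):
        return "PATCHED"
    return "VULNERABLE"       # older than the fixed build: update now


def triage(inventory) -> dict:
    """Map hostname -> status for a list of (hostname, version) pairs.

    Unparseable versions become UNKNOWN rather than crashing the run, so
    they still show up for manual follow-up.
    """
    result = {}
    for host, version in inventory:
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "UNKNOWN"
    return result


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("vpn-edge-1", "22.7R2.6"),   # fixed build
    ("vpn-edge-2", "22.7R2.5"),   # one build short of the fix
    ("vpn-edge-3", "22.7R2"),     # no build number: treated as 22.7R2.0
    ("vpn-legacy", "9.1R18.9"),   # Pulse Connect Secure 9.1.x, end-of-life
    ("vpn-unknown", "n/a"),       # inventory gap: cannot be parsed
]

if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host:<12} {status}")
```

A VULNERABLE or EOL result means the appliance was exposed and must be treated as potentially compromised, not merely upgraded: run the Integrity Checker Tool and preserve logs before patching, because the fix does not evict an implant that is already running.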

Organizations using vulnerable Ivanti products should treat this as a high-priority security issue requiring immediate attention. The combination of active exploitation and involvement of sophisticated threat actors makes this an elevated risk to network infrastructure.

#cybersecurity #infosec #networksecurity