Mandiant reported that the suspected China-linked espionage actor UNC5221 actively exploited CVE-2025-22457, a critical buffer overflow in Ivanti Connect Secure VPN appliances, to achieve remote code execution on devices running 22.7R2.5 and earlier. The activity reportedly began by at least mid-March, with Mandiant assessing that the attackers likely identified the opportunity by reverse-engineering a February patch for the vulnerability.
After gaining access, UNC5221 deployed two newly identified malware families, TRAILBLAZE and BRUSHFIRE, alongside components from the previously documented SPAWN malware ecosystem. Mandiant said the intrusion set reflects the group’s continued emphasis on compromising internet-facing edge devices and warned organizations to upgrade affected Ivanti Connect Secure appliances to 22.7R2.6 or later immediately.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
On April 3, 2025, Mandiant disclosed active exploitation of CVE-2025-22457 and attributed the activity to UNC5221. The report urged organizations to upgrade Ivanti Connect Secure appliances to version 22.7R2.6 or later immediately.
During post-compromise operations in the Ivanti campaign, UNC5221 deployed the newly identified malware families TRAILBLAZE and BRUSHFIRE along with components from the previously reported SPAWN malware ecosystem. These tools were used after successful exploitation of affected appliances.
Since at least mid-March 2025, the suspected China-nexus espionage actor UNC5221 has used CVE-2025-22457, a critical buffer overflow in Ivanti Connect Secure 22.7R2.5 and earlier, for remote code execution. The activity targeted Ivanti edge devices as part of an espionage campaign.
Ivanti released a patch in February 2025 that Mandiant later assessed UNC5221 likely analyzed to identify the n-day vulnerability CVE-2025-22457. This patch release is described as the probable starting point for the actor's discovery of the flaw.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
1 reference tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.