China-nexus threat actors exploited remote code execution flaws in Ivanti Connect Secure VPN appliances to breach multiple organizations, according to TeamT5. The reporting links intrusions to abuse of Ivanti vulnerabilities including CVE-2025-22457, and follows earlier attention on CVE-2025-0282, a pre-authentication RCE tied to a TLS stack overflow in the product's IFT component. The activity shows continued attacker focus on internet-facing Ivanti gateways as an initial access path into enterprise environments.
Public exploit development accompanied the disclosures, with GitHub repositories publishing proof-of-concept code and scanner tooling for both CVE-2025-22457 and CVE-2025-0282. The availability of PoCs lowers the barrier for follow-on exploitation and increases pressure on defenders to patch exposed Ivanti Connect Secure systems, hunt for signs of compromise on VPN appliances, and review access originating from those devices into internal networks.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
A second GitHub repository focused on CVE-2025-22457 is published by TRone-ux, further expanding public availability of proof-of-concept material for the Ivanti Connect Secure flaw.
TeamT5 publishes research stating that a China-linked APT exploited an Ivanti Connect Secure VPN vulnerability to infiltrate multiple organizations, adding attribution and victim-scope details to the campaign narrative.
A GitHub repository by securekomodo publishes a Python exploit/PoC scanner for CVE-2025-22457 targeting Ivanti Connect Secure, making detection or exploitation details publicly available.
A public proof-of-concept repository for CVE-2025-0282, described as an Ivanti Connect Secure IFT TLS stack overflow leading to pre-authentication remote code execution, is published on GitHub by watchTowr Labs.
4 references tracked. Mallory keeps watching after this page renders.
teamt5.org
Open sourcegithub.com
Open sourcegithub.com
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.