April 4, 2025
Severity
High
Analysis Summary
A critical buffer overflow vulnerability, tracked as CVE-2025-22457, has been identified in Ivanti Connect Secure (ICS) VPN appliances, specifically impacting version 22.7R2.5 and earlier. This flaw enables remote code execution and has been actively exploited since mid-March 2025 by UNC5221, a sophisticated China-linked espionage group. Known for exploiting zero-day vulnerabilities in edge devices since 2023, the group is believed to have reverse-engineered the February 2025 ICS 22.7R2.6 patch to craft their attack. This marks a significant evolution in their tactics, expanding from zero-day exploits to also include n-day vulnerabilities.
According to the researcher, upon successful exploitation, the attackers deploy an intricate multi-stage malware framework beginning with a shell script dropper that initiates TRAILBLAZE, an in-memory dropper coded in bare C with raw syscalls for enhanced stealth. TRAILBLAZE subsequently injects the BRUSHFIRE passive backdoor into the /home/bin/web process. The malware operation involves creating several temporary files to log process information, such as memory maps, process IDs, and base addresses, which facilitate precise code injection and monitoring.
BRUSHFIRE’s sophistication lies in its ability to hook into the SSL_read function, allowing it to monitor encrypted traffic for specific trigger strings. Once identified, the malware decrypts and executes shellcode directly in memory and communicates outputs through SSL_write. This in-memory operation strategy ensures a high degree of stealth, enabling long-term persistence without writing files to disk or triggering conventional detection tools.
Security researchers have observed that UNC5221 also deployed their previously documented SPAWN malware ecosystem alongside TRAILBLAZE and BRUSHFIRE in this campaign. Given the threat actors’ aggressive tempo, advanced toolsets, and widespread targeting across industries and geographies, immediate mitigation is critical. Organizations using affected ICS versions are urged to upgrade to version 22.7R2.6 or later and run Ivanti’s Integrity Checker Tool to detect and remediate potential compromises.
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-22457
MD5
- 6e01ef1367ea81994578526b3bd331d6
SHA-256
- b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d
SHA-1
- 09eb513f284771461bcdc16ee28d31ce8bbe74e0
Affected Vendors
- Ivanti
Remediation
- Refer to the Ivanti Security Advisory for patch, upgrade, or suggested workaround information.
- Ensure all ICS systems are regularly monitored for new patches and apply them promptly.
- Utilize Ivanti's Integrity Checker Tool on all ICS appliances to detect unauthorized changes, malicious artifacts, or indicators of compromise (IoCs).
- Review any flagged anomalies or files, especially those resembling /tmp/.p, /tmp/.m, /tmp/.w, /tmp/.s, /tmp/.r, and /tmp/.i.
- If compromise is suspected, isolate the affected ICS device from the network to prevent lateral movement or data exfiltration.
- Conduct a thorough forensic analysis of memory, process activity, and network logs to identify signs of TRAILBLAZE, BRUSHFIRE, or SPAWN malware activity.
- Deploy advanced network monitoring tools to inspect encrypted traffic, especially looking for abnormal behavior in SSL_read/SSL_write functions or unexpected payloads.
- Implement SSL/TLS decryption (where appropriate and compliant) to enhance visibility into malicious communication.
- Enable strict application allowlisting and behavior-based detection on ICS and adjacent systems.
- Use network segmentation to limit exposure of ICS appliances and restrict external access to only necessary endpoints.
- Initiate proactive threat hunting efforts using IoCs related to TRAILBLAZE and BRUSHFIRE malware.
- Integrate custom detection rules into SIEM and EDR tools to flag abnormal process injections, memory manipulation, or the creation of suspicious temp files.
- Restrict remote access to ICS management interfaces and enforce multi-factor authentication (MFA) for administrators.
- Audit firewall rules and VPN configurations to ensure only authorized users and IPs have access.
- If any malicious activity is found, escalate to internal or third-party incident response (IR) teams for containment, eradication, and recovery efforts.
- Share findings with relevant threat intelligence communities and national CERTs to contribute to the broader defense ecosystem.
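One way to hunt for the artifacts this advisory names (the hidden /tmp bookkeeping files and the published MD5/SHA-1/SHA-256 indicators) across a mounted ICS disk image, as an added example that is not part of the advisory and is not Ivanti's Integrity Checker Tool; the image root path, the result tuple layout and the sample files used in the usage call are assumptions.

```python
"""Hunt for CVE-2025-22457 post-exploitation artifacts on a mounted ICS filesystem image."""
import hashlib
import os
import sys
from pathlib import Path

# Hashes taken from the advisory's Indicators of Compromise section.
IOC_HASHES = {
    "md5": {"6e01ef1367ea81994578526b3bd331d6"},
    "sha1": {"09eb513f284771461bcdc16ee28d31ce8bbe74e0"},
    "sha256": {"b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d"},
}

# Hidden temp files named in the remediation guidance, relative to the image root.
SUSPICIOUS_PATHS = ("tmp/.p", "tmp/.m", "tmp/.w", "tmp/.s", "tmp/.r", "tmp/.i")


def hash_file(path):
    """Return md5/sha1/sha256 hex digests of one file, read in 1 MiB chunks."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan(root, ioc_hashes=IOC_HASHES, suspicious_paths=SUSPICIOUS_PATHS):
    """Walk an image root and return (kind, path, detail) findings (assumed layout).

    kind is "suspicious_tmp_file" for a present dropper bookkeeping file, or
    "ioc_hash_match" with detail naming the algorithm that matched.
    """
    root = Path(root)
    findings = []
    for rel in suspicious_paths:
        if (root / rel).exists():
            findings.append(("suspicious_tmp_file", "/" + rel, "present"))
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # hash regular files only; never follow links off the image
            try:
                digests = hash_file(full)
            except OSError:
                continue  # unreadable file: skip it rather than abort the hunt
            for algo, value in digests.items():
                if value in ioc_hashes.get(algo, ()):
                    findings.append(("ioc_hash_match", full.relative_to(root).as_posix(), algo))
    return findings


if __name__ == "__main__":
    for finding in scan(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(*finding)
```

Run it against the mount point of an offline image (for example `python hunt.py /mnt/ics_image`), since live appliances should be checked with Ivanti's Integrity Checker Tool and isolated before any forensic work.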