Ivanti patches actively exploited vulnerability

Illustration: Supimol Kumying | Shutterstock

Software biz Ivanti has patched an actively exploited vulnerability affecting its Connect Secure software suite. The vulnerability, tracked as CVE-2025-22457 with a CVSS score of 9.0, has already been exploited in the wild to deploy the Trailblaze and Brushfire malware.

The bug affects the following Ivanti products:

  • Ivanti Connect Secure: Versions 22.7R2.5 and earlier were affected. The vulnerability has been patched in Version 22.7R2.6, released on February 11, 2025.
  • Ivanti Policy Secure: Versions 22.7R1.3 and prior were affected. The issue has been fixed in version 22.7R1.4, but the patch will be available starting April 21.
  • Pulse Connect Secure: Versions 9.1R18.9 and prior were affected. The issue has been fixed in version 22.7R2.6, but users need to contact Ivanti for a version migration as the device has reached end-of-life as of December 31, 2024.
  • ZTA Gateways: Versions 22.8R2 and prior were affected. The issue has been fixed in version 22.8R2.2, but it will be available starting April 19.
The company has confirmed that it is aware of a “limited number of customers” whose Connect Secure and Pulse Connect Secure appliances were targeted. However, there is no evidence so far that Policy Secure or ZTA Gateways have been exploited in the wild.

Cybersecurity firm Mandiant published a report claiming it had found evidence of the bug being exploited in the wild in mid-March 2025. The attackers exploited the issue to drop an in-memory dropper called Trailblaze, a passive backdoor dubbed Brushfire, and the Spawn malware suite. The latter consists of a log tampering utility, a utility that extracts an uncompressed Linux kernel image, and an improved version of the Spawnant malware called Spawnwave.

If successful, these attacks can establish persistent backdoors on compromised devices, enabling credential theft, data exfiltration, and even lateral movement across the network. The Spawn malware suite was previously associated with a Chinese state-sponsored threat actor dubbed UNC5221, which has a history of exploiting zero-day vulnerabilities in Ivanti Connect Secure devices.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.