More Evidence Surfaces of Chinese Hackers Targeting Ivanti Products

A suspected Chinese cyberespionage operation is behind a spate of malware left on VPN appliances made by Ivanti. The threat actor used a critical security vulnerability the beleaguered Utah company patched in February – likely further evidence of Chinese hackers’ proclivity for quickly exploiting recently patched flaws and for targeting Ivanti products.
Researchers at Mandiant Thursday wrote that a threat group it tracks as UNC5221 used a stack-based buffer overflow in Ivanti Connect Secure to leave behind malware from the Spawn ecosystem, closely associated with Chinese nation-state operations. Mandiant also detected two new malware families it dubbed “Trailblaze” and “Brushfire.” As with previous Ivanti breaches traced to Beijing, hackers attempted to modify the internal Ivanti Integrity Checker Tool in a bid to escape detection.
Hackers for the “suspected China-nexus espionage actor” exploited CVE-2025-22457 to target Connect Secure version 22.7R2.5 or earlier devices, the Connect Secure 9.x appliance, Policy Secure, a network access solution that provides centralized access controls, and ZTA gateways, virtual machines that control access to applications and resources within a data center. The company released a patch on Feb. 11 for Connect Secure. It says that Policy Secure shouldn’t be open to the internet and that “Neurons for ZTA gateways cannot be exploited when in production.”
Ivanti acknowledged Thursday that “we are aware of a limited number of customers whose appliances have been exploited.” Western intelligence agencies have warned that Chinese nation-state hackers are particularly aggressive in making use of newly disclosed vulnerabilities to exploit them before system administrators deploy a patch (see: Chinese Hackers Penetrated Unclassified Dutch Network).
Malicious actors primarily targeted legacy VPN appliances that no longer receive software updates, such as the Connect Secure 9.x appliance, which reached end-of-support on Dec. 31, 2024. They also hacked older versions of Ivanti Connect Secure VPN appliances the company began replacing with Ivanti Connect Secure 22.7R2.6 beginning Feb. 11.
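The two paragraphs above give defenders a concrete triage rule: a Connect Secure appliance on the 9.x line is end-of-support and will never receive a fix, and a 22.x appliance below 22.7R2.6 is still exposed to CVE-2025-22457. The script below is an added example, not code from the article, Ivanti or Mandiant, that applies that rule to an asset inventory. It assumes the vendor version format is `<major>.<minor>R<release>[.<patch>]` (as in `22.7R2.5`) and that `22.7R2.6` is the build that closes the flaw on the 22.x line, which is what the article states; the hostnames and versions in the inventory are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Fixed build named in the article for the 22.x line (assumption: this is the
# first build that closes CVE-2025-22457; adjust if the vendor advisory differs).
FIXED_VERSION = "22.7R2.6"

# Assumed vendor format: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5 or 9.1R18
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an Ivanti-style version string into a tuple that compares numerically.

    A plain string comparison would rank 22.7R2.10 below 22.7R2.6, so each
    component is converted to an integer; a missing patch number counts as 0.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(version: str) -> str:
    """Classify one Connect Secure version as end-of-support, vulnerable or patched."""
    parsed = parse_version(version)
    if parsed[0] < 22:
        # 9.x reached end-of-support on Dec. 31, 2024: no fix will ship, so the
        # only remediation is replacing the appliance.
        return "end-of-support"
    if parsed < parse_version(FIXED_VERSION):
        # "22.7R2.5 or earlier" per the article: patch to the fixed build.
        return "vulnerable"
    return "patched"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by status so the unpatched and unsupported ones stand out."""
    result: Dict[str, List[str]] = {"end-of-support": [], "vulnerable": [], "patched": []}
    for hostname, version in inventory:
        result[assess(version)].append(hostname)
    for hosts in result.values():
        hosts.sort()
    return result


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("vpn-hq-01", "22.7R2.5"),
    ("vpn-hq-02", "22.7R2.6"),
    ("vpn-dc-01", "22.7R2.10"),
    ("vpn-legacy-01", "9.1R18.9"),
    ("vpn-branch-03", "22.6R2"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:15s} {', '.join(hosts) or '-'}")
```

Feed it the hostname/version pairs exported from whatever asset system tracks the appliances; anything landing in `end-of-support` cannot be brought into compliance by patching and should be handled as a replacement, not a maintenance task.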
Ivanti is into its second year of fending off Chinese nation-state hackers who have found the corporation’s network devices fertile ground for attacks. The Thursday warning from Mandiant and Ivanti is about a vulnerability distinct from a flaw that the U.S. Cybersecurity and Infrastructure Security Agency in late March warned has been exploited to leave a Trojan in Ivanti Connect Secure appliances that appears to be an upgrade of a Spawn malware variant (see: Rootkit, Backdoor and Tunneler: Ivanti Malware Does It All).