New Advisory: Active Exploitation of Ivanti Vulnerabilities

Attackers are targeting Ivanti Connect Secure appliances using known vulnerabilities. Attackers may sometimes maintain persistent, undetected access even after patching systems.
Advisory Overview 


Advisory Type: Technical
Author: Marcus Knowles
Date: 17 April 2025

Ivanti and CISA recently reported active exploitation of several critical vulnerabilities in Ivanti network access security appliances. UNC5221, a China-linked threat group, uses these vulnerabilities to break into networks, deploy custom malware, and establish long-term control of systems.

In several incidents, attackers retained access, even after patching, by modifying system directories or planting hidden backdoors. One observed tactic includes planting in-memory malware and manipulating configuration scripts in a way that survives firmware upgrades, allowing continued access to sensitive data and credentials while evading detection.

What’s Happening


Affected Systems

These issues affect Ivanti appliances that are unpatched, exposed to the internet, or unaudited after recent updates. The affected products, associated CVEs, and impacted versions are detailed below.

  • Ivanti Connect Secure (ICS)
    CVEs: 2025-0282, 2025-0283, 2025-22457
    Affected Versions:

    • 9.x (all versions before 9.1R14.4)
    • 22.x (all versions before 22.7R2.6)
  • Ivanti Policy Secure
    CVEs: 2025-0282, 2025-0283
    Affected Versions:

    • Policy Secure builds aligned with ICS 9.x and 22.7R2.5 or earlier
  • Ivanti ZTA Gateways
    CVEs: 2025-0282, 2025-0283
    Affected Versions:

    • ZTA Gateway versions using the vulnerable ICS components before 22.7R2.6
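
As an added example that is not part of this advisory, the Python helper below triages an inventory of appliance version strings against the fixed builds listed above (9.1R14.4 for the 9.x branch, 22.7R2.6 for the 22.x branch). The hostnames and versions in the sample inventory are constructed, and the version-string shape major.minorRrelease[.patch] is an assumption about Ivanti build numbering.

```python
import re
from typing import Optional, Tuple

# Fixed builds per branch as listed in the advisory: 9.x is fixed at 9.1R14.4
# and 22.x at 22.7R2.6. Anything older on the same branch is affected.
FIXED_BUILDS = {9: "9.1R14.4", 22: "22.7R2.6"}

# Assumed build-string shape: major.minorRrelease[.patch], e.g. 22.7R2.6
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.6' into (22, 7, 2, 6); a missing patch counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_affected(version: str) -> Optional[bool]:
    """True if older than the fixed build for its branch, False if at or
    past the fix, None if the branch is not covered and needs manual review."""
    parsed = parse_version(version)
    fixed = FIXED_BUILDS.get(parsed[0])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def triage(inventory: dict) -> dict:
    """Map {host: version} to 'affected', 'patched' or 'review'.
    Unparseable strings are sent to review rather than silently passed."""
    labels = {True: "affected", False: "patched", None: "review"}
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = labels[is_affected(version)]
        except ValueError:
            result[host] = "review"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"vpn-gw-01": "22.7R2.5", "vpn-gw-02": "22.7R2.6",
              "vpn-legacy": "9.1R14.3", "vpn-lab": "23.1R1"}
    for host, state in sorted(triage(sample).items()):
        print(f"{host}: {state}")
```

A "review" result means the helper could not decide from the version string alone; those appliances should still be checked with Ivanti's Integrity Checker Tool.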
What this Means

Attackers are exploiting these vulnerabilities to:

  • gain unauthenticated remote access to systems;
  • deploy custom memory-based malware like TRAILBLAZE and BUSHFIRE;
  • modify system scripts to maintain persistence across reboots or firmware updates; and
  • evade detection from standard monitoring tools.

The industry has observed attackers modifying core components and introducing fileless backdoors that do not survive reboots but can reinitialise once footholds are re-established, making detection and remediation more difficult.

What to Look For


Signs You May Be at Risk

You may be at risk if:

  • your Ivanti appliances are running pre-22.7R2.6 firmware,
  • your devices are exposed to the internet without segmentation or firewall protections,
  • you have not run Ivanti’s Integrity Checker Tool recently, or
  • SSL-VPN is enabled and accessible without multi-factor authentication.
Signs You May Be Affected

Possible indicators of compromise include:

  • unauthorised VPN or admin accounts;
  • suspicious in-memory processes or binaries not tied to standard firmware;
  • modified scripts such as startup.sh, or anomalies in the /data/ directory;
  • logs showing diagnostic or shell commands run unexpectedly; or
  • unusual outbound traffic from the device to unknown external IPs.
What to Do


Prevention

To help prevent these vulnerabilities from impacting your organisation, take the steps outlined below.

  1. Update all Ivanti appliances to version 22.7R2.6 or later.
  2. Segment administrative interfaces from public networks.
  3. Enforce multi-factor authentication (MFA) for all VPN and admin access.
  4. Run Ivanti’s Integrity Checker Tool (ICT) and audit all user accounts.
  5. Disable SSL-VPN if not actively in use.
Mitigation

If you believe these vulnerabilities are already impacting you, take the steps outlined below (not in any particular order).

  1. Isolate affected appliances from the network immediately.
  2. Apply the latest patches from Ivanti.
  3. Review and reset all admin passwords and access control lists.
  4. Check for modified system scripts or unauthorised configuration changes.
  5. Monitor for lateral movement across your environment.
  6. Report the issues to CIRT-BS at [email protected].
Official Information


  • https://www.techradar.com/pro/security/ivanti-patches-serious-connect-secure-flaw
  • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283
  • https://www.cisa.gov/news-events/alerts/2025/01/08/ivanti-releases-security-updates-connect-secure-policy-secure-and-zta-gateways
  • https://www.securityweek.com/ivanti-warns-of-new-zero-day-attacks-hitting-connect-secure-product/
  • https://www.cirt.bs/new-advisory-active-exploitation-of-ivanti-vulnerabilities

Should you require additional information or further support, submit a report on our website or contact us at [email protected].
