UNC5221 is a suspected China-nexus cyber-espionage group targeting edge network devices through zero-day exploits, particularly Ivanti’s Pulse Connect Secure/Ivanti Connect Secure (ICS) VPN appliances. A critical vulnerability (CVE-2025-22457) has been exploited since March 2025, allowing unauthorized network access and deployment of custom malware. The campaign has affected organizations globally, especially in the U.S., highlighting the threat posed to government and enterprise networks. Affected: Ivanti Connect Secure, organizations globally, U.S.-based targets.
Key points:
- UNC5221 is a China-nexus cyber-espionage group focused on edge network devices.
- The group has utilized zero-day exploits targeting Ivanti’s ICS VPN appliances since at least 2023.
- Exploited CVE-2025-22457 in March 2025 for unauthorized network access.
- Custom malware deployment was noted as part of their attack strategy.
- The campaign has had global impact, particularly on U.S. targets.
- Ivanti disclosed the critical vulnerability on April 3, 2025.
- Effective defense strategies include immediate patching and detection of fileless malware.
MITRE Techniques:
- T1190 – Exploit Public-Facing Application: Exploited the public-facing ICS VPN appliance via CVE-2025-22457.
- T1055.002 – Process Injection: Used a shell script dropper to inject malicious code into legitimate processes.
- T1070.004 – Indicator Removal on Host: Deleted temporary files after execution to remove traces of the attack.
- T1556.002 – Modify Authentication Process: Deployed DRYHOOK to capture usernames and passwords during authentication.
- T1005 – Data from Local System: Archived sensitive data from the VPN appliance’s session database.
- T1041 – Exfiltration Over C2 Channel: Exfiltrated data disguised as legitimate web traffic.
Indicators of Compromise:
- [URL] https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability
- [URL] https://www.cybersecuritydive.com/news/cisa-ivanti-connect-secure-vulnerability-kev/744603/
- [Domain] ivanti.com
- [IP Address] Not specified in the article
- [Hash] Not specified in the article
Full Story: https://www.picussecurity.com/resource/blog/unc5221-cve-2025-22457-ivanti-connect-secure