Exploitation of the Ivanti Connect Secure vulnerability may be linked to a China-based espionage group, according to Mandiant researchers.
A critical-severity vulnerability in Ivanti’s Connect Secure VPN that has seen exploitation in recent cyberattacks should be fixed with available patches as soon as possible, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Friday.
The flaw (tracked as CVE-2025-22457) can be exploited to achieve remote code execution, and there is “evidence of active exploitation in the wild,” researchers at Google Cloud-owned Mandiant said in a blog post.
According to Mandiant, the attacks may be linked to a China-based espionage group that is believed to have been behind the mass exploitation of Ivanti Connect Secure devices in early 2024.
The group, UNC5221, is believed to have compromised thousands of Ivanti VPN devices during the wave of 2024 attacks, with the list of victims including CISA.
In the latest attacks targeting Ivanti VPN customers, deployment of an “ecosystem of malware attributed to UNC5221 was also observed,” Mandiant researchers wrote in the post.
The attacks are believed to have begun as far back as mid-March, according to the researchers.
CRN has reached out to Ivanti for comment.
In an advisory posted Thursday and updated Friday, Ivanti said it is “aware of a limited number of customers” exploited in the attacks.
The vulnerability affects Ivanti Connect Secure version 22.7R2.5 or earlier, as well as Pulse Connect Secure 9.1x devices, which reached end-of-support and stopped receiving code fixes at the end of 2024, according to Ivanti.
A fixed version of Ivanti Connect Secure (22.7R2.6) has been available since Feb. 11, the company said. The vulnerability was addressed in the update after it was “initially identified as a product bug,” Ivanti said in its advisory.
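The version boundary reported above (Connect Secure 22.7R2.5 or earlier affected, 22.7R2.6 fixed, Pulse Connect Secure 9.1x out of support) is the kind of rule a defender wants to run across an appliance inventory rather than eyeball. The following is an added example written for this article, not tooling from Ivanti, Mandiant or CISA: it parses Ivanti's `major.minorRrelease.patch` version strings into comparable tuples and labels each appliance. The hostnames and versions in the sample inventory are constructed, the assumption that every build numbered above 22.7R2.6 carries the fix follows from the advisory wording as reported here, and the check covers only the two product lines the article names.

```python
import re
from typing import Dict, Iterable, Tuple

# Added example for triaging an appliance inventory against the affected-version
# statement reported for CVE-2025-22457. Not Ivanti's or Mandiant's code.
FIXED_ICS = (22, 7, 2, 6)   # first fixed Ivanti Connect Secure release per the advisory
EOS_BRANCH = (9, 1)         # Pulse Connect Secure 9.1x: end-of-support, no code fixes

# Ivanti version strings look like "22.7R2.5" or "9.1R18"; the patch digit is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '22.7R2.5' into (22, 7, 2, 5); a missing patch number is treated as 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(version: str) -> str:
    """Return 'end-of-support', 'affected' or 'fixed' for a single appliance."""
    parsed = parse_version(version)
    if parsed[:2] == EOS_BRANCH:
        # 9.1x is in scope for the flaw but receives no patch: treat as needing replacement.
        return "end-of-support"
    if parsed < FIXED_ICS:
        return "affected"   # 22.7R2.5 and everything earlier
    return "fixed"          # 22.7R2.6 or later (assumption: later builds keep the fix)


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Label every (hostname, version) pair; unparseable entries become 'unknown'
    so they get a manual look instead of silently dropping out of the report."""
    report: Dict[str, str] = {}
    for host, version in inventory:
        try:
            report[host] = assess(version)
        except ValueError:
            report[host] = "unknown"
    return report


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up for illustration.
    sample = [
        ("vpn-a.example.test", "22.7R2.5"),
        ("vpn-b.example.test", "22.7R2.6"),
        ("vpn-c.example.test", "22.6R2.3"),
        ("vpn-legacy.example.test", "9.1R18.9"),
        ("vpn-x.example.test", "build string missing"),
    ]
    for hostname, status in triage(sample).items():
        print(f"{hostname:28} {status}")
```

Tuple comparison gives the "or earlier" semantics for free: 22.7R1.x and 22.6Rx.y sort below 22.7R2.6 without any special casing, while the 9.1x branch is matched first so it is never mislabelled as merely "affected" when no patch exists for it.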
Originally, the flaw was “evaluated and determined not to be exploitable as remote code execution,” the company said. “However, Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild.”
The vulnerability has received a “critical” severity rating of 9.0 out of 10.0.
On Friday, CISA added the flaw to its catalog of vulnerabilities known to have been exploited in the wild.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in its advisory.
While CISA's remediation order only applies to Federal Civilian Executive Branch agencies, the agency “strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [such] vulnerabilities as part of their vulnerability management practice,” it said Friday.
In mid-January, attacks exploiting a previously disclosed critical vulnerability in Ivanti Connect Secure (tracked as CVE-2025-0282) were linked by Mandiant researchers to a China-based threat actor, tracked as UNC5337. The group may be part of UNC5221, the researchers said at the time.