June 2, 2026
The VPN Your Company Trusts is Actively Being Hacked Right Now. (Here's the CVE Nobody's Talking About)
Your IT team patched it. Or so they think.
Norahaiden
6 min read
There's a particular kind of corporate blind spot that keeps cybersecurity professionals awake at 3 AM. It's not the threat you can see — the phishing email, the rogue employee, the sloppy password. It's the threat hiding inside the tool everyone trusts most.
Your VPN.
The one that employees log into every morning to access internal systems. The one that HR says is "enterprise-grade." The one that your security vendor demo'd with a slick slide deck full of padlock icons and compliance badges.
That VPN is almost certainly running on hardware with at least one critical, actively-exploited vulnerability. And there's a decent chance nation-state hackers are already inside it.
Let me tell you about CVE-2025-22457 — a vulnerability that received a CVSS score of 9.0 out of 10, was initially dismissed as low-risk, and has since been weaponized by a Chinese state-sponsored espionage group to silently compromise thousands of corporate and government networks worldwide.
The Vulnerability Nobody Took Seriously (Until It Was Too Late)
On February 11, 2025, Ivanti — one of the most widely deployed enterprise VPN vendors in the world — quietly released a patch for what they described as a "denial-of-service" flaw.
Read that again. Denial-of-service. Not remote code execution. Not authentication bypass. Just a crash risk. A nuisance-level issue.
So IT teams deprioritized it. Patch queues filled up. Quarterly maintenance windows came and went. Some organizations are still running the vulnerable version today.
Here's the thing: Ivanti was wrong about the risk. Catastrophically wrong.
CVE-2025-22457 is a stack-based buffer overflow in Ivanti Connect Secure VPN appliances. It affects versions 22.7R2.5 and earlier, as well as legacy Pulse Connect Secure (now end-of-life) running 9.1R18.9 and prior. The flaw lives in how the affected products handle specific HTTP input — an attacker can trigger it by sending a specially crafted request with an oversized X-Forwarded-For header.
And crucially: no authentication is required. Any unauthenticated attacker with network access to your VPN appliance can potentially exploit this. On the open internet. Right now.
The CVSS score? 9.0 Critical.
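The practical defensive takeaway from the paragraphs above is that a perimeter device should never be the first thing to see an oversized or malformed X-Forwarded-For value. The following is an added example, not Ivanti's code and not from the original post, of the kind of screening a reverse proxy or WAF in front of the appliance can apply: a hard length cap, a cap on the number of hops, and a requirement that every entry actually parse as an IP address. The limits (256 bytes, 8 hops) and the hostnames in the sample requests are assumptions chosen for the demonstration; repeated header lines are joined before checking so that splitting a long value across several headers does not slip past the length cap.

```python
import ipaddress

# Assumed limits for this example; tune them to what your proxies actually emit.
MAX_XFF_LENGTH = 256   # bytes allowed for the whole header value
MAX_XFF_ENTRIES = 8    # comma-separated hops allowed


def validate_xff(value):
    """Return (ok, reason) for an X-Forwarded-For value, or (True, 'absent')."""
    if value is None:
        return True, "absent"
    if len(value) > MAX_XFF_LENGTH:
        return False, "oversized"
    entries = [e.strip() for e in value.split(",")]
    if len(entries) > MAX_XFF_ENTRIES:
        return False, "too many hops"
    for entry in entries:
        try:
            ipaddress.ip_address(entry)  # raises ValueError for anything that is not an IP
        except ValueError:
            return False, f"not an ip: {entry!r}"
    return True, "ok"


def parse_headers(raw_request):
    """Parse the header block of a raw HTTP/1.x request (bytes) into a dict.

    Names are lower-cased; repeated headers are joined with ', ' so the
    combined value is what gets length-checked, not each fragment alone.
    """
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, val = line.partition(b":")
        if not sep:
            continue
        key = name.strip().lower().decode("latin-1")
        text = val.strip().decode("latin-1")
        headers[key] = text if key not in headers else headers[key] + ", " + text
    return headers


def screen_request(raw_request):
    """Screen one raw request; returns (ok, reason) from validate_xff."""
    return validate_xff(parse_headers(raw_request).get("x-forwarded-for"))


if __name__ == "__main__":
    # Constructed sample request; the hostname is a placeholder.
    sample = (b"GET /dana-na/ HTTP/1.1\r\nHost: vpn.example.invalid\r\n"
              b"X-Forwarded-For: 203.0.113.7, 198.51.100.9\r\n\r\n")
    print(screen_request(sample))
```

The check runs before the request is forwarded, so a rejected header never reaches the appliance's own parser; the point is defence in depth, not a substitute for the vendor patch.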
"Low Risk." Famous Last Words.
What makes CVE-2025-22457 particularly disturbing isn't just the severity — it's the timeline.
Ivanti patched it on February 11, 2025, believing it was a minor denial-of-service issue. Meanwhile, sophisticated threat actors had already figured out that it was something far worse.
Security researchers at Google's Mandiant threat intelligence team later revealed that exploitation of this vulnerability began in mid-March 2025 — meaning attackers reverse-engineered the patch, discovered the actual attack potential Ivanti had missed, and began weaponizing it in the wild before most organizations even knew the patch existed.
By April 3, 2025, Ivanti had revised their advisory. By April 4, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) had added CVE-2025-22457 to its Known Exploited Vulnerabilities (KEV) catalog — the federal government's official list of "patch this now or face consequences" vulnerabilities.
And the Shadowserver Foundation found 5,113 vulnerable Ivanti Connect Secure instances exposed on the internet as of April 6, 2025. The majority were in the United States, Japan, and China.
Who Is Behind This?
This is where the story goes from "serious corporate risk" to "geopolitical alarm bell."
The group exploiting CVE-2025-22457 is tracked as UNC5221 — a suspected Chinese nation-state espionage actor with a well-documented history of targeting enterprise network perimeter devices.
UNC5221 isn't new to the Ivanti playbook. Back in December 2023, this same group was behind the mass exploitation of CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) — another devastating Ivanti vulnerability pair that compromised organizations globally, including Fortune 500 companies and government agencies. Volexity, which first spotted those zero-days, found over 1,700 VPN appliances compromised with webshells within days of mass exploitation beginning.
UNC5221 has been doing this for years. They study patches. They reverse-engineer fixes. And they are, by every measure, better at this than most enterprise security teams are at defending against it.
The Malware You've Never Heard Of
When UNC5221 successfully exploits CVE-2025-22457, they don't just grab credentials and leave. They move in.
The attack deploys a sophisticated, multi-stage malware ecosystem specifically designed to be invisible to standard security tools. Here's what lands on your VPN appliance after exploitation:
TRAILBLAZE
An in-memory-only dropper written in bare C. It uses raw syscalls — deliberately bypassing higher-level system calls that endpoint detection tools monitor — and is designed to be as minimal and stealthy as possible. It exists entirely in memory, leaving almost no forensic artifacts on disk. Its sole job: inject the next-stage payload.
BRUSHFIRE
A passive backdoor that hooks directly into the VPN's SSL/TLS processing functions. It intercepts encrypted data flowing through your VPN appliance, waits for commands embedded in that traffic (beginning with a specific trigger string), and executes shellcode delivered via XOR-decrypted payloads. Because it piggybacks on legitimate SSL functions, it's extraordinarily difficult to detect with conventional tools.
The SPAWN Ecosystem
Alongside TRAILBLAZE and BRUSHFIRE, attackers deploy what researchers call the SPAWN malware suite — a modular toolkit that includes:
- SPAWNSLOTH — a log tampering tool that silences both local and remote syslog logging, effectively blinding your SOC to the attacker's activity
- SPAWNSNAIL — an SSH backdoor for persistent remote access
- SPAWNWAVE — a loader that combines multiple module capabilities and deploys additional implants or webshells as needed
Together, these tools give attackers persistent, covert, deeply-embedded access to your VPN appliance — and by extension, your entire internal network. And they're erasing their tracks the whole time.
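SPAWNSLOTH's job, as described above, is to silence local and remote syslog. The one thing an attacker cannot fake from the appliance is the absence of messages at the collector, so "this source went quiet" is a detection signal worth alerting on in its own right. The following is an added example, not from the original post and not vendor tooling, of two such checks run over a constructed set of syslog arrival timestamps: a hard gap check against a list of appliances you expect to hear from, and a rate comparison between the latest window and the one before it, which catches a normally chatty device that suddenly stops. Hostnames and timestamps are made up for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed sample: (arrival time, sending host) for messages seen at the
# syslog collector. vpn-gw-1 stops talking at 10:10; vpn-gw-2 keeps going.
SAMPLE_ARRIVALS = [
    ("2025-04-06T10:00:00", "vpn-gw-1"),
    ("2025-04-06T10:05:00", "vpn-gw-1"),
    ("2025-04-06T10:10:00", "vpn-gw-1"),
    ("2025-04-06T10:00:00", "vpn-gw-2"),
    ("2025-04-06T10:55:00", "vpn-gw-2"),
    ("2025-04-06T10:58:00", "vpn-gw-2"),
]


def last_seen(arrivals):
    """Map each host to the latest timestamp at which it sent anything."""
    seen = {}
    for ts, host in arrivals:
        t = datetime.fromisoformat(ts)
        if host not in seen or t > seen[host]:
            seen[host] = t
    return seen


def silent_sources(arrivals, expected_hosts, now_iso, max_gap_minutes):
    """Hosts that have sent nothing within max_gap_minutes of now_iso.

    A host in expected_hosts that never appears at all is also reported:
    a device that was silenced before the collector ever saw it looks
    identical to one that was never configured to log.
    """
    now = datetime.fromisoformat(now_iso)
    max_gap = timedelta(minutes=max_gap_minutes)
    seen = last_seen(arrivals)
    silent = []
    for host in expected_hosts:
        last = seen.get(host)
        if last is None or now - last > max_gap:
            silent.append(host)
    return sorted(silent)


def rate_change(arrivals, host, now_iso, window_minutes):
    """(previous-window count, latest-window count) for one host.

    Latest window is [now - w, now]; the previous one is [now - 2w, now - w).
    A drop to zero from a non-zero previous count is the log-tampering signal.
    """
    now = datetime.fromisoformat(now_iso)
    w = timedelta(minutes=window_minutes)
    prev = recent = 0
    for ts, h in arrivals:
        if h != host:
            continue
        t = datetime.fromisoformat(ts)
        if now - w <= t <= now:
            recent += 1
        elif now - 2 * w <= t < now - w:
            prev += 1
    return prev, recent


if __name__ == "__main__":
    expected = ["vpn-gw-1", "vpn-gw-2", "vpn-gw-3"]
    print("silent:", silent_sources(SAMPLE_ARRIVALS, expected, "2025-04-06T11:00:00", 30))
    for host in expected:
        print(host, "prev/recent:", rate_change(SAMPLE_ARRIVALS, host, "2025-04-06T11:00:00", 30))
```

The expected-host list is the important part: derive it from your asset inventory, not from whatever the collector happens to have seen, otherwise a device that was silenced early simply drops out of the picture.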
Why Your VPN Is the Perfect Target
Here's the uncomfortable structural truth that this vulnerability exposes: your VPN appliance is simultaneously the most critical and least protected piece of hardware in your organization.
It sits at the perimeter. By definition, it's exposed to the internet. Every attacker on the planet can reach it.
It often lacks EDR coverage. Traditional endpoint detection and response tools don't run on VPN appliances. These are specialized hardware devices — not Windows servers or Linux workstations that your security stack was designed to protect. As Mandiant noted, sophisticated actors "continue to research security vulnerabilities and develop custom malware for enterprise systems that don't support EDR solutions."
It runs legacy code. Many organizations are still running Pulse Connect Secure 9.x — a product line that Ivanti has officially declared end-of-life. Legacy devices remain vulnerable and are being actively exploited. No patches are coming. No fixes are planned.
It's trusted by default. VPN traffic is often treated as inherently legitimate by firewalls, internal security tools, and network monitoring systems. Once an attacker is inside your VPN appliance, they can move laterally through your network with significantly less friction.
Patches are slow. Patching a VPN appliance typically requires a maintenance window, change management approval, user communication, and rollback planning. In most enterprises, this takes weeks to months — and attackers know this.
The Ivanti Problem Isn't Just One CVE
It would be convenient if CVE-2025-22457 were an isolated incident. It's not.
Ivanti appears in CISA's Known Exploited Vulnerabilities catalog more than any other firewall, VPN, or router vendor over the past 17 months. Attackers exploited five separate Ivanti vulnerabilities in 2025 alone — and sixteen total since the beginning of 2024.
Mandiant's incident response data identified the Ivanti CVE-2023-46805 / CVE-2024-21887 pair as the second most frequently exploited vulnerability combination across all of their 2024 engagements, right behind a critical Palo Alto Networks GlobalProtect flaw.
The pattern is consistent: a vulnerability is disclosed, downplayed, patched with low urgency, and then mass-exploited by sophisticated state actors who studied the patch weeks before defenders applied it.
What You Should Do Right Now
If your organization uses any of the following products, stop reading and open a ticket immediately:
- Ivanti Connect Secure (any version earlier than 22.7R2.6)
- Pulse Connect Secure (any 9.x version — end-of-life, no fix available)
- Ivanti Policy Secure (any version earlier than 22.7R1.4)
- Ivanti ZTA Gateways (any version earlier than 22.8R2.2)
Immediate steps:
- Upgrade Ivanti Connect Secure to version 22.7R2.6 or later. This is the only complete fix.
- Run Ivanti's external Integrity Checker Tool (ICT). This is a tool provided by Ivanti specifically to detect signs of compromise on the appliance. Run it even if you've patched — if attackers got in before your patch, they may still be present.
- If ICT shows anomalies, perform a factory reset. Do not simply patch a potentially compromised device. Wipe it, reconfigure from scratch using the patched firmware.
- Review logs for unusual web process activity. Look for unexpected crashes, core dumps from web processes, and authentication anomalies — though note that SPAWNSLOTH may have already tampered with logs on compromised devices.
- For legacy 9.x devices: isolate and migrate immediately. There are no patches coming. These devices are being actively targeted. Take them offline or put them behind strict network controls until you can replace them.
- Restrict management interface access to trusted internal networks only. Your VPN appliance's admin panel should never be reachable from the open internet.
- Contact Ivanti Support if you identify any suspicious activity. They can provide guidance specific to your deployment.
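The first two items in the product list and the first step above reduce to one question per appliance: is the running version at or beyond the fixed release, or is the product end-of-life? The following is an added example, not from the original post and not an Ivanti tool, that parses Ivanti-style version strings and triages an inventory against the fixed versions named above. The comparison is numeric on each component, because a lexical comparison of strings such as "22.7R2.10" against "22.7R2.6" would rank the later build as older; the "22.7R2.10" and "22.7R3" strings and the hostnames in the sample inventory are made-up values used only to exercise that ordering. Products the page does not list are reported as unknown rather than guessed at.

```python
import re

# Fixed versions as stated in the remediation list above.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.4",
    "Ivanti ZTA Gateways": "22.8R2.2",
}
# Products with no fix available at all, per the same list.
END_OF_LIFE = {"Pulse Connect Secure"}

# Matches "22.7R2.6", "22.6R2", "9.1R18.9": major.minor R release [.patch]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn '22.7R2.6' into the tuple (22, 7, 2, 6); a missing patch counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(product, version):
    """Classify one appliance: patched, vulnerable, end-of-life, unparseable or unknown-product."""
    if product in END_OF_LIFE:
        return "end-of-life"
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return "unknown-product"
    try:
        return "patched" if parse_version(version) >= parse_version(fixed) else "vulnerable"
    except ValueError:
        return "unparseable"


def triage_inventory(inventory):
    """Group hosts by status so the vulnerable and end-of-life ones can be ticketed first.

    inventory: iterable of (hostname, product, version) tuples.
    """
    groups = {}
    for host, product, version in inventory:
        groups.setdefault(assess(product, version), []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample inventory; hostnames and the 22.7R3 build are placeholders.
SAMPLE_INVENTORY = [
    ("vpn-gw-1", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-gw-2", "Ivanti Connect Secure", "22.7R2.6"),
    ("vpn-gw-3", "Ivanti Connect Secure", "22.7R3"),
    ("legacy-gw", "Pulse Connect Secure", "9.1R18.9"),
    ("ips-1", "Ivanti Policy Secure", "22.7R1.3"),
    ("zta-1", "Ivanti ZTA Gateways", "22.8R2.2"),
    ("mystery", "Some Other Appliance", "1.0"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{status:16} {', '.join(hosts)}")
```

A "patched" result only means the firmware is at a fixed release; as the steps above say, it says nothing about whether the device was compromised before the upgrade, which is what the Integrity Checker Tool and a factory reset are for.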
The Bigger Picture
CVE-2025-22457 is a case study in several compounding failures that define modern enterprise security: a vendor that misclassified its own vulnerability's severity, a patch cycle that couldn't keep pace with adversary capabilities, endpoint security architectures that leave perimeter appliances unmonitored, and a corporate risk culture that treats VPN reliability as more important than VPN security.
Nation-state actors are not waiting for your quarterly patch window. They are studying firmware. They are reverse-engineering fixes. They are building memory-resident malware that leaves no footprints and silences your logs.
The VPN your company trusts is the front door to everything you're trying to protect. And right now, for thousands of organizations around the world, that door is open.