
Ivanti CVE-2025-22457: RCE vulnerability

Published: 8 April 2025

Prepared by: Adam Skupien, Vulnerability Security Analyst

 


Purpose

This bulletin addresses a critical stack-based buffer overflow vulnerability affecting multiple Ivanti products (CVE-2025-22457) which could allow a remote unauthenticated attacker to achieve remote code execution.

Ivanti have confirmed that a limited number of their customers’ Connect Secure 22.7R2.5 or Pulse Connect Secure 9.1x appliances have been exploited in the wild. Organisations using affected Ivanti products are urged to implement the remediation measures outlined below. A patch for Ivanti Connect Secure has been available since 11 February 2025. 

On 4 April 2025, the Australian Cyber Security Centre (ACSC) issued an advisory on CVE-2025-22457, recommending that affected organisations ensure their Ivanti solutions are patched and configured in line with Ivanti’s official guidance.


Vulnerability details

On 3 April 2025 Ivanti released a security update disclosing that a limited number of their customers’ Connect Secure 22.7R2.5 or Pulse Connect Secure 9.1x appliances have been exploited using CVE-2025-22457.

Mandiant has observed active exploitation of this vulnerability in the wild, including the use of the custom malware families TRAILBLAZE (an in-memory dropper) and BRUSHFIRE (a passive backdoor), which are injected into the running /home/bin/web process to establish persistent access.

Organisations are urged to investigate whether they have been compromised and to apply the Ivanti Connect Secure patch released on 11 February 2025. Pulse Connect Secure 9.1x reached end-of-support on 31 December 2024; customers still using this product were advised to contact Ivanti to discuss a migration path or to migrate to another solution.

The following products are affected: 

  • Pulse Connect Secure 9.1R18.9 and prior (Reached end-of-support on 31 December 2024) 
  • Ivanti Connect Secure 22.7R2.5 and prior
  • Ivanti Policy Secure 22.7R1.3 and prior
  • ZTA Gateways 22.8R2 and prior.

Pulse Connect Secure is no longer supported, and customers are advised to migrate to Ivanti Connect Secure or another secure solution. 

Ivanti Policy Secure is not intended to be internet-facing, and Ivanti has not observed exploitation of this product. A patch is in development and scheduled for release on 21 April 2025.

Ivanti ZTA Gateways are not exploitable in production. However, if a gateway is generated and left unconnected to a controller, it may be vulnerable. A patch is scheduled for automatic deployment on 19 April 2025. 


Impact

Successful exploitation could allow a remote unauthenticated attacker to execute code on the appliance, potentially leading to unauthorised access to internal networks and lateral movement.


Mitigation Actions

Organisations running impacted versions of Ivanti products should take the following actions: 

Pulse Connect Secure should be taken offline as it is no longer supported; organisations are advised to contact Ivanti to migrate to Ivanti Connect Secure or to migrate to another solution.

Ivanti Connect Secure should be updated to version 22.7R2.6 or above. 

Ivanti Policy Secure should be deployed in accordance with Ivanti’s guidelines and not be exposed to the internet. Apply the patch scheduled for release on 21 April 2025 once available. 

ZTA Gateways should be deployed in accordance with Ivanti’s guidelines. Deploy only in production environments connected to a ZTA controller. Ensure automatic updates are enabled to receive the patch on 19 April 2025. 


Detection Capabilities

Detection logic for this vulnerability has been integrated into vulnerability scanning tools by vendors such as Rapid7 and Qualys. For example: 

Qualys customers can scan using QID 732234 to identify potentially affected Ivanti Connect Secure systems, or QID 732410 to identify potentially affected Ivanti Policy Secure systems. 

Mandiant have published the following Indicators of Compromise related to CVE-2025-22457, which can aid in hunting for compromised systems:

Code Family   MD5                                 Filename                  Description
TRAILBLAZE    4628a501088c31f53b5c9ddf6788e835    /tmp/.i                   In-memory dropper
BRUSHFIRE     e5192258c27e712c7acf80303e68980b    /tmp/.r                   Passive backdoor
SPAWNSNARE    6e01ef1367ea81994578526b3bd331d6    /bin/dsmain               Kernel extractor & encryptor
SPAWNWAVE     ce2b6a554ae46b5eb7d79ca5e7f440da    /lib/libdsupgrade.so      Implant utility
SPAWNSLOTH    10659b392e7f5b30b375b94cae4fdca0    /tmp/.liblogblock.so      Log tampering utility


The following YARA detection rules were also published by Mandiant:

rule M_APT_Installer_SPAWNANT_1
{
    meta:
        author = "Mandiant"
        description = "Detects SPAWNANT. SPAWNANT is an Installer targeting Ivanti devices. Its purpose is to persistently install other malware from the SPAWN family (SPAWNSNAIL, SPAWNMOLE) as well as drop additional webshells on the box."

    strings:
        $s1 = "dspkginstall" ascii fullword
        $s2 = "vsnprintf" ascii fullword
        $s3 = "bom_files" ascii fullword
        $s4 = "do-install" ascii
        $s5 = "ld.so.preload" ascii
        $s6 = "LD_PRELOAD" ascii
        $s7 = "scanner.py" ascii

    condition:
        uint32(0) == 0x464c457f and 5 of ($s*)
}

rule M_Utility_SPAWNSNARE_1
{
    meta:
        author = "Mandiant"
        description = "SPAWNSNARE is a utility written in C that targets Linux systems by extracting the uncompressed Linux kernel image into a file and encrypting it with AES."

    strings:
        $s1 = "\x00extract_vmlinux\x00"
        $s2 = "\x00encrypt_file\x00"
        $s3 = "\x00decrypt_file\x00"
        $s4 = "\x00lbb_main\x00"
        $s5 = "\x00busybox\x00"
        $s6 = "\x00/etc/busybox.conf\x00"

    condition:
        uint32(0) == 0x464c457f and all of them
}

rule M_APT_Utility_SPAWNSLOTH_2
{
    meta:
        author = "Mandiant"
        description = "Hunting rule to identify strings found in SPAWNSLOTH"

    strings:
        $dslog = "dslogserver" ascii fullword
        $hook1 = "g_do_syslog_servers_exist" ascii fullword
        $hook2 = "ZN5DSLog4File3addEPKci" ascii fullword
        $hook3 = "funchook" ascii fullword

    condition:
        uint32(0) == 0x464c457f and all of them
}

 
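As an added worked example (not code from Mandiant, Ivanti or this bulletin), the following Python script applies the two detection sources above to an offline copy of an appliance filesystem: it matches files against the MD5 and path columns of the IOC table, and it re-implements the logic of M_Utility_SPAWNSNARE_1 (ELF magic at offset 0 plus all six NUL-delimited strings) without needing a YARA engine. The fixture it builds is constructed for the demonstration and contains no real malware; the directory layout, the fake ELF contents and the function names are assumptions.

```python
"""Offline IOC and string-rule hunt for the CVE-2025-22457 post-exploitation tooling.

Added illustration only. Run it against a filesystem image copied off the appliance,
e.g. `python hunt.py /mnt/ics-root`; with no argument it hunts a constructed fixture.
"""
import hashlib
import os
import struct
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Mandiant IOC table as quoted in the bulletin: MD5 -> (family, path on the appliance).
IOCS: Dict[str, Tuple[str, str]] = {
    "4628a501088c31f53b5c9ddf6788e835": ("TRAILBLAZE", "/tmp/.i"),
    "e5192258c27e712c7acf80303e68980b": ("BRUSHFIRE", "/tmp/.r"),
    "6e01ef1367ea81994578526b3bd331d6": ("SPAWNSNARE", "/bin/dsmain"),
    "ce2b6a554ae46b5eb7d79ca5e7f440da": ("SPAWNWAVE", "/lib/libdsupgrade.so"),
    "10659b392e7f5b30b375b94cae4fdca0": ("SPAWNSLOTH", "/tmp/.liblogblock.so"),
}
# Path -> family, so a recompiled binary dropped at a known path is still flagged.
IOC_PATHS: Dict[str, str] = {path: family for family, path in IOCS.values()}

# YARA's uint32(0) is read little-endian, so 0x464c457f is the ELF magic b"\x7fELF".
ELF_MAGIC = 0x464C457F

# Strings from M_Utility_SPAWNSNARE_1; the NULs on each side anchor on whole symbol names.
SPAWNSNARE_STRINGS = [
    b"\x00extract_vmlinux\x00",
    b"\x00encrypt_file\x00",
    b"\x00decrypt_file\x00",
    b"\x00lbb_main\x00",
    b"\x00busybox\x00",
    b"\x00/etc/busybox.conf\x00",
]


def is_elf(data: bytes) -> bool:
    """Equivalent of the YARA condition `uint32(0) == 0x464c457f`."""
    return len(data) >= 4 and struct.unpack("<I", data[:4])[0] == ELF_MAGIC


def matches_spawnsnare(data: bytes) -> bool:
    """Mirror of M_Utility_SPAWNSNARE_1: ELF magic and all six strings present."""
    return is_elf(data) and all(s in data for s in SPAWNSNARE_STRINGS)


def hunt(root: Path) -> List[Dict[str, str]]:
    """Walk the offline filesystem at `root` and return every IOC hit found."""
    hits: List[Dict[str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = "/" + p.relative_to(root).as_posix()  # path as it was on the appliance
            data = p.read_bytes()  # fine for appliance-sized files; stream the hash for huge ones
            digest = hashlib.md5(data).hexdigest()
            if digest in IOCS:
                hits.append({"path": rel, "reason": "md5", "family": IOCS[digest][0]})
            elif rel in IOC_PATHS:
                hits.append({"path": rel, "reason": "path", "family": IOC_PATHS[rel]})
            if matches_spawnsnare(data):
                hits.append({"path": rel, "reason": "yara:SPAWNSNARE", "family": "SPAWNSNARE"})
    return sorted(hits, key=lambda h: (h["path"], h["reason"]))


def build_sample_root(root: Path) -> None:
    """Constructed fixture (assumed layout, no real malware): a file squatting on the
    BRUSHFIRE path, a fake ELF carrying the SPAWNSNARE strings, and a benign ELF."""
    (root / "tmp").mkdir(parents=True, exist_ok=True)
    (root / "bin").mkdir(parents=True, exist_ok=True)
    (root / "tmp" / ".r").write_bytes(b"placeholder sitting at the BRUSHFIRE IOC path")
    fake_elf = b"\x7fELF" + b"\x00" * 60 + b"".join(SPAWNSNARE_STRINGS) + b"\x00" * 16
    (root / "bin" / "dsmain").write_bytes(fake_elf)
    (root / "bin" / "ls").write_bytes(b"\x7fELF" + b"\x00busybox\x00")  # one string only


def demo() -> List[Dict[str, str]]:
    """Build the constructed fixture in a temporary directory and hunt it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_root(root)
        return hunt(root)


if __name__ == "__main__":
    results = hunt(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for hit in results:
        print(f"{hit['path']:<28} {hit['reason']:<18} {hit['family']}")
```

Two points the script makes that the rules alone do not: YARA's uint32(0) is little-endian, so the condition is simply "starts with \x7fELF", and a hash-only hunt is brittle because the actor can recompile, which is why anything at a known IOC path or matching the string rule is reported even when its MD5 differs. Since SPAWNSLOTH exists to tamper with logging, treat output from a running, possibly compromised appliance with suspicion and hunt over an image taken from it instead.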

Triskele Labs DefenceShield customers using our Assess (Vulnerability Scanning service) and Monitor (24×7 SIEM) solutions are being actively assessed and monitored for indicators of compromise (IOCs) and lateral movement. 

 

References