CISA Urges Patching For ‘Critical’ Ivanti VPN Flaw Exploited In Attacks
Exploitation of the Ivanti Connect Secure vulnerability may be linked to a China-based espionage group, according to Mandiant researchers.
A critical-severity vulnerability in Ivanti’s Connect Secure VPN that has seen exploitation in recent cyberattacks should be fixed with available patches as soon as possible, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Friday.
The flaw (tracked as CVE-2025-22457) can be exploited to achieve remote code execution, and researchers have identified “evidence of active exploitation in the wild,” researchers at Google Cloud-owned Mandiant said in a blog post.
According to Mandiant, the attacks may be linked to a China-based espionage group that is believed to have been behind the mass exploitation of Ivanti Connect Secure devices in early 2024.
The group, UNC5221, is believed to have compromised thousands of Ivanti VPN devices during the wave of 2024 attacks, with the list of victims including CISA.
In the latest attacks targeting Ivanti VPN customers, deployment of an “ecosystem of malware attributed to UNC5221 was also observed,” Mandiant researchers wrote in the post.
The attacks are believed to have begun as far back as mid-March, according to the researchers.
In an advisory posted Thursday and updated Friday, Ivanti said it is “aware of a limited number of customers” exploited in the attacks.
The vulnerability affects Ivanti Connect Secure version 22.7R2.5 or earlier, as well as Pulse Connect Secure 9.1x devices, which reached end-of-support at the end of 2024 and no longer receive code fixes, according to Ivanti.
A fixed version of Ivanti Connect Secure (22.7R2.6) has been available since Feb. 11, the company said. The vulnerability was addressed in the update after it was “initially identified as a product bug,” Ivanti said in its advisory.
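As an added example (not from Ivanti, CISA or the article), the following Python triage script turns the affected-version statement above into a check that can be run over an asset inventory. It assumes the advisory's version format (major.minor R release.patch, as in 22.7R2.5), treats any numerically earlier 22.x release as "earlier", and treats a missing patch number as 0; the hostnames and versions in the sample inventory are constructed.

```python
import re

# Boundaries taken from the advisory summary in the article.
LAST_VULNERABLE = (22, 7, 2, 5)   # Ivanti Connect Secure 22.7R2.5 or earlier is affected
FIXED_VERSION = "22.7R2.6"        # fixed release, available since Feb. 11
EOL_MAJOR_MINOR = (9, 1)          # Pulse Connect Secure 9.1x: end-of-support, no fix

# Assumed version shape: "22.7R2.5"; a trailing ".patch" component is optional.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn an ICS/PCS version string such as '22.7R2.5' into a comparable tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(version_text):
    """Classify one appliance version against the advisory's affected ranges."""
    v = parse_version(version_text)
    if v is None:
        return "unknown", "unparseable version string; verify manually"
    if v[:2] == EOL_MAJOR_MINOR:
        return "eol", "9.1x is end-of-support with no fix; migrate off the appliance"
    if v <= LAST_VULNERABLE:
        return "vulnerable", f"upgrade to {FIXED_VERSION} or later"
    return "patched", "not in the affected range"


def triage(inventory):
    """Run assess() over {hostname: version} and return {hostname: (status, action)}."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "vpn-hq-01": "22.7R2.5",
    "vpn-hq-02": "22.7R2.6",
    "vpn-branch-01": "22.6R2.3",
    "vpn-legacy-01": "9.1R18.9",
    "vpn-lab-01": "build-unknown",
}

if __name__ == "__main__":
    for host, (status, action) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:15} {status:10} {action}")
```

A version check alone does not prove an appliance is clean; the article notes that Ivanti's Integrity Checker Tool is what surfaced the compromises, so run it alongside this inventory pass.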
Originally, the flaw was “evaluated and determined not to be exploitable as remote code execution,” the company said. “However, Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild.”
The vulnerability has received a “critical” severity rating of 9.0 out of 10.0.
On Friday, CISA added the flaw to its catalog of vulnerabilities known to have been exploited in the wild.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in its advisory.
While the order only applies to Federal Civilian Executive Branch agencies, CISA “strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [such] vulnerabilities as part of their vulnerability management practice,” the agency said Friday.
In a statement, Ivanti said that its Integrity Checker Tool, or ICT, initially identified the compromise — after which the company “quickly investigated, identified the vulnerability and disclosed it to customers.”
“Customers running supported versions on their appliances and in accordance with the guidance provided by Ivanti have a significantly reduced risk,” the company said, while customers “running ICS 9.X (end of life) and 22.7R2.5 and earlier are encouraged to upgrade as soon as possible and follow the other actions outlined in the Security Advisory.”
“Ivanti’s ICT has been successful in detecting potential compromise on a limited number of customers running ICS 9.X (end of life) and 22.7R2.5 and earlier versions,” the company said in the statement.
In mid-January, attacks exploiting a previously disclosed critical vulnerability in Ivanti Connect Secure (tracked as CVE-2025-0282) were linked by Mandiant researchers to a China-based threat actor, tracked as UNC5337. The group may be part of UNC5221, the researchers said at the time.
