Listen to this Post
Ivanti has disclosed a critical vulnerability in Ivanti Connect Secure (CVE-2025-22457) that is being actively exploited in the wild by a China-nexus threat actor since mid-March 2025.
Key Details:
- Ivanti released ICS 22.7R2.6 on February 11, 2025 addressing CVE-2025-22457
- Initially believed low-risk (DoS), later found to enable remote code execution
- Active exploitation observed against ICS 9.X (EOL) and 22.7R2.5/earlier
- Two new malware families identified: TRAILBLAZE (in-memory dropper) and BRUSHFIRE (passive backdoor)
You Should Know:
Detection Commands:
Check running processes for suspicious activity ps aux | grep -i 'ivanti|pulse' Check network connections netstat -tulnp | grep -i 'ivanti|pulse' Search for recently modified files in Ivanti directories find /opt/ivanti /opt/pulsesecure -type f -mtime -7 -ls Check for unexpected cron jobs crontab -l cat /etc/crontab
Integrity Verification:
Verify package integrity on Linux systems
rpm -Va | grep -i 'ivanti|pulse'
Check file hashes against known good versions
find /opt/ivanti -type f -exec sha256sum {} \; > current_hashes.txt
diff current_hashes.txt known_good_hashes.txt
Network Monitoring:
Capture traffic on Ivanti ports (default 443) tcpdump -i eth0 port 443 -w ivanti_traffic.pcap Check for suspicious outbound connections netstat -antp | grep ESTABLISHED | grep -vE '(ivanti.com|pulsesecure.net)'
Windows Systems:
Check Ivanti services
Get-Service | Where-Object {$<em>.DisplayName -like "Ivanti" -or $</em>.DisplayName -like "Pulse"}
Check event logs for Ivanti/Pulse related errors
Get-WinEvent -LogName "Application","System" | Where-Object {$<em>.Message -like "Ivanti" -or $</em>.Message -like "Pulse"}
Mitigation Steps:
1. Immediately upgrade to ICS 22.7R2.6 or later
2. Run Ivanti’s Integrity Checker Tool (ICT)
3. Isolate compromised systems
- Reset all credentials that may have traversed the VPN
5. Monitor for TRAILBLAZE and BRUSHFIRE malware indicators
What Undercode Say:
This critical vulnerability demonstrates the ongoing targeting of VPN infrastructure by advanced threat actors. The rapid weaponization of what was initially considered a low-risk vulnerability highlights the importance of:
– Implementing zero-trust architecture principles
– Maintaining rigorous patch management processes
– Conducting frequent integrity checks on critical infrastructure
– Monitoring for both active threats and passive backdoors
The discovery of two new malware families specifically designed for this platform suggests long-term planning by the threat actors. Organizations should assume compromised credentials and implement credential rotation even after patching.
Expected Output:
System scan completed. Found 3 modified Ivanti configuration files. Checking network connections... 2 active VPN sessions detected. Verifying package integrity... 1 corrupted library found.
Reference URLs:
- Ivanti Security Advisory: https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457
- Threat Intelligence Report: https://lnkd.in/ek69Yi_z
References:
Reported By: Charlescarmakal Critical – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
