Threat and Vulnerability Intelligence Database

CVE-2025-22457

🚨 Marked as known exploited on April 10th, 2025 (8 days ago).
Description: Ivanti released security updates to address vulnerabilities (CVE-2025-22457) in Ivanti Connect Secure, Policy Secure & ZTA Gateways. A cyber threat actor could exploit CVE-2025-22457 to take control of an affected system. CISA has added CVE-2025-22457 to its Known Exploited Vulnerabilities Catalog.

See the following resources for more guidance:
- April Security Update | Ivanti
- April Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-22457)
- Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457) | Google Cloud Blog

For any instances of Ivanti Connect Secure that were not updated by Feb. 28, 2025, to the latest Ivanti patch (22.7R2.6) and all instances of Pulse Connect Secure (EoS), Policy Secure, and ZTA Gateways, CISA urges users and administrators to implement the following actions:
- Conduct threat hunting actions: Run an external Integrity Checker Tool (ICT). For more guidance, see Ivanti’s instructions. Conduct threat hunt actions on any systems connected to, or recently connected to, the affected Ivanti device.
- If threat hunting actions determine no compromise: For the highest level of confidence, conduct a factory reset. For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device. Apply the patch described in Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-22457). Please note that patches for Ivanti...

CVSS: CRITICAL (9.0)

EPSS Score: 9.86%

Source: All CISA Advisories
April 4th, 2025 (13 days ago)
Description: The vendor had originally assessed the flaw as low risk but now says it is a critical issue that enables remote code execution.
Source: Dark Reading
April 3rd, 2025 (14 days ago)
Description: Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025. [...]
Source: BleepingComputer
April 3rd, 2025 (14 days ago)

CVE-2025-22457

🚨 Marked as known exploited on April 3rd, 2025 (14 days ago).
Description: On Thursday, April 3, 2025, Ivanti disclosed a critical security vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure (“ICS”) VPN appliances version 22.7R2.5 and earlier. CVE-2025-22457 is a buffer overflow vulnerability, and successful exploitation would result in remote code execution. Mandiant and Ivanti have identified evidence of active exploitation in the wild against ICS 9.X (end of life) and 22.7R2.5 and earlier versions. Ivanti and Mandiant encourage all customers to upgrade as soon as possible. The earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025. Following successful exploitation, we observed the deployment of two newly identified malware families, the TRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor. Additionally, deployment of the previously reported SPAWN ecosystem of malware attributed to UNC5221 was also observed. UNC5221 is a suspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge devices dating back to 2023. A patch for CVE-2025-22457 was released in ICS 22.7R2.6 on February 11, 2025. The vulnerability is a buffer overflow with a limited character space, and therefore it was initially believed to be a low-risk denial-of-service vulnerability. We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achiev...

CVSS: CRITICAL (9.0)

EPSS Score: 9.86%

SSVC Exploitation: none

Source: CVE
April 3rd, 2025 (14 days ago)
🚨 Marked as known exploited on April 10th, 2025 (8 days ago).
Description: Written by: John Wolfram, Michael Edie, Jacob Thompson, Matt Lin, Josh Murchie. On Thursday, April 3, 2025, Ivanti disclosed a critical security vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure (“ICS”) VPN appliances version 22.7R2.5 and earlier. CVE-2025-22457 is a buffer overflow vulnerability, and successful exploitation would result in remote code execution. Mandiant and Ivanti have identified evidence of active exploitation in the wild against ICS 9.X (end of life) and 22.7R2.5 and earlier versions. Ivanti and Mandiant encourage all customers to upgrade as soon as possible. The earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025. Following successful exploitation, we observed the deployment of two newly identified malware families, the TRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor. Additionally, deployment of the previously reported SPAWN ecosystem of malware attributed to UNC5221 was also observed. UNC5221 is a suspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge devices dating back to 2023. A patch for CVE-2025-22457 was released in ICS 22.7R2.6 on February 11, 2025. The vulnerability is a buffer overflow with a limited character space, and therefore it was initially believed to be a low-risk denial-of-service vulnerability. We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a ...

EPSS Score: 9.86%

Source: Google Threat Intelligence
April 3rd, 2025 (14 days ago)
Description: A recent alert from CISA builds on previous research about a vulnerability in Ivanti products that China-linked hackers have used to insert malware into networks.
Source: The Record
April 2nd, 2025 (15 days ago)
Description: More than a year away from leading the NSA and Cyber Command, Paul Nakasone told the Click Here podcast that they could ask him anything. So they did. About China, AI, DOGE and more.
Source: The Record
April 1st, 2025 (16 days ago)
Description: Cybersecurity researchers have shed light on a new China-linked threat actor called Earth Alux that has targeted various key sectors such as government, technology, logistics, manufacturing, telecommunications, IT services, and retail in the Asia-Pacific (APAC) and Latin American (LATAM) regions. "The first sighting of its activity was in the second quarter of 2023; back then, it was
Source: TheHackerNews
April 1st, 2025 (16 days ago)

CVE-2025-3002

Description: A vulnerability, which was classified as critical, has been found in Digital China DCME-520 up to 20250320. This issue affects some unknown processing of the file /usr/local/WWW/function/audit/newstatistics/mon_merge_stat_hist.php. The manipulation of the argument type_name leads to OS command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

CVSS: MEDIUM (6.9)

EPSS Score: 2.14%

Source: CVE
March 31st, 2025 (17 days ago)
Source: TheRegister
March 31st, 2025 (18 days ago)