On April 3, 2025, Ivanti disclosed a critical vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure (ICS) VPN appliances version 22.7R2.5 and earlier. The flaw, initially underestimated as a denial-of-service risk, was later found to be a buffer overflow that allows remote code execution. Mandiant observed exploitation beginning in mid-March 2025, with the attackers deploying TRAILBLAZE, an in-memory dropper, and BRUSHFIRE, a passive backdoor. Malware from the previously known SPAWN ecosystem, associated with the China-linked UNC5221 espionage group, was deployed as well. This indicates that the threat actor likely analyzed the patch for 22.7R2.6 and crafted a working exploit for unpatched versions.
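Since the advisory gives the affected range as 22.7R2.5 and earlier with the fix in 22.7R2.6, a first defensive step is checking the appliance inventory against that boundary. The following is an added example, not code from the article or from Ivanti; it assumes the version strings follow the MAJOR.MINOR R RELEASE[.PATCH] shape seen in the advisory and uses a constructed inventory.

```python
import re
from typing import Dict, Tuple

# Boundary as stated in the advisory summary: ICS 22.7R2.5 and earlier are
# affected by CVE-2025-22457; 22.7R2.6 is the first fixed release.
LAST_AFFECTED = (22, 7, 2, 5)

# Assumed version-string shape: MAJOR.MINOR R RELEASE [.PATCH], e.g. 22.7R2.5
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_ics_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch part counts as 0
    so that '22.7R2' orders before '22.7R2.1'. Unknown shapes raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ICS version string: {text!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_affected(version: str) -> bool:
    """True when the version is 22.7R2.5 or earlier (the range the advisory names)."""
    return parse_ics_version(version) <= LAST_AFFECTED


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each hostname to 'patch', 'ok' or 'unknown'; unparsable versions are
    reported rather than silently skipped, since those boxes still need a look."""
    verdicts = {}
    for host, version in inventory.items():
        try:
            verdicts[host] = "patch" if is_affected(version) else "ok"
        except ValueError:
            verdicts[host] = "unknown"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "vpn-a.example.internal": "22.7R2.5",   # patch
        "vpn-b.example.internal": "22.7R2.6",   # ok
        "vpn-c.example.internal": "22.7R1",     # patch (earlier than 22.7R2.5)
        "vpn-d.example.internal": "n/a",        # unknown
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

Anything reported as "patch" or "unknown" should be prioritised for the 22.7R2.6 update and for a review of the web process described below.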
Post-exploitation activity revealed the use of a shell-script dropper to inject TRAILBLAZE and BRUSHFIRE into a live web process, avoiding persistence and focusing on stealth. TRAILBLAZE leverages raw syscalls and Base64 encoding to stay lightweight, while BRUSHFIRE hooks into SSL_read to execute encrypted payloads. The actor also used other SPAWN components such as SPAWNSLOTH (log tampering), SPAWNSNARE (kernel image extraction and encryption), and SPAWNWAVE (an evolved implant utility).