Full Report
UNC5221 has a knack for exploiting defects in Ivanti products. The group has exploited at least four vulnerabilities in the vendor’s products since 2023, according to Mandiant. The post China-backed espionage group hits Ivanti customers again appeared first on CyberScoop.
Analysis Summary
# Threat Actor: UNC5221
## Attribution & Identity
* **Attribution:** Nation-state backed espionage group linked to China (China-nexus espionage group).
* **Known Aliases:** UNC5221.
## Activity Summary
UNC5221 has been repeatedly and actively targeting customers of network security vendor Ivanti since 2023, with a recurring pattern of exploiting vulnerabilities in Ivanti products. The most recent activity involves exploiting the critical vulnerability **CVE-2025-22457** in Ivanti Connect Secure (ICS) VPN products starting in mid-March (prior to the disclosure/patch date of February 11th). The group has also demonstrated the ability to study vendor patches to find ways to exploit earlier product versions.
## Tactics, Techniques & Procedures
* **Vulnerability Exploitation:** Regularly targets and exploits defects, including zero-days, in Ivanti products.
* **Patch Analysis:** Sophisticated technique of studying vendor patches to reverse-engineer exploits for earlier, unpatched versions of software.
* **Exploitation Velocity:** Described as having an increasing velocity of cyber intrusion activity.
* **Weaponized Vulnerabilities:** Exploited at least four distinct Ivanti vulnerabilities since 2023:
  * CVE-2025-22457 (active exploitation since mid-March)
  * CVE-2025-0282 (zero-day)
  * CVE-2023-46805 (zero-day)
  * CVE-2024-21887 (zero-day)
* **Impact:** The exploitation of CVE-2025-22457 allows for Remote Code Execution (RCE).
## Targeting
* **Sectors:** Organizations using Ivanti products, focusing on network security devices and edge devices.
* **Geography:** Global (Implied by reporting on Ivanti customers worldwide).
* **Victims:** "A limited number of customers" using Ivanti Connect Secure 22.7R2.5 or earlier versions and Pulse Connect Secure 9.1x appliances were exploited.
## Tools & Infrastructure
* **Malware Families Used:** Not explicitly detailed in the summary provided.
* **Infrastructure (C2, domains, IPs):** Not explicitly detailed in the summary provided.
## Implications
The persistent and successful targeting of Ivanti products by UNC5221 signifies that edge devices remain a critical focus area for sophisticated, China-nexus espionage actors globally. The actors' ability to quickly reverse-engineer patches to exploit older versions indicates high technical proficiency and persistence, leading to ongoing compromise risks for organizations reliant on these widely deployed network security appliances.
## Mitigations
* Ensure all Ivanti Connect Secure customers are running version **22.7R2.6** immediately, which remediates CVE-2025-22457.
* Organizations using Pulse Connect Secure 9.1x appliances (unsupported) should migrate immediately.
* Patch/update Ivanti Policy Secure and Ivanti ZTA Gateways as vendor patches become available, since exploitation has been confirmed against the closely related ICS products.
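The mitigations above reduce to a version check, but Ivanti's `22.7R2.5`-style version strings do not sort correctly as plain strings, so a naive comparison will misclassify appliances. The following script is an added example (not code from the advisory, Mandiant or Ivanti) that parses that format, compares each Ivanti Connect Secure appliance against the fixed build 22.7R2.6, flags Pulse Connect Secure 9.1x as unsupported, and orders the findings worst-first. The hostnames and the inventory rows are constructed sample data; the product names and the "vulnerable/unsupported" rules are assumptions drawn only from the mitigations listed above.

```python
import re
from dataclasses import dataclass

# Facts taken from the summary above: ICS 22.7R2.6 remediates CVE-2025-22457,
# ICS 22.7R2.5 and earlier are affected, and Pulse Connect Secure 9.1x is
# unsupported and should be migrated. Hostnames and inventory rows below are
# constructed sample data, not real assets.
FIXED_ICS_VERSION = "22.7R2.6"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_ivanti_version(text: str) -> tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5) so versions compare as tuples.

    A missing trailing component (e.g. '22.7R2') is treated as .0, so it
    sorts below '22.7R2.1'. Anything else is rejected rather than guessed.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


@dataclass(frozen=True)
class Verdict:
    host: str
    product: str
    version: str
    status: str  # "patched", "vulnerable", "unsupported" or "unknown"
    action: str


def assess(host: str, product: str, version: str) -> Verdict:
    """Classify one appliance against the mitigations listed above."""
    if product == "Pulse Connect Secure":
        # 9.1x is end-of-life: there is no fixed build to move to.
        if version.startswith("9.1"):
            return Verdict(host, product, version, "unsupported",
                           "migrate off Pulse Connect Secure 9.1x")
        return Verdict(host, product, version, "unknown",
                       "not covered by this advisory; check vendor guidance")
    if product == "Ivanti Connect Secure":
        try:
            parsed = parse_ivanti_version(version)
        except ValueError:
            # Never silently treat an unparseable version as safe.
            return Verdict(host, product, version, "unknown",
                           "version string could not be parsed; verify manually")
        if parsed >= parse_ivanti_version(FIXED_ICS_VERSION):
            return Verdict(host, product, version, "patched", "none")
        return Verdict(host, product, version, "vulnerable",
                       f"upgrade to {FIXED_ICS_VERSION} (CVE-2025-22457)")
    return Verdict(host, product, version, "unknown",
                   "not covered by this advisory; check vendor guidance")


def triage(inventory: list[tuple[str, str, str]]) -> list[Verdict]:
    """Run assess() over (host, product, version) rows, worst findings first."""
    order = {"vulnerable": 0, "unsupported": 1, "unknown": 2, "patched": 3}
    verdicts = [assess(*row) for row in inventory]
    return sorted(verdicts, key=lambda v: order[v.status])


# Constructed inventory, shaped like an asset-management export.
SAMPLE_INVENTORY = [
    ("vpn-a.example.test", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-b.example.test", "Ivanti Connect Secure", "22.7R2.6"),
    ("vpn-c.example.test", "Ivanti Connect Secure", "22.7R2"),
    ("vpn-d.example.test", "Pulse Connect Secure", "9.1R18"),
    ("vpn-e.example.test", "Ivanti Connect Secure", "build-unknown"),
]

if __name__ == "__main__":
    for v in triage(SAMPLE_INVENTORY):
        print(f"{v.status:<11} {v.host:<20} {v.product} {v.version}: {v.action}")
```

The unparseable version is reported as `unknown` rather than `patched` on purpose: in a patch-velocity situation like the one described above, an inventory gap should surface for manual verification, not disappear into the "fixed" column.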