Full Report
UNC5221 has a knack for exploiting defects in Ivanti products. The group has exploited at least four vulnerabilities in the vendor’s products since 2023, according to Mandiant. The post China-backed espionage group hits Ivanti customers again appeared first on CyberScoop.
Analysis Summary
# Threat Actor: UNC5221
## Attribution & Identity
China-backed nation-state espionage group. Tracked by Google Threat Intelligence Group as UNC5221. Associated with China-nexus espionage activity.
## Activity Summary
UNC5221 has been actively exploiting customers of Ivanti products, specifically targeting edge devices and VPN software. They are noted for their recurring success in exploiting vulnerabilities in Ivanti products, having exploited at least four vulnerabilities since 2023.
The most recent activity centers on the exploitation of **CVE-2025-22457** in Ivanti Connect Secure since mid-March. The group demonstrated sophistication by studying vendor patches to find ways to exploit earlier versions of the product, leveraging flaws that may have been considered lower risk initially.
## Tactics, Techniques & Procedures
- Exploiting software defects/vulnerabilities in Ivanti products (VPNs, Connect Secure, Policy Secure, ZTA Gateways).
- **Exploitation of CVE-2025-22457**: a stack-based buffer overflow in Ivanti Connect Secure that allows remote code execution (RCE).
- Prior exploitation of vulnerabilities including **CVE-2025-0282**, **CVE-2023-46805**, and **CVE-2024-21887** (a trio of zero-day vulnerabilities).
- Sophisticated reverse-engineering of patches to devise novel exploitation methods.
## Targeting
- Sectors: Undetermined, but heavily focused on organizations using Ivanti edge/VPN products.
- Geography: Global targeting of Ivanti customers.
- Victims: A "limited number of customers" using Ivanti Connect Secure 22.7R2.5 or earlier versions and unsupported Pulse Connect Secure 9.1x appliances.
## Tools & Infrastructure
- Malware families used: Not explicitly detailed in the provided text.
- Infrastructure (C2, domains, IPs): Not explicitly detailed in the provided text.
## Implications
UNC5221 demonstrates a high level of proficiency and persistence, heavily focusing on easily compromised edge infrastructure (like VPNs). The velocity and sophistication of China-nexus espionage actors are reportedly increasing. The repeated, successful, and sophisticated targeting of a single vendor (Ivanti) highlights a significant recurring risk vector for organizations globally relying on those products.
## Mitigations
- Customers using Ivanti Connect Secure should immediately ensure they are running version **22.7R2.6** or later to remediate CVE-2025-22457.
- Organizations using older, unsupported Pulse Connect Secure 9.1x appliances should migrate immediately.
- Organizations using Ivanti Policy Secure and Ivanti ZTA Gateways should await and apply patches as soon as they are released later this month.
- Expect continued sophisticated targeting of network security and edge devices by China-nexus actors.
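As an added example (not code from CyberScoop, Mandiant, or Ivanti), the following script applies the version guidance above to a constructed appliance inventory. The fixed release 22.7R2.6 comes from the summary; the `major.minorRrelease.patch` parsing scheme, the hostnames, and all version strings other than 22.7R2.6 are assumptions.

```python
import re
from typing import Tuple

# Patched Ivanti Connect Secure release named in the advisory summary above.
ICS_FIXED = "22.7R2.6"

# Assumed version scheme: <major>.<minor>R<release>[.<patch>], e.g. "22.7R2.5".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(ver: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into a numerically comparable tuple (22, 7, 2, 5)."""
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def assess(product: str, version: str) -> str:
    """Classify one appliance against the summary's mitigation guidance."""
    v = parse_version(version)
    if product == "Pulse Connect Secure" and v[:2] == (9, 1):
        return "unsupported: migrate"          # 9.1x appliances are end of life
    if product == "Ivanti Connect Secure":
        if v < parse_version(ICS_FIXED):       # numeric compare, so R2.10 > R2.6
            return f"vulnerable to CVE-2025-22457: upgrade to {ICS_FIXED}"
        return "patched"
    # Policy Secure and ZTA Gateways: fix not yet released per the summary.
    return "awaiting vendor patch"


# Constructed sample inventory; hostnames and versions are made up.
INVENTORY = [
    ("vpn-a.example.internal", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-b.example.internal", "Ivanti Connect Secure", "22.7R2.6"),
    ("vpn-c.example.internal", "Ivanti Connect Secure", "22.6R2.3"),
    ("legacy.example.internal", "Pulse Connect Secure", "9.1R18.9"),
    ("nac.example.internal", "Ivanti Policy Secure", "22.7R1.3"),
]


def triage(inventory=INVENTORY) -> dict:
    """Return {hostname: status} for every appliance in the inventory."""
    return {host: assess(prod, ver) for host, prod, ver in inventory}


if __name__ == "__main__":
    for host, status in triage().items():
        print(f"{host:28s} {status}")
```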