Other
Ivanti Connect Secure zero-day exploitation CVE-2025-22457 (UNC5221 / China-nexus)
Primary Source
Incident Details
CVE-2025-22457 is a stack-based buffer overflow in Ivanti Connect Secure. Ivanti fixed it on 11 February 2025 in release 22.7R2.6 but initially classified it as a low-risk denial-of-service bug, reasoning that the overflowable input was limited to digits and periods and so could not be turned into code execution. UNC5221, a suspected China-nexus espionage group, reverse-engineered the patch, worked out that remote code execution was achievable against unpatched 22.7R2.5 and earlier, and began exploiting internet-facing appliances in mid-March 2025. Mandiant and Google Threat Intelligence Group (GTIG) confirmed the exploitation and attributed it to UNC5221. Malware deployed: the TRAILBLAZE in-memory dropper, the BRUSHFIRE passive backdoor, and the SPAWN ecosystem of implants. Shadowserver counted 5,113 unpatched instances on 6 April 2025. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog. Mandiant also identified zero-day exploitation of a separate Ivanti Connect Secure flaw, CVE-2025-0282, beginning in mid-December 2024 (an earlier, distinct campaign).
Technical Details
- Initial Attack Vector
- CWE-121: Stack-based Buffer Overflow (CVE-2025-22457: stack buffer overflow in Ivanti Connect Secure enabling remote code execution)
- Vendor / Product
- Ivanti Connect Secure VPN (22.7R2.5 and earlier vulnerable; fixed in 22.7R2.6. ICS 9.x is end-of-life and unsupported)
- Malware Family
- TRAILBLAZE (in-memory dropper), BRUSHFIRE (passive backdoor), SPAWN ecosystem
- CVE / GHSA References
- CVE-2025-22457
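The version facts in this entry (22.7R2.5 and earlier exploited, 22.7R2.6 fixed, 9.x end-of-life) are what a responder needs for a first fleet triage. The script below is an added example written for this page, not Ivanti or Mandiant code: it parses the release string shown in the ICS admin console (format `MAJOR.MINOR R REL[.PATCH]`, e.g. `22.7R2.5`, with any trailing build annotation ignored) and classifies each appliance against the fixed release. The inventory is constructed sample data.

```python
import re
from typing import Dict, Optional, Tuple

# Release in which CVE-2025-22457 was fixed, as stated in the entry (22.7R2.6).
FIXED_RELEASE: Tuple[int, int, int, int] = (22, 7, 2, 6)

# Matches strings such as "22.7R2.5", "9.1R18.9" or "22.7R2" (patch level optional).
# Anything after the version (e.g. a build annotation) is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_ics_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn an ICS release string into a comparable (major, minor, release, patch) tuple.

    Returns None when the string does not look like an ICS version at all,
    so callers can report it as unknown rather than silently marking it safe.
    """
    m = _VERSION_RE.match(text)
    if m is None:
        return None
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(version_text: str) -> str:
    """Classify one appliance against CVE-2025-22457.

    'end-of-life'  - 9.x train: unsupported, no fix; treat as exposed and migrate.
    'vulnerable'   - 22.x below 22.7R2.6 (includes 22.7R2.5 and earlier).
    'patched'      - 22.7R2.6 or later.
    'unknown'      - string could not be parsed; needs a manual look.
    """
    parsed = parse_ics_version(version_text)
    if parsed is None:
        return "unknown"
    if parsed[0] < 22:
        return "end-of-life"
    if parsed < FIXED_RELEASE:
        return "vulnerable"
    return "patched"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> verdict for a whole inventory of hostname -> version string."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames, versions and build tag are made up).
SAMPLE_INVENTORY = {
    "vpn-eu-1": "22.7R2.5",
    "vpn-eu-2": "22.7R2.6 (build 1234)",
    "vpn-us-1": "22.6R2.3",
    "vpn-legacy": "9.1R18.9",
    "vpn-lab": "n/a",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {SAMPLE_INVENTORY[host]:24} {verdict}")
```

A "patched" verdict only means the appliance is past the fix for this CVE; given the mid-March exploitation window, anything that ran 22.7R2.5 or earlier while exposed still warrants the compromise checks (Integrity Checker Tool, review for TRAILBLAZE/BRUSHFIRE/SPAWN artifacts) rather than being closed out on version alone.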
Timeline
- 2025-03-15 Exploitation began (mid-March 2025; exact date approximate)
- 2025-04-03 Publicly disclosed (Ivanti advisory; Mandiant/GTIG report)
- 2025-04-03 Customers notified