Same suspected Chinese spies again attacking Ivanti bugs
Briefly

A Chinese government-linked espionage group, identified as UNC5221, has been attacking organizations by exploiting two Ivanti vulnerabilities, CVE-2025-4427 and CVE-2025-4428, which, when chained, allow unauthenticated remote code execution. The attacks started on May 15 and have targeted critical sectors including healthcare, finance, and telecommunications across Europe, North America, and Asia-Pacific. This is the fourth time in three years that the group has exploited Ivanti products, raising concerns about the company’s security practices in light of these ongoing vulnerabilities.
The newest Ivanti security flaws under exploit are CVE-2025-4427, an authentication bypass vulnerability, and CVE-2025-4428, a post-authentication remote code execution (RCE) vulnerability.
Based on the tactics, techniques, and procedures (TTPs) observed, EclecticIQ attributes this activity with high confidence to UNC5221, a China-nexus espionage group.
Read at The Register