APT-C-16 exploited Ivanti Connect Secure zero-day since mid-February

Thursday 3rd of April 2025 19:37:57

China-Linked Group UNC5221 Exploited Ivanti Connect Secure Zero-Day Since Mid-March

A China-linked advanced persistent threat (APT) group tracked as UNC5221 has been exploiting a zero-day vulnerability in Ivanti Connect Secure since mid-March, security researchers have revealed.

According to a report by security firm Volexity, UNC5221 has been actively exploiting the zero-day flaw in Ivanti Connect Secure, a remote access solution used by organizations worldwide. The vulnerability, tracked as CVE-2023-27346, is a remote code execution (RCE) flaw that allows an attacker to run code on an affected appliance.

The researchers found that UNC5221 has been exploiting the vulnerability since March 15, 2025, most likely to gain initial access to targeted networks. The group is known for its sophisticated tactics, techniques, and procedures (TTPs) and has previously been linked to espionage and intellectual property theft operations.

Ivanti Connect Secure is a remote access (VPN) appliance that organizations deploy at the network edge to give users secure access to internal networks and systems. The vulnerability lies in the component that handles remote access connections between clients and the appliance, which means it is reachable from the internet on exposed devices.

The exploitation of this zero-day by UNC5221 underscores the importance of timely vulnerability disclosure and patching. Organizations that have not yet applied the fix are strongly advised to do so as soon as possible and to review their appliances for signs of compromise, since patching alone does not remove an attacker who gained access before the fix was applied.

UNC5221 is known for targeting organizations in the technology, finance, and government sectors. The group is believed to operate from China and has been linked to several high-profile cyber espionage campaigns in the past.

The incident is also a reminder of the value of proactive threat hunting and vulnerability management for internet-facing appliances. Organizations should prioritize the security posture of edge devices such as VPN gateways, which are frequently targeted for initial access, and take steps to detect and prevent attacks like this before they succeed.