A critical security vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure VPN appliances has been actively exploited since mid-March 2025. The vulnerability allows remote code execution through a buffer overflow. Two new malware families, TRAILBLAZE and BRUSHFIRE, have been deployed along with the previously known SPAWN ecosystem. The suspected China-nexus espionage actor UNC5221 is believed to be behind the attacks. Post-exploitation activities include the use of a shell script dropper, deployment of various malware components, and attempts to evade detection by modifying the Integrity Checker Tool. Organizations are urged to immediately patch their systems and monitor for suspicious activity.