Thursday, April 17, 2025

Ivanti Fully Patched Connect Secure RCE Vulnerability That Was Actively Exploited in the Wild


Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways.

Rated at a CVSS score of 9.0, this stack-based buffer overflow has been actively exploited since mid-March 2025, posing a severe risk to organizations using these VPN and access solutions.

Active Exploitation

Disclosed on April 3, 2025, the vulnerability has been exploited since mid-March, according to Mandiant.


The attacks are linked to UNC5221, a suspected Chinese state-sponsored group known for targeting edge devices, including past Ivanti zero-days like CVE-2023-46805. UNC5221 deploys malware such as Trailblaze (an in-memory dropper), Brushfire (a backdoor), and the Spawn suite for credential theft and network traversal.

They also use tools such as SPAWNSLOTH to tamper with logs and evade detection.

The flaw was patched in Ivanti Connect Secure version 22.7R2.6 on February 11, 2025. At the time it was assessed as a low-risk denial-of-service bug, because the input that triggers the overflow is restricted to a limited character set (periods and numbers).

However, UNC5221 likely reverse-engineered the patch and crafted a working RCE exploit against unpatched systems, which raised the flaw's severity.

Vulnerability Details

CVE-2025-22457 is a stack-based buffer overflow (CWE-121) that allows a remote, unauthenticated attacker to execute arbitrary code (RCE).

The flaw stems from inadequate input validation: an over-long input overflows a fixed-size buffer on the stack, allowing an attacker to run malicious code.
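To illustrate the defect class the advisory describes (CWE-121: a fixed-size stack buffer filled from input whose character set is restricted to digits and periods but whose length is never checked), here is an added example in C. It is not Ivanti's code and does not claim to reflect how the real appliance parses this field; the buffer size and the status codes are constructed for the example. The hardened version validates both length and character set before copying.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 16  /* constructed capacity of the stack buffer, terminator included */

/* Defective pattern: the character set is restricted, but the length is not.
 * Any input of digits and periods longer than FIELD_MAX-1 writes past `field`
 * on the stack (CWE-121). Kept only for contrast; never use on untrusted input. */
static int parse_dotted_unchecked(const char *input) {
    char field[FIELD_MAX];
    size_t i = 0;
    for (; input[i] != '\0'; i++) {
        if ((input[i] < '0' || input[i] > '9') && input[i] != '.')
            return -1;        /* character-set check alone does not bound the write */
        field[i] = input[i];  /* no bound check: overflows once i >= FIELD_MAX */
    }
    field[i] = '\0';
    return (int)i;
}

/* Hardened form: check length and character set before the copy, and report
 * which check failed so the caller can log the rejected request. */
typedef enum { DOTTED_OK = 0, DOTTED_EMPTY, DOTTED_TOO_LONG, DOTTED_BAD_CHAR } dotted_status;

static dotted_status parse_dotted_checked(const char *input, char *out, size_t out_len) {
    size_t n = 0;
    while (n < out_len && input[n] != '\0')  /* never scan further than we can store */
        n++;
    if (n == 0)        return DOTTED_EMPTY;
    if (n >= out_len)  return DOTTED_TOO_LONG;   /* no room left for the terminator */
    for (size_t i = 0; i < n; i++) {
        if ((input[i] < '0' || input[i] > '9') && input[i] != '.')
            return DOTTED_BAD_CHAR;
    }
    memcpy(out, input, n + 1);  /* n + 1 <= out_len, so the copy stays in bounds */
    return DOTTED_OK;
}

int main(void) {
    char buf[FIELD_MAX];
    const char *samples[] = { "22.7.2.6", "22.7R2.6", "1.1.1.1.1.1.1.1.1.1", "" };  /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> status %d\n", samples[i], parse_dotted_checked(samples[i], buf, sizeof buf));
    (void)parse_dotted_unchecked;  /* shown for contrast, deliberately not invoked here */
    return 0;
}
```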

“This advisory has been updated to make it clear the vulnerability was fully patched in Ivanti Connect Secure (released February 11, 2025)”, Ivanti said.

Ivanti reports that a small number of customers using Ivanti Connect Secure (22.7R2.5 or earlier) and Pulse Connect Secure 9.1x appliances were compromised. The remediation details are:

  • Ivanti Connect Secure: Upgrade to version 22.7R2.6, available from the Ivanti Portal. If compromised, perform a factory reset and redeploy with 22.7R2.6.
  • Pulse Connect Secure: As an unsupported product, customers must contact Ivanti to migrate to a secure platform.
  • Ivanti Policy Secure: A patch (version 22.7R1.4) will be released on April 21, 2025. No exploitation has been reported, and risk is lower as it’s not internet-facing.
  • ZTA Gateways: A patch (version 22.8R2.2) will auto-apply on April 19, 2025. Risk exists only for unconnected gateways; no exploitation has been observed.

Detection and Response

Ivanti advises running the Integrity Checker Tool (ICT) and watching for signs of compromise such as web server crashes. If compromise is detected, a factory reset and an upgrade to 22.7R2.6 are recommended. Mandiant's blog offers further indicators of compromise.

An X post by @nekono_naha revealed that 66% of 12,471 exposed Ivanti/Pulse Connect Secure servers (8,246) are vulnerable, with 50% (6,049) on pre-9.x versions, emphasizing the need for immediate action.

This marks Ivanti’s 15th entry in CISA’s Known Exploited Vulnerabilities catalog since 2024, highlighting ongoing security issues with its edge devices.

UNC5221’s involvement points to broader geopolitical concerns, as China-linked actors target infrastructure for espionage.

The delayed disclosure despite the February patch reveals vulnerability management gaps. Initially underestimated, the flaw’s exploitability gave attackers a month-long window, underscoring the need for faster threat intelligence sharing.

The active exploitation of CVE-2025-22457 underscores the persistent threats to edge devices.

As groups like UNC5221 exploit such flaws, organizations must prioritize patching and secure configurations.

Ivanti’s response mitigates risks for supported systems, but unsupported platforms remain a challenge, highlighting the need for proactive cybersecurity measures in a rapidly evolving threat landscape.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
