Over 5,113 Ivanti Connect Secure VPN appliances remain unpatched and vulnerable to the active exploitation of CVE-2025-22457, a critical stack-based buffer overflow vulnerability that enables remote code execution (RCE).
The Shadowserver Foundation’s recent scans revealed widespread exposure, with devices spanning multiple countries, including the United States, Japan, China, and Australia.
This vulnerability has already been exploited in the wild by suspected nation-state actors.
"Ivanti Connect Secure CVE-2025-22457 (stack-based buffer overflow allowing for unauth RCE): we see over 5113 instances unpatched in our scan for 2025-04-06. This vulnerability has been observed exploited in the wild and is on @CISACyber KEV. World Map: https://t.co/oh7F05gwkB" (The Shadowserver Foundation, @Shadowserver, April 7, 2025)
Stack-Based Buffer Overflow Vulnerability
CVE-2025-22457 is a stack-based buffer overflow vulnerability with a CVSS score of 9.0 that affects multiple Ivanti products, including Ivanti Connect Secure (versions 22.7R2.5 and prior), Pulse Connect Secure (9.1R18.9 and prior), Ivanti Policy Secure (22.7R1.3 and prior), and ZTA Gateways (22.8R2 and prior).
The flaw allows remote, unauthenticated attackers to execute arbitrary code on vulnerable devices without requiring user interaction.
When patched on February 11, 2025, it was initially classified as a non-exploitable product bug. However, Ivanti later discovered it was “exploitable through sophisticated means,” with evidence of active exploitation dating back to mid-March 2025.
“The vulnerability is a buffer overflow with characters limited to periods and numbers; it was evaluated and determined not to be exploitable as remote code execution and didn’t meet the requirements of denial of service,” Ivanti stated in their advisory.
The summary of the vulnerability is given below:
Risk Factors and Details
Affected Products:
- Ivanti Connect Secure: 22.7R2.5 and prior
- Pulse Connect Secure: 9.1R18.9 and prior (End-of-Support as of December 31, 2024)
- Ivanti Policy Secure: 22.7R1.3 and prior
- ZTA Gateways: 22.8R2 and prior
Impact: Remote Code Execution (RCE)
Exploit Prerequisites:
- Remote, unauthenticated attack vector
- Network-based attack
- High attack complexity
- No privileges required
CVSS 3.1 Score: 9.0 (Critical)
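As an added example (not code from the article, Ivanti or CISA), the following Python script turns the affected-version ranges above into an inventory check that flags appliances still inside the "X and prior" range; the parse_version/classify/triage names and the sample hostnames are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Last vulnerable version per product, taken from the advisory summary above.
LAST_VULNERABLE: Dict[str, str] = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Pulse Connect Secure": "9.1R18.9",
    "Ivanti Policy Secure": "22.7R1.3",
    "ZTA Gateways": "22.8R2",
}
# Pulse Connect Secure is End-of-Support; CISA's guidance covers all instances.
END_OF_SUPPORT = {"Pulse Connect Secure"}

# Ivanti version strings look like 22.7R2.5 (major.minor R release [.patch]).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse an Ivanti version string into a comparable tuple; a missing patch field counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

def is_affected(product: str, version: str) -> bool:
    """True if the version falls within the 'X and prior' range listed for the product."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE[product])

def classify(product: str, version: str) -> str:
    """Map a product/version pair to the action the advisory summary implies."""
    if product in END_OF_SUPPORT:
        return "mitigate: end-of-support, no patch"
    if is_affected(product, version):
        return "vulnerable: patch or disconnect"
    return "not in affected range"

def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Return a hostname -> status map for (hostname, product, version) records."""
    return {host: classify(product, version) for host, product, version in inventory}

# Constructed sample inventory (hypothetical hostnames, not from any real scan).
SAMPLE_INVENTORY = [
    ("vpn-a.example.internal", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-b.example.internal", "Ivanti Connect Secure", "22.7R2.6"),
    ("vpn-c.example.internal", "Pulse Connect Secure", "9.1R18.9"),
    ("nac-1.example.internal", "Ivanti Policy Secure", "22.7R1.2"),
    ("zta-1.example.internal", "ZTA Gateways", "22.8R2"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:28} {status}")
```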
Nation-State Exploitation Campaign
Security researchers at Google’s Mandiant have attributed the exploitation to UNC5221, a suspected China-nexus threat actor with a history of targeting edge devices.
Following successful exploitation, researchers observed the deployment of two newly identified malware families:
TRAILBLAZE: An in-memory dropper used in the initial infection stage.
BRUSHFIRE: A passive backdoor designed for persistent access and espionage.
These tools allow attackers to maintain long-term access to compromised networks for data exfiltration and intelligence-gathering purposes. The campaign has reportedly targeted organizations across multiple countries and sectors.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-22457 to its Known Exploited Vulnerabilities Catalog, mandating federal agencies to take immediate action.
For organizations using affected products, CISA and Ivanti recommend:
Conducting threat hunting using Ivanti’s Integrity Checker Tool (ICT).
Performing a factory reset for the highest level of confidence.
Applying the available patch immediately (Ivanti Connect Secure 22.7R2.6).
Disconnecting vulnerable Policy Secure and ZTA Gateways until patches become available on April 21 and April 19, respectively.
Revoking and reissuing all certificates, keys, and passwords if compromise is detected.
“For any instances of Ivanti Connect Secure that were not updated by February 28, 2025, to the latest Ivanti patch (22.7R2.6) and all instances of Pulse Connect Secure (EoS), Policy Secure, and ZTA Gateways, CISA urges users and administrators to implement [mitigation] actions,” the agency stated.
The Shadowserver Foundation’s global scan results highlight numerous organizations that remain vulnerable despite available patches and active exploitation.
With threat actors continuing to target these devices, organizations must prioritize remediation efforts immediately to prevent unauthorized access and potential data breaches.