A detailed technical analysis has been published regarding CVE-2025-22457, an unauthenticated remote code execution (RCE) vulnerability impacting several Ivanti products.
The vulnerability was recently exploited in the wild by a suspected China-nexus threat actor, affecting Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways.
The vulnerability exists in the HTTP(S) web server binary (/home/bin/web) and involves a stack-based buffer overflow when processing an X-Forwarded-For header.
Rapid7’s security researchers were able to develop a working remote code execution exploit in approximately four business days.
The vulnerability’s exploitation is particularly interesting due to its complexity.
In the vulnerable function, a fixed 50-byte stack buffer is used to store the header value, but no proper length check is performed before writing into it.
The function only counts characters that are digits or periods, creating a unique exploitation constraint where attackers can only use the characters 0-9 and “.” in the overflow payload.
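The bug class described above, as an added illustration that is not Ivanti's code and not the analysis's own snippet: a constructed digit-and-period filter copying into a fixed 50-byte buffer, shown in its unbounded form and beside a bounded form that refuses any header that would not fit. The function names, the `XFF_BUF` constant and the sample header are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed illustration, not Ivanti's code. Buffer size taken from the
 * analysis: a fixed 50-byte buffer holds the filtered header value. */
#define XFF_BUF 50

/* Vulnerable pattern: accepted characters are counted, but the count is
 * never compared against the buffer size, so a long header writes past
 * out[XFF_BUF - 1] on the stack. Never call this with untrusted input. */
void xff_copy_unbounded(const char *hdr, char out[XFF_BUF])
{
    size_t n = 0;
    for (; *hdr; hdr++) {
        if (isdigit((unsigned char)*hdr) || *hdr == '.')
            out[n++] = *hdr;       /* no bound: overflows on long input */
    }
    out[n] = '\0';
}

/* Hardened form: same filter, but the copy is bounded by the caller-supplied
 * buffer size (terminator included). Returns the number of characters kept,
 * or -1 when the header would not fit and must be rejected. */
int xff_copy_bounded(const char *hdr, char *out, size_t out_len)
{
    size_t n = 0;
    if (out == NULL || out_len == 0)
        return -1;
    for (; *hdr; hdr++) {
        if (!(isdigit((unsigned char)*hdr) || *hdr == '.'))
            continue;              /* letters, spaces, commas are dropped */
        if (n + 1 >= out_len)
            return -1;             /* would overflow: refuse the header */
        out[n++] = *hdr;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* constructed sample header value */
    const char *sample = "10.0.0.1, 192.168.1.5";
    char buf[XFF_BUF];
    int kept = xff_copy_bounded(sample, buf, sizeof buf);
    printf("kept=%d value=%s\n", kept, kept < 0 ? "(rejected)" : buf);
    return 0;
}
```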
Exploitation Technique
Researchers overcame this limitation through a sophisticated heap spray technique that:
Forces the target to allocate large amounts of attacker-controlled memory (~2.3GB) via the IF-T/TLS transport mechanism.
Consumes address space to force heap allocations at predictable low addresses (e.g., 0x39393930).
Overwrites a context variable pointer to redirect to the attacker-controlled heap memory.
The exploit then takes advantage of a series of pointer dereferences to achieve arbitrary code execution through a Return-Oriented Programming (ROP) chain, executing shell commands via the vulnerable application.
The exploit bypasses Address Space Layout Randomization (ASLR) through a brute-force approach, leveraging the fact that the target system only uses 9 bits of entropy. This means a successful attack can be achieved in approximately 512 attempts or fewer.
Patches Released
Ivanti released patches for Ivanti Connect Secure (version 22.7R2.6) on February 11, 2025. Patches for Ivanti Policy Secure (22.7R1.4) and ZTA Gateways (22.8R2.2) are scheduled for release on April 21 and April 19, 2025, respectively.
Pulse Connect Secure has reached end-of-support, and users are advised to migrate to the latest version of Ivanti Connect Secure.
This disclosure highlights an alarming asymmetry between threat actors’ capabilities and vendors’ security assessment processes.
State-sponsored actors are actively reverse-engineering patches for high-profile software, identifying silently patched vulnerabilities, and developing complex exploits against them.
Organizations using affected Ivanti products should apply patches immediately or implement recommended mitigations while awaiting patches.
A proof-of-concept exploit has been published on GitHub, making immediate remediation critical for vulnerable systems.