Response Strategy for Ivanti VPN Vulnerability CVE-2025-22457: CTI-Based Attack Surface Detection

Ivanti has released a patch for a critical vulnerability identified as CVE-2025-22457, which affects several of its remote-access products: Ivanti Connect Secure, the end-of-support Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways. The flaw is a stack-based buffer overflow that can lead to unauthenticated remote code execution (RCE) and carries a CVSS score of 9.0. According to Mandiant and the Google Threat Intelligence Group (GTIG), it has been actively exploited since mid-March 2025 by UNC5221, a suspected China-nexus espionage group, which further amplifies the risk. This post examines the affected versions, the potential impact, and CTI-driven strategies for finding exposed appliances and defending against exploitation of this flaw.

Overview of VPN Vulnerability CVE-2025-22457

CVE-2025-22457 is a stack-based buffer overflow affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways (and the end-of-support Pulse Connect Secure). An unauthenticated attacker can trigger it with a single crafted HTTP request carrying an overly long X-Forwarded-For header; the overflow corrupts the stack and can be turned into remote code execution (RCE). Ivanti published the advisory on April 3, 2025, by which time UNC5221 had reportedly already used the bug to deploy malware on compromised appliances.
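The only request-level detail the advisory gives is the over-long X-Forwarded-For header, which is enough to build a first-line check at a reverse proxy, WAF, or log pipeline in front of the appliance. The following Python is an added example and not code from Ivanti or from this post; the length and hop thresholds are assumptions (the advisory does not publish the size of the overflowed buffer), and the two sample requests are constructed, not captured traffic.

```python
import ipaddress
from typing import Dict, List, Tuple

# Policy thresholds are assumptions for this example: the advisory does not
# publish the size of the overflowed stack buffer, so the checks flag anything
# far outside what a legitimate proxy chain produces rather than an exact size.
MAX_XFF_LEN = 256   # bytes, whole header value
MAX_XFF_HOPS = 8    # comma-separated entries


def parse_request(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP/1.x request into its request line and a header map.

    Header names are lower-cased; repeated headers are kept as a list so that
    duplicate X-Forwarded-For headers are detected rather than silently merged.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # ignore malformed header lines
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def inspect_xff(raw: bytes) -> List[str]:
    """Return findings for an abusive X-Forwarded-For header; an empty list means clean."""
    _, headers = parse_request(raw)
    findings: List[str] = []
    values = headers.get("x-forwarded-for", [])
    if len(values) > 1:
        findings.append(f"{len(values)} X-Forwarded-For headers in one request")
    for value in values:
        if len(value) > MAX_XFF_LEN:
            findings.append(f"X-Forwarded-For value is {len(value)} bytes (limit {MAX_XFF_LEN})")
        hops = [h.strip() for h in value.split(",")]
        if len(hops) > MAX_XFF_HOPS:
            findings.append(f"{len(hops)} proxy hops (limit {MAX_XFF_HOPS})")
        bad = []
        for hop in hops:
            try:
                ipaddress.ip_address(hop)  # every hop must be a literal IPv4/IPv6 address
            except ValueError:
                bad.append(hop)
        if bad:
            findings.append(f"{len(bad)} X-Forwarded-For entries are not IP addresses")
    return findings


# Constructed sample traffic (not captured from a real appliance).
BENIGN = (
    b"GET / HTTP/1.1\r\n"
    b"Host: vpn.example.com\r\n"
    b"X-Forwarded-For: 203.0.113.10, 198.51.100.7\r\n"
    b"\r\n"
)
# The known trigger is an overly long header value; the repeated digits-and-dots
# string below stands in for attacker padding and is not a real exploit payload.
OVERSIZED = (
    b"GET / HTTP/1.1\r\n"
    + b"Host: vpn.example.com\r\n"
    + b"X-Forwarded-For: " + b"1.0" * 300 + b"\r\n"
    + b"\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, inspect_xff(req) or "clean")
```

A check like this does not replace the patch: it only rejects the obvious shape of the trigger at a layer the attacker does not control, and it should be paired with alerting on appliance web-server crashes, which are the other observable side effect of exploitation attempts.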

The bug was first fixed in Ivanti Connect Secure 22.7R2.6, released in February 2025. At the time it was assessed as a low-risk denial-of-service (DoS) issue and shipped as an ordinary product fix rather than a security advisory. Threat actors later diffed the patched and unpatched builds, worked out that the overflow was exploitable for code execution, and weaponized it; only then did Ivanti disclose it as CVE-2025-22457. Shortly after publication, CISA (Cybersecurity and Infrastructure Security Agency) added the CVE to its Known Exploited Vulnerabilities (KEV) catalog and called for immediate action.

A fixed build for Connect Secure (22.7R2.6) is already available, while updates for Policy Secure and ZTA Gateways are scheduled for release on April 19 and April 20, respectively. Until the fix is installed, Ivanti advises customers to monitor the external Integrity Checker Tool (ICT) output and to treat web-server crashes on the appliance as a possible sign of exploitation attempts. Organizations running vulnerable Ivanti devices are therefore strongly advised to apply the patch immediately and to continuously monitor their external attack surface.

Affected Versions

  • Ivanti Connect Secure: 22.7R2.5 and earlier
  • Pulse Connect Secure (EoS): 9.1R18.9 and earlier
  • Ivanti Policy Secure: 22.7R1.3 and earlier
  • ZTA Gateways: 22.8R2 and earlier
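Ivanti builds are written as major.minorRrelease.patch (for example 22.7R2.5), so "22.7R2.5 and earlier" cannot be evaluated with a plain string comparison. The Python below is an added example, not Ivanti's or this post's code: it parses that format and classifies an inventory against the list above. The hostnames and builds in the inventory are invented for the example, and "newer-than-affected" only means the build is past the last affected one listed here, not that the fixed build (22.7R2.6 for Connect Secure) has been confirmed on the host.

```python
import re
from typing import Dict, Iterable, Tuple

VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

# Last affected build per product, taken from the list above.
LAST_AFFECTED = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Pulse Connect Secure": "9.1R18.9",
    "Ivanti Policy Secure": "22.7R1.3",
    "ZTA Gateways": "22.8R2",
}
# Pulse Connect Secure is end-of-support: no fixed build will ever exist for it.
END_OF_SUPPORT = {"Pulse Connect Secure"}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch field ('22.8R2') reads as 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def assess(product: str, version: str) -> str:
    """Classify one appliance as 'vulnerable', 'end-of-support',
    'newer-than-affected' or 'unknown-product'."""
    if product not in LAST_AFFECTED:
        return "unknown-product"
    if product in END_OF_SUPPORT:
        # Every build is in the affected range and none will be fixed: migrate.
        return "end-of-support"
    if parse_version(version) <= parse_version(LAST_AFFECTED[product]):
        return "vulnerable"
    return "newer-than-affected"


def report(inventory: Iterable[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map hostname -> classification for (host, product, build) records."""
    return {host: assess(product, build) for host, product, build in inventory}


# Constructed inventory; hostnames and builds are invented for this example.
INVENTORY = [
    ("vpn-a.example.com", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-b.example.com", "Ivanti Connect Secure", "22.7R2.6"),
    ("legacy-vpn.example.com", "Pulse Connect Secure", "9.1R18.9"),
    ("nac.example.com", "Ivanti Policy Secure", "22.7R1.3"),
    ("zta-gw.example.com", "ZTA Gateways", "22.8R2"),
]

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:25} {status}")
```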

Security Threats from CVE-2025-22457

Exploitation of this vulnerability could lead to severe consequences:

  • Remote Code Execution (RCE) Without Authentication
    • An attacker can execute arbitrary code on the server using only a malicious HTTP request, without authentication.
    • The compromised appliance itself can be used to host and run attacker malware; UNC5221 has been reported dropping backdoors on exploited devices.
  • Deployment of Custom Backdoors and Rootkits
    • The Chinese APT group UNC5221 has a known history of deploying backdoors for purposes such as log manipulation, data exfiltration, and the insertion of additional malware.
  • Expansion of the Attack Surface
    • Externally exposed Ivanti devices can be used as entry points for lateral movement within internal networks, credential theft, and data breaches.
  • Threat to Zero Trust Models
    • Even ZTA Gateways, the enforcement point of a Zero Trust deployment, are affected. A Zero Trust architecture does not protect the gateway that implements it: the gateway is still an internet-facing service that must be patched like any other.
  • Persistent Exposure Due to Patch Delays
    • The fix shipped in February as a routine bug fix, and attackers reverse-engineered it into a working RCE exploit before the issue was publicly identified as a security vulnerability; anyone who had not yet installed 22.7R2.6 was exposed during that window.
    • Systems that are not promptly patched or monitored remain under continuous threat.

Given the severity of the potential impact, users must promptly apply patches and continuously monitor their attack surface to mitigate the risks associated with CVE-2025-22457.

CTI-Based Attack Surface Monitoring: Exposed Ivanti Connect Secure Detection

Publicly accessible Ivanti Connect Secure devices can be quickly identified using Criminal IP Asset Search.

Criminal IP Search Query: title: “Pulse Connect Secure”

Search result for title: “Pulse Connect Secure” on Criminal IP Asset Search

As of April 15, 2025, a total of 1,350 Pulse Connect Secure instances were found exposed to the internet. Pulse Connect Secure is not only affected by CVE-2025-22457; it has also reached end of support from Ivanti, so no fixed build will be released for it. It is therefore critical to migrate to the latest version of Ivanti Connect Secure as soon as possible. Continuing to run an unsupported version means that no patches will be provided for newly discovered vulnerabilities either, which significantly increases the likelihood of the security threats described above.

Criminal IP Search Query: title: “Ivanti Connect Secure”

Search result for title: “Ivanti Connect Secure” on Criminal IP Asset Search

As of April 15, 2025, more than 190,000 Ivanti Connect Secure instances were exposed to the internet. Since it is a VPN solution, a large number of Ivanti devices are expected to be publicly accessible by design; exposure alone is not a finding. However, many of the IPs associated with these devices were also matched against multiple vulnerabilities, and in one case a single IP was matched with as many as 132 CVEs. CVE counts of this kind are inferred from detected software versions and banners rather than verified on the host, but a count that high indicates that patching has been neglected for a long time and, from an attacker's perspective, offers many alternative entry points even if CVE-2025-22457 itself has been fixed.

An IP address with 132 detected vulnerabilities is connected to Ivanti Connect Secure
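Once the two title searches above have been run, the practical problem is turning their output into a work list: the same host can appear under both titles (the product was renamed from Pulse to Ivanti), the Pulse hosts need migration rather than a patch, and banner-matched CVE counts are a priority signal rather than confirmed findings. The Python below is an added example and not Criminal IP's code or API; the records are constructed in the shape one would export from an asset-search tool, using documentation IP ranges, and the 22.7R2.6 check in the action text refers to the Connect Secure fix named earlier in this post.

```python
from typing import Dict, List, Optional

# Constructed records (ip, page title, number of CVEs the tool matched against
# the detected banner). Documentation IPs only; nothing here is a real result.
SEARCH_RESULTS = [
    {"ip": "203.0.113.5",  "title": "Ivanti Connect Secure", "cve_count": 132},
    {"ip": "203.0.113.9",  "title": "Pulse Connect Secure",  "cve_count": 17},
    {"ip": "198.51.100.2", "title": "Ivanti Connect Secure", "cve_count": 0},
    {"ip": "203.0.113.5",  "title": "Pulse Connect Secure",  "cve_count": 132},  # same host, second query
    {"ip": "198.51.100.8", "title": "Some Other Portal",     "cve_count": 3},
]

PRODUCT_TITLES = {
    "pulse connect secure": "Pulse Connect Secure",
    "ivanti connect secure": "Ivanti Connect Secure",
}
END_OF_SUPPORT = {"Pulse Connect Secure"}


def product_from_title(title: str) -> Optional[str]:
    """Map a login-page title to a product name, or None if it is not one we track."""
    lowered = title.lower()
    for needle, product in PRODUCT_TITLES.items():
        if needle in lowered:
            return product
    return None


def triage(records: List[Dict]) -> List[Dict]:
    """Deduplicate hosts seen across queries and rank them for follow-up:
    end-of-support products first, then by banner-matched CVE count."""
    by_ip: Dict[str, Dict] = {}
    for rec in records:
        product = product_from_title(rec["title"])
        if product is None:
            continue  # not an Ivanti/Pulse login page; out of scope for this list
        entry = by_ip.setdefault(rec["ip"], {"ip": rec["ip"], "products": set(), "cve_count": 0})
        entry["products"].add(product)
        entry["cve_count"] = max(entry["cve_count"], rec["cve_count"])

    work_list = []
    for entry in by_ip.values():
        eos = bool(entry["products"] & END_OF_SUPPORT)
        # Banner-matched CVE counts are version inferences, not confirmed findings:
        # they set the order of verification, they do not replace it.
        work_list.append({
            "ip": entry["ip"],
            "products": sorted(entry["products"]),
            "end_of_support": eos,
            "cve_count": entry["cve_count"],
            "action": "migrate to a supported Ivanti Connect Secure build"
                      if eos else "confirm build is 22.7R2.6 or later, then run ICT",
        })
    work_list.sort(key=lambda e: (not e["end_of_support"], -e["cve_count"], e["ip"]))
    return work_list


if __name__ == "__main__":
    for item in triage(SEARCH_RESULTS):
        print(item["ip"], item["products"], item["cve_count"], "->", item["action"])
```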

FAQ

Q1. Why are Ivanti Connect Secure devices exposed in a vulnerable state?

Ivanti Connect Secure is an SSL VPN solution, so its user-facing login page is connected to the internet by design. However, if access restrictions for management or API ports are omitted after installation, or if DMZ firewall policies are misconfigured, the administrative portal can also become reachable from the internet. In addition, continuing to run end-of-support devices such as Pulse Connect Secure leaves them permanently in a vulnerable state, because no further security updates are provided for newly discovered vulnerabilities. Because of these technical and operational factors, Ivanti Connect Secure devices end up exposed to the internet in a vulnerable condition.

Q2. How can organizations prevent the exploitation of this vulnerability?

Preventive measures should combine technical controls with operational practice. Because the appliance sits at the enterprise boundary as the remote-access gateway, a successful exploit can turn into a full-scale breach rather than an isolated host compromise.

Key mitigation strategies include:

  1. Applying the latest security patches (22.7R2.6 or later for Connect Secure; the scheduled builds for Policy Secure and ZTA Gateways as soon as they ship)
  2. Minimizing the exposed attack surface (ASM): only the user login interface should be internet-reachable, never the management or API ports
  3. Regular integrity checks with Ivanti's Integrity Checker Tool (ICT), and a factory reset with a clean image if it reports signs of compromise
  4. Real-time monitoring integrated with Threat Intelligence (TI), including alerting on appliance web-server crashes
  5. Strengthening authentication and access control
  6. Automating asset discovery and vulnerability scanning so that forgotten or end-of-support appliances are found before attackers find them

Conclusion

The Ivanti VPN vulnerability CVE-2025-22457 is a critical security issue that can threaten an entire enterprise network. Because these devices exist to provide remote access, even a single missed patch makes them a target for APT groups. Among Ivanti devices exposed to the internet there were hosts matched with more than 100 CVEs, and if such hosts are left unaddressed, attackers can use them to bypass authentication, plant malware, and move into internal networks, causing widespread organizational damage. Organizations must therefore respond proactively: apply the patch immediately, manage the attack surface, run ICT integrity checks, detect threats with CTI, identify exposed assets, and strengthen access controls. In particular, organizations still running end-of-support (EoS) products such as Pulse Connect Secure should urgently migrate to the latest version of Ivanti Connect Secure.

In relation to this, you can refer to Next.js Middleware Vulnerability Allows Authentication Bypass: Over 520K Assets at Risk.


Source: Criminal IP (https://www.criminalip.io/), Ivanti (https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US), NIST (https://nvd.nist.gov/vuln/detail/CVE-2025-22457), Bleeping Computer (https://www.bleepingcomputer.com/news/security/ivanti-patches-connect-secure-zero-day-exploited-since-mid-march/), CISA (https://www.cisa.gov/news-events/alerts/2025/04/04/ivanti-releases-security-updates-connect-secure-policy-secure-zta-gateways-vulnerability-cve-2025)
