Thousands of Ivanti VPNs are at risk due to a critical flaw being exploited.
In a recent development, Ivanti has released a patch to address a critical stack-based buffer overflow vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure and other related products. This vulnerability, discovered in February 2025, allows arbitrary code execution and poses a significant risk to organisations using affected versions of Ivanti products.
Ivanti strongly advises affected organisations to apply the February 2025 updates or later versions of their Ivanti products to mitigate this vulnerability. Upgrading to the latest supported product versions is also recommended, as older versions, including some Pulse Connect Secure versions, remain vulnerable.
The patch deployment should be carried out in accordance with Ivanti’s specific remediation instructions. The vulnerability has been actively exploited in the wild by threat actors deploying advanced malware and post-exploitation tools. As such, organisations should monitor for indicators of compromise such as unusual DLL side-loading, in-memory Cobalt Strike payloads, and anomalous network scanning activities associated with this vulnerability’s exploitation.
In addition to patching, organisations are encouraged to implement enhanced monitoring to detect exploitation attempts and to prevent lateral movement within their networks. Verifying that patches have actually been deployed, and minimising the attack surface by disabling unneeded services or interfaces, is also advised.
It is important to note that CVE-2025-22457 has only been exploited against Ivanti Connect Secure VPN devices, according to Ivanti and Mandiant. However, the vulnerability also affects other products like Pulse Connect Secure, Ivanti Policy Secure, and ZTA gateways.
Ivanti has released a patch for Ivanti Connect Secure in version 22.7R2.6, but many affected devices are older Pulse Connect Secure 9.x appliances for which no patch is available. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-22457 to its Known Exploited Vulnerabilities catalog.
As of April 6, Shadowserver found 5,113 vulnerable Ivanti Connect Secure instances, with the majority located in the U.S., Japan, and China. There has been a slight drop in vulnerable devices to 5,027 as of Monday, according to Shadowserver. A patch for Ivanti ZTA Gateways is scheduled to be released on April 19.
Ivanti cannot guide customers to stay on an unsupported version of Pulse Connect Secure; customers must migrate to a secure platform. Organisations are reminded to consult Ivanti’s official support channels and security advisories for precise patch files or detailed remediation guides.
The risk of exploitation against Ivanti Policy Secure is greatly reduced because it is not intended to be internet-facing. Ivanti ZTA Gateways are not vulnerable to CVE-2025-22457 while in production; however, if a ZTA Gateway is generated and left unconnected to a ZTA controller, it may be at risk of exploitation. Mandiant later identified exploitation activity for CVE-2025-22457 by China-nexus actors achieving remote code execution on vulnerable VPNs.
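To make the version guidance above actionable, here is an added example (not from Ivanti, Mandiant, or the original article) that triages a constructed appliance inventory against the patched Connect Secure build 22.7R2.6 named above. The version-string layout it parses, the hostnames, and the status wording are assumptions of this example; for products other than Connect Secure it only encodes the statements made above, so treat its output as a starting point for checking against Ivanti's own advisory.

```python
import re

# Patched Ivanti Connect Secure build named in the summary above.
PATCHED_ICS = "22.7R2.6"

# Version strings such as 22.7R2.6 or 9.1R18.9: <major>.<minor>R<release>[.<patch>].
# This layout is an assumption inferred from the version shown above.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn an Ivanti-style version string into a tuple that compares numerically."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(product: str, version: str) -> str:
    """Classify one appliance according to the guidance above.

    The status strings are this example's own wording, not Ivanti's.
    """
    parsed = parse_version(version)
    if product == "Ivanti Connect Secure":
        if parsed >= parse_version(PATCHED_ICS):
            return "patched"
        return f"vulnerable: upgrade to {PATCHED_ICS} or later"
    if product == "Pulse Connect Secure" and parsed[0] == 9:
        return "unsupported: no patch available, migrate to a supported platform"
    if product == "Ivanti ZTA Gateway":
        return "patch pending: confirm the gateway is connected to a ZTA controller"
    if product == "Ivanti Policy Secure":
        return "lower risk (not internet-facing): apply the vendor fix per the advisory"
    return "unknown product: consult the Ivanti advisory"


def triage(inventory):
    """Return {hostname: status}, with hosts that still need action listed first."""
    results = {host: assess(product, version) for host, product, version in inventory}
    return dict(sorted(results.items(), key=lambda kv: kv[1] == "patched"))


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("vpn-east.example.internal", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-west.example.internal", "Ivanti Connect Secure", "22.7R2.6"),
    ("legacy-pcs.example.internal", "Pulse Connect Secure", "9.1R18.9"),
    ("zta-gw-01.example.internal", "Ivanti ZTA Gateway", "22.7R2.5"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:32} {status}")
```

The comparison is purely numeric on the parsed tuple, so a build such as 22.7R1.12 sorts below 22.7R2.6 even though its last component is larger; that is the reason for parsing rather than comparing strings.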
In conclusion, prompt patching using Ivanti’s February 2025 security updates and maintaining current product versions is essential, while also adopting enhanced monitoring to detect exploitation attempts and prevent lateral movement within your network. Staying on the latest version with all security updates is crucial to remain protected.
- Given the recent vulnerability, CVE-2025-22457, discovered in Ivanti Connect Secure and other related products in February 2025, organisations should promptly apply the February 2025 updates or later versions to mitigate the risk of arbitrary code execution.
- An organisation's cybersecurity strategy should not only focus on patching but also on implementing enhanced monitoring to detect exploitation attempts and prevent lateral movement within its networks, as the vulnerability has been actively exploited in the wild.
- As CVE-2025-22457 affects not only Ivanti Connect Secure but also other Ivanti products such as Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways, it is essential to review and update all affected technologies.