Critical Ivanti Connect Secure Vulnerability
Summary
On April 3, 2025, Ivanti disclosed CVE-2025-22457, which impacts Ivanti Connect Secure VPN appliances, Pulse Connect Secure (end of service), Ivanti Policy Secure, and ZTA Gateways. The vulnerability requires network access to the impacted appliances. CVE-2025-22457 is a buffer overflow vulnerability that, when properly exploited, can result in remote code execution. This is a critical-rated vulnerability that has seen some exploitation in the wild since mid-March; however, exploitation has only been observed for Ivanti Connect Secure and Pulse Connect Secure 9.1x, which is currently end of service. Early attribution points towards it being conducted primarily by the China-nexus espionage actor UNC5221, who is known for exploiting zero-days on edge appliances. Ivanti encourages anyone running an impacted version to update as soon as possible.
Affected Systems and/or Applications
Technical Details
CVE-2025-22457 is a buffer overflow vulnerability exploitable by attackers who have network access to the vulnerable appliance. The patch for it was initially released on February 11; however, at the time it was determined to be a low-risk denial of service, because the overflow is limited to a restricted character space. It has since been upgraded to a critical remote code execution. Ivanti and Mandiant have been able to identify evidence of it being exploited publicly. The exploitation so far is limited to Ivanti Connect Secure (ICS) and Pulse Connect Secure (PCS). It is important to note that PCS is currently end of service, so no patch is available, and a migration is required to protect against it. After a successful exploitation a shell script dropper has been seen, typically targeting a running /home/bin/web process. After the dropper: files are created, executed, and then cleaned up. It was found that all the behavior is non-persistent, so the dropper needs to be executed again if the process or system is rebooted.
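The initial low-risk assessment rested on the overflow using only a limited character space. The following C example is added here to illustrate the general point for defenders and code reviewers; it is a constructed illustration, not Ivanti's code and not the actual vulnerable function (whose details this advisory does not give). It assumes a hypothetical field that accepts only digits and dots, and shows that a character-set filter is no substitute for a length check against the destination buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed "limited character space" for the hypothetical field. */
#define ALLOWED "0123456789."

/* Returns 1 if every byte of src is in the allowed set, else 0. */
static int only_allowed(const char *src) {
    return src[strspn(src, ALLOWED)] == '\0';
}

/* Weak pattern (constructed): the character set is validated but dst_len is
 * never consulted, so an input made only of allowed characters that is
 * longer than dst_len still overruns dst. Returns bytes written including
 * the terminator, or 0 if a disallowed byte was found. */
size_t copy_filtered_unbounded(char *dst, size_t dst_len, const char *src) {
    (void)dst_len;                    /* the defect: the bound is ignored */
    if (!only_allowed(src)) return 0;
    size_t n = strlen(src);
    memcpy(dst, src, n + 1);          /* overruns dst when n + 1 > dst_len */
    return n + 1;
}

/* Hardened form: same character-set check plus an explicit length check
 * before any write. Returns bytes written, or 0 on rejection. */
size_t copy_filtered_bounded(char *dst, size_t dst_len, const char *src) {
    if (dst_len == 0 || !only_allowed(src)) return 0;
    size_t n = strlen(src);
    if (n + 1 > dst_len) return 0;    /* reject instead of overflowing */
    memcpy(dst, src, n + 1);
    return n + 1;
}

/* Scratch storage for the checks: deliberately larger than the 16-byte
 * bound passed in, so the weak copy can be observed without corrupting
 * real memory. */
static char scratch[64];

int main(void) {
    const char *ok = "10.0.0.1";                    /* 8 chars, fits in 16 */
    const char *oversize = "10.0.0.1.10.0.0.1.10.0.0.1"; /* 26 chars, all allowed */
    printf("weak,   short:    %zu bytes\n", copy_filtered_unbounded(scratch, 16, ok));
    printf("weak,   oversize: %zu bytes (bound was 16)\n",
           copy_filtered_unbounded(scratch, 16, oversize));
    printf("strict, oversize: %zu bytes (0 = rejected)\n",
           copy_filtered_bounded(scratch, 16, oversize));
    return 0;
}
```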
Mitigation & Recommendations
- Immediate Upgrade: Upgrade to one of the below versions, or in the case of Pulse Connect Secure, a migration is required.
- Temporary Mitigations: Restricting access to the management interface to trusted IPs is recommended, and is a best practice to follow when possible.
- Integrity Checker Tool (ICT): It is recommended to use the ICT to look for signs of compromise and, additionally, to look for server crashes. If activity is seen, reach out to Ivanti support. Additionally, a factory reset can be performed on the appliance, which is then placed back into production using version 22.7R2.6.
What the Cyber Fusion Center is Doing
The CFC will continue to monitor the situation and send an advisory update if needed. Immediate action is required to mitigate potential exploitation by applying patches, restricting access, and enhancing security monitoring. Organizations should prioritize these measures to safeguard their edge devices against potential threats.
Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.