CISA Includes Actively Exploited Ivanti Connect Secure Vulnerability in Known Exploited Catalog

Critical Vulnerability in Ivanti Connect Secure: What You Need to Know

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a significant vulnerability, CVE-2025-22457, to its Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability affects Ivanti Connect Secure, Policy Secure, and ZTA Gateways, posing a serious threat to organizations utilizing these VPN and access solutions. As cyber threats continue to evolve, understanding this vulnerability and taking appropriate action is crucial for maintaining cybersecurity.

Understanding CVE-2025-22457

CVE-2025-22457 is classified as a stack-based buffer overflow (CWE-121) with a high Common Vulnerability Scoring System (CVSS) score of 9.0. This vulnerability allows remote unauthenticated attackers to execute arbitrary code, which can lead to severe consequences for affected systems. Specifically, it impacts several versions of Ivanti products:

  • Ivanti Connect Secure: Versions 22.7R2.5 and earlier
  • Pulse Connect Secure: Versions 9.1R18.9 and prior (End-of-Support since December 31, 2024)
  • Ivanti Policy Secure: Versions 22.7R1.3 and prior
  • ZTA Gateways: Versions 22.8R2 and prior

Ivanti has acknowledged this vulnerability and released a patch for Connect Secure (version 22.7R2.6) on February 11, 2025. Patches for Policy Secure and ZTA Gateways are scheduled for release on April 21 and April 19, respectively.

The Threat Landscape: Active Exploitation

CISA added CVE-2025-22457 to its KEV Catalog on April 4, 2025, following reports of active exploitation. The threat actor group UNC5221, known for targeting edge devices, has been linked to the exploitation of this vulnerability. They have deployed malware such as Trailblaze and Brushfire to gain persistent access and facilitate data theft.

The exploitation of this vulnerability reportedly began in mid-March 2025, shortly after UNC5221 reverse-engineered the February patch. This highlights the urgent need for organizations to update their systems promptly to mitigate potential risks.

CISA’s KEV Catalog serves as a vital resource for cybersecurity professionals, listing vulnerabilities that are actively exploited in the wild. The catalog currently contains 1,314 entries, and the inclusion of CVE-2025-22457 underscores the immediate threat it poses, with a mitigation deadline set for April 11, 2025.

Recommended Actions for Organizations

Organizations using Ivanti products must take immediate action to protect their systems from this critical vulnerability. Here are some recommended steps:

  1. Threat Hunting: Utilize Ivanti’s Integrity Checker Tool (ICT) to detect any signs of compromise, such as web server crashes. Conduct thorough threat hunts on connected systems to identify any potential breaches.

  2. Patch Management: If no compromise is detected, ensure that patches are applied as per Ivanti’s advisory. The patch for Connect Secure (22.7R2.6) is already available, while patches for Policy Secure and ZTA Gateways are forthcoming.

  3. Monitoring and Auditing: Continuously monitor authentication services and audit privileged accounts to detect any unusual activity. Consider disconnecting vulnerable devices until they are patched.

  4. Incident Response: If a compromise is confirmed, isolate affected devices immediately. Take forensic images, perform a factory reset with a clean image, and revoke and reissue all certificates, keys, and passwords, including admin and API credentials. Reset domain account passwords twice and revoke Kerberos tickets.

  5. Reporting: Report any incidents to CISA by e-mail or by phone at (888) 282-0870, as well as to Ivanti.
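As an added example (not code from CISA, Ivanti or this article), the following Python script triages an appliance inventory against the affected-version list quoted above, so an inventory owner can see at a glance which devices fall in the "and earlier" ranges, which are at the fixed Connect Secure release, and which have no patch yet. It assumes a version-string grammar of major.minor, R, release and optional patch (inferred from the versions quoted here, not from vendor documentation) and a hypothetical hostname,product,version inventory format; the sample inventory is constructed. It is a first-pass check for step 2 only: an appliance at the fixed release can still have been compromised before patching, so step 1 (the Integrity Checker Tool and a threat hunt) comes first.

```python
import re
from typing import Dict, List, Tuple

# Version strings in the advisory look like "22.7R2.5" or "22.8R2":
# major.minor, then R, then release, then an optional patch number.
# This grammar is assumed from the quoted versions, not from vendor docs.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5) and '22.8R2' into (22, 8, 2, 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


# Affected ranges are the "version X and earlier" statements above.
# "fixed" is None where the advisory gives no patch (end-of-support product,
# or patch still forthcoming at the time of writing).
AFFECTED: Dict[str, dict] = {
    "Ivanti Connect Secure": {"max_affected": "22.7R2.5", "fixed": "22.7R2.6",
                              "note": "apply 22.7R2.6 after ICT check"},
    "Pulse Connect Secure":  {"max_affected": "9.1R18.9", "fixed": None,
                              "note": "end-of-support since 2024-12-31; no patch, migrate"},
    "Ivanti Policy Secure":  {"max_affected": "22.7R1.3", "fixed": None,
                              "note": "patch forthcoming per advisory; consider disconnecting"},
    "ZTA Gateways":          {"max_affected": "22.8R2",   "fixed": None,
                              "note": "patch forthcoming per advisory; consider disconnecting"},
}


def assess(product: str, version: str) -> Tuple[str, str]:
    """Return (status, note) for one appliance.

    status is 'vulnerable', 'patched', 'unknown' or 'not-covered'.
    """
    entry = AFFECTED.get(product)
    if entry is None:
        return ("not-covered", "product not listed in the advisory")
    v = parse_version(version)
    if v <= parse_version(entry["max_affected"]):
        return ("vulnerable", entry["note"])
    if entry["fixed"] is not None and v >= parse_version(entry["fixed"]):
        return ("patched", "at or above the fixed release; still hunt for prior compromise")
    return ("unknown", "above the listed affected range; confirm against the vendor advisory")


def triage_inventory(csv_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Assess every 'hostname,product,version' line (hypothetical format).

    Returns (host, product, status, note) per appliance; blank and '#' lines are skipped.
    """
    results = []
    for line in csv_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = [f.strip() for f in line.split(",", 2)]
        status, note = assess(product, version)
        results.append((host, product, status, note))
    return results


# Constructed sample inventory; hostnames are not real devices.
SAMPLE_INVENTORY = [
    "# hostname,product,version",
    "vpn-edge-01,Ivanti Connect Secure,22.7R2.5",
    "vpn-edge-02,Ivanti Connect Secure,22.7R2.6",
    "nac-01,Ivanti Policy Secure,22.7R1.3",
    "zta-gw-01,ZTA Gateways,22.8R2",
    "legacy-vpn,Pulse Connect Secure,9.1R18.9",
]

if __name__ == "__main__":
    for host, product, status, note in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {product:24} {status:11} {note}")
```

Tuple comparison is what makes this correct for version strings: comparing "22.7R2.10" to "22.7R2.6" as text would wrongly rank the patched build below the fix, while the parsed tuples order it correctly. Any version above an "and earlier" bound for a product with no published fix is reported as unknown rather than safe, which is the conservative reading of the advisory.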

Conclusion

CVE-2025-22457’s addition to CISA’s KEV Catalog highlights the urgent need for organizations to address this critical vulnerability. With patches available for Connect Secure and forthcoming for other Ivanti products, organizations must act swiftly to mitigate risks posed by sophisticated threat actors like UNC5221. CISA’s guidance, combined with Ivanti’s updates, provides a clear path for securing systems and preventing further exploitation in an increasingly challenging cyber landscape.

As cyber threats continue to evolve, staying informed and proactive is essential for safeguarding organizational assets and data. Organizations should prioritize vulnerability management and ensure that their cybersecurity measures are robust and up to date.
