In April 2025, Ivanti disclosed a critical vulnerability—CVE-2025-22457—affecting multiple enterprise security products, including Ivanti Connect Secure, Policy Secure, and ZTA Gateway. With a CVSS score of 9.0, this high-severity vulnerability has been observed under active exploitation in the wild.
Overview of CVE-2025-22457
CVE-2025-22457 is a stack-based buffer overflow vulnerability that allows unauthenticated attackers to perform remote code execution. This vulnerability could give threat actors the ability to compromise entire systems, exfiltrate sensitive data, and disable security services.
Affected Products
- Ivanti Connect Secure: Versions up to 22.7R2.5
- Ivanti Policy Secure: Versions up to 22.7R1.3
- ZTA Gateways: Versions up to 22.8R2
- Pulse Connect Secure (EoL): Versions up to 9.1R18.9
Ivanti released a patch for Connect Secure on February 11, 2025 (version 22.7R2.6). Patches for ZTA Gateways and Policy Secure are scheduled for April 19 and April 21, 2025, respectively (source).
Exploitation in the Wild
The vulnerability has been actively exploited by a threat actor group known as UNC5221. Their campaign utilizes a custom malware toolkit including components named TRAILBLAZE, BRUSHFIRE, and SPAWN, enabling persistence and covert control of compromised systems (source).
These components allow attackers to maintain long-term unauthorized access, steal credentials, and potentially pivot deeper into enterprise networks.
Recommended Mitigation Steps
To reduce exposure and defend against active exploitation, Ivanti and cybersecurity authorities recommend the following:
1. Patch Immediately
Upgrade to fixed versions:
- Connect Secure: 22.7R2.6 or later
- ZTA Gateway: Apply the patch upon its release (April 19, 2025)
- Policy Secure: Patch as soon as the update is released (April 21, 2025)
Stay current via Ivanti’s official advisory page.
2. Scan for Indicators of Compromise
Use Ivanti’s Integrity Checker Tool (ICT) to assess whether any compromise has occurred. If so, perform a factory resetand redeploy systems only after full remediation (CISA alert).
3. Restrict Interface Access
Limit access to administration panels and management interfaces to trusted internal networks. Avoid exposing these interfaces to the internet.
4. Monitor Network Traffic
Implement behavioral detection tools and log analysis to spot suspicious activity related to lateral movement or malware deployment.
5. Reset Credentials and Certificates
Revoke and reissue:
- Administrator passwords
- VPN session tokens
- Certificates and API keys
This is essential if compromise is detected or suspected (CISA guidance).
Broader Context: A Pattern of Ivanti Vulnerabilities
This vulnerability follows closely after the discovery of CVE-2024-21893, a server-side request forgery (SSRF) in the SAML component of Ivanti’s products. CVE-2024-21893 allowed unauthenticated attackers to access internal resources and deploy web shells, showcasing a recurring security challenge within the Ivanti ecosystem.
Final Thoughts
CVE-2025-22457 underscores the ongoing importance of timely patching, layered defense, and vigilant system monitoring. Organizations relying on Ivanti’s security infrastructure must treat this vulnerability as a critical priority, especially in light of confirmed in-the-wild exploitation. By acting quickly and decisively, administrators can mitigate risk and protect their networks from further compromise.
