Ivanti Connect Secure RCE Vulnerability Actively Exploited in the Wild – Apply Patch Now!

Ivanti has disclosed a critical vulnerability, CVE-2025-22457, affecting its Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways products that are actively exploited in the wild.

This stack-based buffer overflow flaw, with a CVSS score of 9.0, has been actively exploited since mid-March 2025, posing significant risks to organizations using these VPN and network access solutions.

CVE-2025-22457 is a stack-based buffer overflow (CWE-121) that allows a remote, unauthenticated attacker to achieve remote code execution (RCE).

The flaw arises from improper input validation, enabling attackers to overflow the buffer and execute arbitrary code.

• Ivanti Connect Secure: Versions 22.7R2.5 and earlier.
• Pulse Connect Secure: Versions 9.1R18.9 and prior (End-of-Support as of December 31, 2024).
• Ivanti Policy Secure: Versions 22.7R1.3 and prior.
• ZTA Gateways: Versions 22.8R2 and prior.

“This advisory has been updated to make it clear the vulnerability was fully patched in Ivanti Connect Secure” Ivanti Said.

CVE-2025-22457 Exploitation in the Wild

Ivanti disclosed the vulnerability on April 3, 2025, but Mandiant reports exploitation by UNC5221, a suspected Chinese state-sponsored group, since mid-March. UNC5221, known for targeting edge devices, has previously exploited Ivanti zero-days like CVE-2023-46805.

Attackers use CVE-2025-22457 to deploy malware such as Trailblaze (an in-memory dropper), Brushfire (a passive backdoor), and the Spawn suite for credential theft and lateral movement. Post-exploitation, they tamper with logs using tools like SPAWNSLOTH to evade detection.

The vulnerability was patched in Ivanti Connect Secure version 22.7R2.6 on February 11, 2025, initially considered a low-risk denial-of-service issue due to its limited character set (periods and numbers).

However, UNC5221 likely reverse-engineered the patch, developing an RCE exploit for unpatched systems, escalating its severity.

Affected Systems and Patch Availability

Ivanti confirmed that a limited number of customers running Ivanti Connect Secure (22.7R2.5 or earlier) and Pulse Connect Secure 9.1x appliances were compromised. Details include:

• Ivanti Connect Secure: Upgrade to version 22.7R2.6, available at Ivanti’s portal. If compromised, perform a factory reset and redeploy with 22.7R2.6.
• Pulse Connect Secure: Contact Ivanti to migrate, as this product is unsupported since December 31, 2024.
• Ivanti Policy Secure: A patch (version 22.7R1.4) will be available on April 21, 2025. No exploitation has been observed, and risk is reduced as it’s not internet-facing.
• ZTA Gateways: A patch (version 22.8R2.2) will auto-apply on April 19, 2025. Risk exists only for unconnected gateways; no exploitation has been reported.

Detection and Mitigation

Ivanti recommends monitoring the Integrity Checker Tool (ICT) for signs of compromise, such as web server crashes. If detected, a factory reset and upgrade to 22.7R2.6 are advised. Mandiant’s blog provides additional indicators of compromise. A post on X by

@nekono_naha on April 4, 2025, noted that of 12,471 exposed Ivanti/Pulse Connect Secure servers, 66% (8,246) are vulnerable, with 50% (6,049) on pre-9.x versions, highlighting the urgency of patching.

This incident marks Ivanti’s 15th appearance in CISA’s Known Exploited Vulnerabilities catalog since 2024, signaling systemic security challenges with its edge devices.

UNC5221’s involvement underscores the geopolitical stakes, as China-linked actors increasingly target infrastructure for espionage. The delayed disclosure despite the February patch reveals gaps in vulnerability management.

Initially underestimated as a low-risk issue, the flaw’s exploitability allowed attackers a month-long window before public disclosure, emphasizing the need for faster threat intelligence sharing.

Recommendations for Organizations

Organizations should act swiftly:

1. Patch Immediately: Upgrade to Ivanti Connect Secure 22.7R2.6 or migrate from Pulse Connect Secure.
2. Monitor for Compromise: Use ICT to detect exploitation and reset if needed.
3. Limit Exposure: Ensure Policy Secure and ZTA Gateways are not internet-facing.
4. Enhance Monitoring: Watch for unusual activity like outbound connections or log tampering.
5. Stay Informed: Check Ivanti’s advisory and Mandiant’s blog for updates.

The exploitation of CVE-2025-22457 highlights the persistent threats to network edge devices. As state-sponsored actors like UNC5221 target such vulnerabilities, organizations must prioritize timely patching and secure deployment.

Ivanti’s response addresses supported versions, but legacy systems remain a challenge, underscoring the need for robust cybersecurity practices in an evolving threat landscape.

Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates