
Exploited Vulnerability in Ivanti Connect Secure, Pulse Connect Secure, Policy Secure, and ZTA Gateway


Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

CVE-2025-22457 could lead to remote code execution and has been exploited in the wild


Threat details

Ivanti Pulse Connect Secure is End-of-Support

Ivanti has stated Pulse Connect Secure appliances are End-of-support as of 31 December 2024 and will not receive patches. Ivanti has observed exploitation of CVE-2025-22457 against Pulse Connect Secure appliances.

Organisations that wish to upgrade from the Pulse Secure Appliance platform to the Ivanti Connect Appliance platform should review Ivanti's Frequently Asked Questions or contact Ivanti directly.

Exploitation of CVE-2025-22457

Ivanti and security researchers have stated that CVE-2025-22457 is being actively exploited in the wild. The NHS England National Cyber Security Operations Centre (CSOC) assesses further exploitation as highly likely.


Introduction

Ivanti has released a security advisory to address a critical vulnerability in Connect Secure, Policy Secure, Pulse Connect Secure, and ZTA Gateways. Recent research by Ivanti and security partners has shown remote code execution (RCE) is achievable and Ivanti is aware CVE-2025-22457 is being actively exploited in the wild. CVE-2025-22457 was previously addressed in Ivanti's February 2025 updates for Connect Secure.

CVE-2025-22457 is a 'stack-based buffer overflow' vulnerability with a CVSSv3 score of 9.0. If exploited, an unauthenticated attacker could perform RCE. 


Remediation advice

Affected organisations must review the Ivanti Security Advisory and must complete any required actions detailed below before marking this high severity Cyber Alert as complete.

Note: Patches for Ivanti Neurons for ZTA Gateways and Ivanti Policy Secure are not expected to be released until 19 April 2025 and 21 April 2025 respectively.


Remediation steps

Type: Action

Affected organisations must run an internal and external scan using Ivanti's Integrity Checker Tool (ICT) to detect evidence of compromise.

  • Note: Running the ICT will require a restart of gateway appliances.

If evidence of exploitation is detected, before completing any other steps organisations must immediately report this to the NHS England National Cyber Security Operations Centre (CSOC) by calling 0300 303 5222 or emailing [email protected].

If evidence of compromise is detected, Ivanti strongly recommends affected organisations perform a factory reset on the appliance.

Reference: https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US

Type: Patch

Ivanti Connect Secure

Affected organisations must apply version 22.7R2.6 (released February 2025).

Reference: https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US

Type: Action

Pulse Connect Secure

Affected organisations must stop using Pulse Connect Secure and must find an alternative, supported platform.

Organisations wishing to migrate to an in-support Ivanti platform are encouraged to contact Ivanti directly.

Reference: https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US

Type: Guidance

Policy Secure

Affected organisations are strongly encouraged to apply version 22.7R1.4 as soon as patches are available.

Note: Patches for Policy Secure are not expected until 21 April 2025. This Cyber Alert will be updated when patches are available.

Reference: https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US

Type: Aware

ZTA Gateways

Ivanti will automatically apply a patch on 19 April 2025. No action is required.

Reference: https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US

Type: Aware

Organisations are also encouraged to review Mandiant's blog post detailing observed exploitation activity. Indicators of compromise and hunting queries are also provided.

Reference: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability
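As an added worked example (not part of this alert and not Ivanti tooling), the script below triages a constructed appliance inventory against the remediation table above: it parses Ivanti-style version strings such as 22.7R2.6 into comparable tuples, flags Connect Secure and Policy Secure appliances that are below the fixed versions named in the alert, marks Pulse Connect Secure as End-of-Support and ZTA Gateways as vendor-patched, and sorts the result so the hosts needing action come first. The version-string layout (major.minorRrelease.maintenance, with any trailing build suffix ignored) and the host names and versions in the inventory are assumptions constructed for illustration. The ICT scan in the first row of the table applies to every appliance regardless of what this version check reports.

```python
import re

# Minimum fixed versions named in the alert. Pulse Connect Secure has no fix
# (End-of-Support) and ZTA Gateways are patched automatically by Ivanti, so
# neither appears here.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.4",
}

# Assumed layout of an Ivanti version string: <major>.<minor>R<release>[.<maintenance>]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn '22.7R2.6' into the comparable tuple (22, 7, 2, 6).

    A missing maintenance number is treated as 0, so '9.1R18' sorts below
    '9.1R18.1'. Anything after the first whitespace (e.g. a build suffix) is
    ignored. The format is an assumption for this example, not taken from the alert.
    """
    core = text.strip().split()[0]
    match = VERSION_RE.match(core)
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, maintenance = match.groups()
    return (int(major), int(minor), int(release), int(maintenance or 0))


def is_fixed(product, version):
    """True when the installed version is at or above the alert's fixed version."""
    return parse_version(version) >= parse_version(FIXED_VERSIONS[product])


def triage(appliance):
    """Map one inventory record onto the row types used in the remediation table."""
    product, version = appliance["product"], appliance["version"]
    if product == "Pulse Connect Secure":
        return "ACTION: End-of-Support since 31 December 2024, migrate to a supported platform"
    if product == "Ivanti Neurons for ZTA Gateways":
        return "AWARE: Ivanti applies the patch automatically on 19 April 2025"
    if product in FIXED_VERSIONS:
        required = FIXED_VERSIONS[product]
        if is_fixed(product, version):
            return f"OK: {version} is at or above {required}"
        return f"PATCH: {version} is below {required}"
    return "UNKNOWN: product not covered by this alert"


def triage_inventory(inventory):
    """Return (host, status) pairs with unsupported and unpatched hosts first."""
    results = [(a["host"], triage(a)) for a in inventory]
    order = {"ACTION": 0, "PATCH": 1, "UNKNOWN": 2, "AWARE": 3, "OK": 4}
    return sorted(results, key=lambda r: order[r[1].split(":")[0]])


# Constructed sample inventory; host names and versions are illustrative only.
INVENTORY = [
    {"host": "vpn-gw-01", "product": "Ivanti Connect Secure", "version": "22.7R2.5"},
    {"host": "vpn-gw-02", "product": "Ivanti Connect Secure", "version": "22.7R2.6"},
    {"host": "nac-01", "product": "Ivanti Policy Secure", "version": "22.7R1.3"},
    {"host": "legacy-vpn", "product": "Pulse Connect Secure", "version": "9.1R18"},
    {"host": "zta-01", "product": "Ivanti Neurons for ZTA Gateways", "version": "n/a"},
]

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY):
        print(f"{host:12} {status}")
```

Tuple comparison is what makes the check correct across release lines: a hypothetical 22.7R3.1 or 22.8R1 sorts above 22.7R2.6, while 22.7R2.5 does not, so a plain string comparison is deliberately avoided.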


Last edited: 4 April 2025 12:56 pm