Ivanti, a major vendor of VPN and network access products, has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability in Ivanti Connect Secure, the end-of-life Pulse Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways. The flaw carries a CVSS score of 9.0 and has been exploited in the wild since mid-March 2025, so any organization running these products on an unpatched version should treat it as an active threat rather than a routine update.
The vulnerability was publicly disclosed on April 3, 2025. Mandiant, which investigated the intrusions, confirmed that exploitation began in mid-March and attributed it to UNC5221, a suspected China-nexus espionage group with a track record of targeting edge devices. UNC5221 was previously tied to zero-day exploitation of Ivanti products, including CVE-2023-46805. In the current campaign the group deployed TRAILBLAZE (an in-memory dropper), BRUSHFIRE (a passive backdoor), and components of its SPAWN malware family, among them SPAWNSLOTH, a log-tampering utility used to suppress evidence of the intrusion.
The bug itself was fixed earlier than it was recognized. Ivanti corrected it in Ivanti Connect Secure 22.7R2.6 on February 11, 2025, but at the time assessed it as a low-risk denial-of-service issue rather than a security vulnerability, because the input that could overflow the buffer was restricted to a limited character set. Mandiant assesses that UNC5221 studied the patch, worked out what the fix changed, and developed a working remote code execution (RCE) exploit against appliances still running 22.7R2.5 or earlier, which turned a bug thought to cause only crashes into a critical vulnerability.
CVE-2025-22457 is a stack-based buffer overflow (CWE-121). A remote, unauthenticated attacker can supply crafted input that is not properly bounded before being copied into a fixed-size buffer on the stack, overwriting adjacent stack data and ultimately executing arbitrary code on the appliance. Ivanti has confirmed that Ivanti Connect Secure 22.7R2.6 fully remediates the flaw.
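To make the CWE-121 pattern concrete, here is an added illustration in C. It was written for this page; it is not Ivanti's code and says nothing about the shape of the actual vulnerable function. The 16-byte stack buffer, the digits-and-periods filter and the function names are all assumptions. What it shows is why a character-set filter alone is not a fix: the filter constrains which bytes an attacker can write, not how many, so an oversized input still overruns the buffer. The hardened version adds the missing length check.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical fixed-size stack buffer; the real field size is not on the page. */
#define FIELD_LEN 16

/* Constructed oversized input (40 digits) that passes the character filter. */
const char OVERSIZED_INPUT[] =
    "1111111111" "1111111111" "1111111111" "1111111111";

/* Character-set filter: accept only digits and '.'.
 * This models the article's "limited character set" purely as an illustration.
 * Note what it does NOT check: the length of the input. */
int charset_ok(const char *s)
{
    for (; *s != '\0'; s++) {
        if (!isdigit((unsigned char)*s) && *s != '.')
            return 0;
    }
    return 1;
}

/* Counts the '.'-separated components of a dotted numeric string. */
static int count_components(const char *s)
{
    int n = 1;
    for (; *s != '\0'; s++)
        if (*s == '.')
            n++;
    return n;
}

/* VULNERABLE pattern (CWE-121): the content is filtered, but the copy into a
 * fixed-size stack buffer is unbounded. Any input of FIELD_LEN bytes or more
 * that passes charset_ok() overwrites whatever follows buf on the stack.
 * It is here to show the bug; only call it with inputs shorter than FIELD_LEN. */
int parse_field_vulnerable(const char *input)
{
    char buf[FIELD_LEN];
    if (!charset_ok(input))
        return -1;
    strcpy(buf, input);             /* no length check: this is the overflow */
    return count_components(buf);
}

/* HARDENED version: same filter, plus an explicit bound on length before the
 * copy, so oversized input is rejected instead of written past the buffer. */
int parse_field_hardened(const char *input)
{
    char buf[FIELD_LEN];
    size_t len = strlen(input);
    if (!charset_ok(input))
        return -1;                  /* wrong content */
    if (len >= FIELD_LEN)
        return -2;                  /* too long: no room for the NUL terminator */
    memcpy(buf, input, len + 1);
    return count_components(buf);
}

int main(void)
{
    printf("filter accepts oversized digits: %d\n", charset_ok(OVERSIZED_INPUT));
    printf("hardened parse of oversized input: %d\n",
           parse_field_hardened(OVERSIZED_INPUT));
    printf("hardened parse of \"10.20.30\": %d\n",
           parse_field_hardened("10.20.30"));
    return 0;
}
```

In a binary built with a stack protector, calling the vulnerable function with OVERSIZED_INPUT aborts when the function returns; without one, the clobbered return address usually crashes the process. Either way a crash is the visible symptom, which is why an overflow whose payload does not land cleanly shows up as a crashed web server rather than as a successful login.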
Ivanti's remediation guidance depends on the product. Ivanti Connect Secure customers should upgrade to 22.7R2.6 immediately; where the appliance shows signs of compromise, Ivanti advises a factory reset followed by redeployment on 22.7R2.6 rather than an in-place upgrade, since a patch does not remove implants already on the device. Pulse Connect Secure is end-of-support and will not receive a fix; Ivanti advises those customers to contact it about migrating to a supported platform. Fixes for Ivanti ZTA Gateways and Ivanti Policy Secure were scheduled for April 19 and April 21, 2025, respectively.
For detection, Ivanti points customers to its Integrity Checker Tool (ICT) and to web server crashes as an indicator: a buffer overflow attempt that does not succeed typically crashes the web server process, so unexplained crashes on an appliance running a vulnerable version deserve investigation. Any positive ICT result or other sign of compromise should trigger the factory reset and clean redeployment described above. Mandiant's blog post on the campaign provides additional analysis and indicators of compromise for CVE-2025-22457.
The episode illustrates a recurring problem with edge devices: a fix shipped as a low-priority bug, a capable actor diffed it, and appliances that had not taken a routine update became targets for espionage. For defenders the practical lessons are to treat every update to an internet-facing appliance as potentially security-relevant even when the vendor does not flag it, to shorten the window between release and deployment, and to assume that a device running a vulnerable version during the exploitation window may already be compromised.
Timely patching, integrity checking, and clean redeployment on detection of compromise remain the controls that matter most for these appliances. Organizations that combine them with prompt consumption of vendor and threat intelligence advisories are in a far better position when the next vulnerability in an edge device is exploited before it is widely understood.

