
Rapid7 Unveils Remote Code Execution Vulnerability in Ivanti VPN Appliance Following Quiet Patch Controversy


Security researchers at Rapid7 have discovered a critical flaw in Ivanti’s Connect Secure VPN appliances that could lead to remote code execution, raising the urgency for organizations to apply available patches. The exploit code was made public shortly after Mandiant identified in-the-wild exploitation of the Ivanti bug (CVE-2025-22457) by a Chinese hacking group known for targeting edge network devices.

While the vulnerability was patched in February, Ivanti initially categorized it as a “product bug” and did not assign a CVE identifier or provide public documentation. It wasn’t until Mandiant uncovered the Chinese hacking campaign that Ivanti acknowledged the issue and issued an advisory with details on how to address it.

According to Ivanti, the vulnerability initially did not appear to be exploitable for remote code execution and did not even appear to cause a denial of service. Further investigation, however, showed that the flaw could be exploited through sophisticated methods, and it is now being actively exploited in the wild. Ivanti urged all customers to update Connect Secure to version 22.7R2.6 to mitigate the vulnerability.

Rapid7 researchers later warned that attackers could leverage carefully crafted HTTP headers to escalate the exploit from a simple crash to complete remote code execution. Their technical analysis revealed that the vulnerability stemmed from an unchecked buffer overflow in the HTTP(S) web server component of Ivanti Connect Secure software. By manipulating the length of the “X-Forwarded-For” header value, attackers could trigger an overflow that overwrote key parts of the stack.
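To make the bug class described above concrete, here is an added C illustration (constructed for this article; it is not Ivanti's or Rapid7's code): a fixed-size stack buffer receiving the X-Forwarded-For value with no length check, beside a handler that measures the value first and rejects the request when it does not fit. The buffer size, function names and sample inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Constructed illustration of the bug class; not Ivanti's or Rapid7's code. */
#define XFF_BUF 64   /* assumed size of the fixed stack buffer holding the header value */

/* Vulnerable pattern: the header value is copied into a fixed-size stack buffer
 * without checking its length, so an over-long X-Forwarded-For value runs past
 * the buffer and overwrites the stack. Shown for contrast only; never called here. */
static void copy_xff_unchecked(const char *value)
{
    char buf[XFF_BUF];
    strcpy(buf, value);        /* no bound on the copy */
}

/* Hardened pattern: measure at most out_len bytes, and reject the request
 * outright (no silent truncation) if value + NUL would not fit.
 * Returns 0 when copied, -1 when rejected. */
static int copy_xff_checked(const char *value, char *out, size_t out_len)
{
    size_t n = strnlen(value, out_len);   /* never scans beyond out_len */
    if (n >= out_len)
        return -1;
    memcpy(out, value, n + 1);            /* n + 1 <= out_len, NUL included */
    return 0;
}

/* Handle one raw header line "Name: value". Header names are case-insensitive.
 * Returns 1 if the line is not X-Forwarded-For, else the result of the checked copy. */
static int handle_header_line(const char *line, char *out, size_t out_len)
{
    static const char name[] = "X-Forwarded-For:";
    if (strncasecmp(line, name, sizeof name - 1) != 0)
        return 1;
    const char *v = line + sizeof name - 1;
    while (*v == ' ' || *v == '\t') v++;   /* skip optional whitespace */
    return copy_xff_checked(v, out, out_len);
}

int main(void)
{
    char out[XFF_BUF], longline[XFF_BUF + 64];   /* longline: constructed over-long header */
    memset(longline, 'A', sizeof longline - 1);
    longline[sizeof longline - 1] = '\0';
    memcpy(longline, "X-Forwarded-For: ", 17);
    printf("normal: %d, over-long: %d\n",
           handle_header_line("X-Forwarded-For: 203.0.113.7", out, sizeof out),
           handle_header_line(longline, out, sizeof out));
    return 0;
}
```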

The researchers emphasized that state-sponsored threat actors are actively reverse-engineering vendor patches for prominent software targets and exploiting vulnerabilities that have not been publicly disclosed. They noted that it took approximately four business days to move from an initial crash to achieving remote code execution.

The vulnerability carries a severity score of 9 out of 10 and affects Ivanti Connect Secure versions 22.7R2.5 and earlier, as well as the end-of-support Pulse Connect Secure 9.x. Ivanti plans to release patches for Policy Secure and ZTA Gateways to address the issue, with the former scheduled for April 21 and the latter for April 19.

Organizations are advised to update to Connect Secure version 22.7R2.6 promptly and migrate away from unsupported Pulse Connect Secure appliances to mitigate the risks associated with the vulnerability. Both Rapid7 and Ivanti recommend checking for web server crashes as an indicator of attempted exploitation, as the exploit relies on brute-forcing an address of a shared object library in the web server process.

The ongoing threat posed by the vulnerability underscores the need for robust cybersecurity measures and prompt patching to safeguard against potential exploits. Stakeholders in the cybersecurity ecosystem are closely monitoring the situation and working towards enhancing defenses to thwart malicious actors seeking to exploit vulnerabilities in critical infrastructure.

For further insights and updates on this evolving cybersecurity issue, stay tuned to SecurityWeek and related sources for the latest developments and recommendations on protecting organizational assets from emerging threats in the digital landscape.
