CISA Alerts on Critical Ivanti Connect Exploit in VPN Systems


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised an alarm on a newly identified critical vulnerability in Ivanti Connect Secure, a popular VPN solution. This alarming issue, recorded as CVE-2025-22457, has swiftly found its way into the Known Exploited Vulnerabilities (KEV) Catalog. Since mid-March of the current year, this vulnerability has been actively exploited, enabling remote and unauthenticated attackers to execute arbitrary code. This state of affairs brings a significant risk to organizations relying on these VPN solutions to secure their networks.

Vulnerability Details

CVE-2025-22457 is a formidable security concern featuring a stack-based buffer overflow (CWE-121), carrying a high CVSS score of 9.0. This severity rating underscores the critical nature of this vulnerability, as it allows attackers to execute code remotely without any need for authentication. The scope of impact is extensive, affecting several versions of Ivanti products including Ivanti Connect Secure (versions 22.7R2.5 and earlier), Pulse Connect Secure (versions 9.1R18.9 and earlier), Ivanti Policy Secure (versions 22.7R1.3 and prior), and ZTA Gateways (versions 22.8R2 and prior).

Patch availability was announced in February for Ivanti Connect Secure with version 22.7R2.6. However, patches for other affected products, including Ivanti Policy Secure and ZTA Gateways, are set to roll out by April 21 and April 19, respectively. This timing highlights the critical need for organizations using these products to prioritize updates and mitigate potential risks associated with this vulnerability.

When a vulnerability with a CVSS score of 9.0 surfaces, immediate attention is necessary. The stack-based buffer overflow nature of CVE-2025-22457 puts sensitive data and critical infrastructure at risk of being compromised by malicious actors. This vulnerability’s exploitation could have wide-reaching repercussions for organizations that fail to update their systems promptly.
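The first practical step for a defender is to compare the build running on each appliance against the affected ranges listed above. The following is an added example, not code from the article or from Ivanti: it parses Ivanti's `major.minorRrelease.patch` version strings, compares them against the last affected build per product as stated in this article, and triages a constructed inventory (the hostnames and the `SAMPLE_INVENTORY` list are made up for illustration).

```python
import re
from typing import List, Tuple

# Last affected build per product, as listed in the article above.
# Anything newer is treated as patched; confirm against Ivanti's own advisory.
LAST_AFFECTED = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Pulse Connect Secure": "9.1R18.9",
    "Ivanti Policy Secure": "22.7R1.3",
    "ZTA Gateways": "22.8R2",
}

# Matches strings such as "22.7R2.5" or "22.8R2" (patch component optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch number counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_affected(product: str, version: str) -> bool:
    """True when the build is at or below the last affected build for its product."""
    if product not in LAST_AFFECTED:
        raise KeyError(f"product not covered by this check: {product!r}")
    return parse_version(version) <= parse_version(LAST_AFFECTED[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (hostname, product, version) entries that are still exposed."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("vpn-edge-01", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-edge-02", "Ivanti Connect Secure", "22.7R2.6"),
    ("legacy-vpn", "Pulse Connect Secure", "9.1R18.9"),
    ("nac-01", "Ivanti Policy Secure", "22.7R1.4"),
    ("zta-gw-01", "ZTA Gateways", "22.8R2"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected by CVE-2025-22457")
```

Because the tuple comparison is lexicographic, an older release line such as 22.6R2.9 is correctly flagged as affected even though its patch number is higher than 22.7R2.5's.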

Active Exploitation

The inclusion of CVE-2025-22457 in the CISA KEV Catalog on April 4, 2025, underscores the significance of this vulnerability’s active exploitation. Reports indicate that exploitation began in mid-March, likely prompted by the actions of UNC5221. This group, notorious for targeting edge devices, has deployed malware varieties such as Trailblaze and Brushfire, threatening persistent access and valuable data theft.

UNC5221’s tactic involves reverse-engineering security patches, a method allowing them to exploit vulnerabilities promptly. This points to a crucial lesson for all organizations: the urgency of patching systems as soon as updates become available. The timely action can prevent potential breaches and safeguard crucial data.

With the availability of CISA’s KEV Catalog in various formats (CSV, JSON, print), cybersecurity professionals have a vital resource for identifying vulnerabilities exploited in the wild. CVE-2025-22457’s addition to this catalog highlights its substantial risk, urging organizations to expedite their mitigation measures. CISA has set an April 11, 2025, deadline for these actions, alongside its BOD 22-01 guidance, which offers comprehensive strategies for enhancing vulnerability management in cloud services.

Recommended Actions

Organizations are advised to initiate threat hunting activities using Ivanti’s Integrity Checker Tool (ICT). This involves detecting signs of compromise such as web server crashes. Conducting thorough threat hunts on connected systems ensures that potential risks are identified and mitigated before causing significant damage.

In cases where no compromise is detected, it is recommended to conduct a factory reset using a clean image for cloud or virtual systems while applying the necessary patches as per Ivanti’s advisory. Monitoring authentication services and auditing privileged accounts are crucial steps to ensure the ongoing security of the system. In some cases, temporarily disconnecting vulnerable devices until patches are applied might be a prudent move.

When compromise is confirmed, immediate isolation of affected devices is necessary. This should be followed by taking forensic images or coordinating with Ivanti for further analysis. A factory reset with a clean image helps in re-securing the system. Additionally, revoking and reissuing certificates, keys, and passwords, including admin and API credentials, and resetting domain account passwords twice, are essential actions. Disabling cloud-joined devices, applying the relevant patches, and reporting the incident to CISA and Ivanti constitute a comprehensive response plan.

Conclusion: Urgent Measures in Cybersecurity

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sounded an urgent alarm regarding a newly found critical vulnerability in Ivanti Connect Secure, a widely used VPN solution. This serious flaw, designated as CVE-2025-22457, has been promptly added to the Known Exploited Vulnerabilities (KEV) Catalog. Since March of this year, this vulnerability has been actively targeted by malicious actors, who are using it to execute arbitrary code without the need for authentication. This situation presents a substantial threat to organizations that depend on these VPN solutions to protect their networks. Organizations must immediately take action to mitigate this threat, patch affected systems, and review their security measures to avoid potential breaches. By addressing this critical flaw, businesses can reduce the risk of severe cybersecurity incidents that could compromise sensitive data. With cyber threats evolving rapidly, it is crucial for organizations to stay vigilant and keep their defenses updated.
