CISA Alerts on Critical Ivanti Connect Exploit in VPN Systems

Article Highlights
Off On

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised an alarm on a newly identified critical vulnerability in Ivanti Connect Secure, a popular VPN solution.This alarming issue, recorded as CVE-2025-22457, has swiftly found its way into the Known Exploited Vulnerabilities (KEV) Catalog. Since mid-March of the current year, this vulnerability has been actively exploited, enabling remote and unauthenticated attackers to execute arbitrary code.This state of affairs brings a significant risk to organizations relying on these VPN solutions to secure their networks.

Vulnerability Details

CVE-2025-22457 is a formidable security concern featuring a stack-based buffer overflow (CWE-121), carrying a high CVSS score of 9.0. This severity rating underscores the critical nature of this vulnerability, as it allows attackers to execute code remotely without any need for authentication. The scope of impact is extensive, affecting several versions of Ivanti products including Ivanti Connect Secure (versions 22.7R2.5 and earlier), Pulse Connect Secure (versions 9.1R18.9 and earlier), Ivanti Policy Secure (versions 22.7R1.3 and prior), and ZTA Gateways (versions 22.8R2 and prior).Patch availability was announced in February for Ivanti Connect Secure with version 22.7R2.6. However, patches for other affected products, including Ivanti Policy Secure and ZTA Gateways, are set to roll out by April 21 and April 19, respectively. This timing highlights the critical need for organizations using these products to prioritize updates and mitigate potential risks associated with this vulnerability.When a vulnerability with a CVSS score of 9.0 surfaces, immediate attention is necessary. The stack-based buffer overflow nature of CVE-2025-22457 puts sensitive data and critical infrastructure at risk of being compromised by malicious actors.This vulnerability’s exploitation could have wide-reaching repercussions for organizations that fail to update their systems promptly.

Active Exploitation

The inclusion of CVE-2025-22457 in the CISA KEV Catalog on April 4, 2025, underscores the significance of this vulnerability’s active exploitation. Reports indicate that exploitation began in mid-March, likely prompted by the actions of UNC5221. This group, notorious for targeting edge devices, has deployed malware varieties such as Trailblaze and Brushfire, threatening persistent access and valuable data theft.

UNC5221’s tactic involves reverse-engineering security patches, a method allowing them to exploit vulnerabilities promptly.This points to a crucial lesson for all organizations: the urgency of patching systems as soon as updates become available. The timely action can prevent potential breaches and safeguard crucial data.

With the availability of CISA’s KEV Catalog in various formats (CSV, JSON, print), cybersecurity professionals have a vital resource for identifying vulnerabilities exploited in the wild.CVE-2025-22457’s addition to this catalog highlights its substantial risk, urging organizations to expedite their mitigation measures. CISA has set an April 11, 2025, deadline for these actions, alongside its BOD 22-01 guidance, which offers comprehensive strategies for enhancing vulnerability management in cloud services.

Recommended Actions

Organizations are advised to initiate threat hunting activities using Ivanti’s Integrity Checker Tool (ICT). This involves detecting signs of compromise such as web server crashes. Conducting thorough threat hunts on connected systems ensures that potential risks are identified and mitigated before causing significant damage.

In cases where no compromise is detected, it is recommended to conduct a factory reset using a clean image for cloud or virtual systems while applying the necessary patches as per Ivanti’s advisory.Monitoring authentication services and auditing privileged accounts are crucial steps to ensure the ongoing security of the system. In some cases, temporarily disconnecting vulnerable devices until patches are applied might be a prudent move.

When compromise is confirmed, immediate isolation of affected devices is necessary. This should be followed by taking forensic images or coordinating with Ivanti for further analysis.A factory reset with a clean image helps in re-securing the system. Additionally, revoking and reissuing certificates, keys, and passwords, including admin and API credentials, and resetting domain account passwords twice, are essential actions. Disabling cloud-joined devices, applying the relevant patches, and reporting the incident to CISA and Ivanti constitute a comprehensive response plan.

Conclusion: Urgent Measures in Cybersecurity

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sounded an urgent alarm regarding a newly found critical vulnerability in Ivanti Connect Secure, a widely used VPN solution. This serious flaw, designated as CVE-2025-22457, has been promptly added to the Known Exploited Vulnerabilities (KEV) Catalog.Since March of this year, this vulnerability has been actively targeted by malicious actors, who are using it to execute arbitrary code without the need for authentication. This situation presents a substantial threat to organizations that depend on these VPN solutions to protect their networks. Organizations must immediately take action to mitigate this threat, patch affected systems, and review their security measures to avoid potential breaches. By addressing this critical flaw, businesses can reduce the risk of severe cybersecurity incidents that could compromise sensitive data. With cyber threats evolving rapidly, it is crucial for organizations to stay vigilant and keep their defenses updated.

Explore more

Ethereum Uses AI Swarms to Proactively Patch Network Flaws

The architectural integrity of global decentralized networks has reached a pivotal juncture where the speed of malicious exploitation often outpaces the traditional cadence of human-led security audits. To address this widening gap, The Ethereum Foundation has fundamentally transitioned its security strategy from a reactive model to an automated, proactive defense paradigm that leverages the power of machine learning. This shift

How Is ERP Modernization Driving DLA to Audit Readiness?

The Defense Logistics Agency currently manages an intricate global supply chain that serves as the backbone for the United States military, requiring an unprecedented level of financial precision and operational transparency to meet modern oversight requirements. This massive undertaking involves a transition from aging, siloed legacy systems to a unified Enterprise Resource Planning environment designed to provide real-time visibility into

What Makes Odyssey Infostealer a Global Threat to macOS?

The long-standing myth that macOS remains immune to sophisticated cyberattacks has been decisively shattered by the emergence of the Odyssey infostealer, a highly specialized malware variant engineered to bypass modern system integrity protections. This transition represents a fundamental shift in the threat landscape, where the historical security-by-obscurity advantage once enjoyed by Apple users has entirely vanished. As the adoption of

Can AI Secure Windows Without Compromising Stability?

The sheer scale of modern software development has reached a point where manual code review is no longer sufficient to protect the billions of devices running Windows across the globe. As lines of code multiply and interdependencies become more complex, traditional security measures are struggling to keep pace with the rapid evolution of sophisticated digital threats. In response to this

Xero Launches JAX to Redefine Accounting with Agentic AI

Small business owners have historically spent an exhausting amount of time tethered to spreadsheets and receipts, but the emergence of agentic AI is finally turning those static records into a living, breathing financial command center that operates with minimal human oversight. With more than five million global subscribers now integrated into its ecosystem, Xero is spearheading a movement toward Accountable