Ivanti Connect Secure, stack-based buffer overflow pre-auth RCE
A stack-based buffer overflow in Ivanti Connect Secure (before 22.7R2.6), Ivanti Policy Secure (before 22.7R1.4), and Ivanti ZTA Gateways (before 22.8R2.2) allows a remote, unauthenticated attacker to execute arbitrary code. The vulnerability results from an out-of-bounds write condition. Successful exploitation leads to remote code execution on the affected appliance.
Overview
CVE-2025-22457 is a critical (CVSS 9.8) stack-based buffer overflow affecting Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways, Ivanti's widely deployed VPN and secure-access appliances. The flaw allows a remote, unauthenticated attacker to execute arbitrary code on the appliance. NVD published the record on April 3, 2025, and CISA added it to the Known Exploited Vulnerabilities catalog on April 4, 2025. Mandiant attributed in-the-wild exploitation to a suspected China-nexus espionage actor (tracked as UNC5221) beginning in mid-March 2025.
Technical Details
The vulnerability is an out-of-bounds write (CWE-787) manifesting as a stack-based buffer overflow (CWE-121). The bug was initially assessed as a low-impact denial-of-service issue and was quietly fixed in Connect Secure 22.7R2.6, but threat actors determined it could be reliably weaponized for remote code execution. Exploitation requires no authentication or user interaction and is performed over the network. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting full compromise of confidentiality, integrity, and availability.
Impact
- Unauthenticated remote code execution on the VPN/secure-access gateway.
- Deployment of in-memory droppers and post-exploitation malware observed in the wild.
- Interception or redirection of VPN sessions and theft of credentials.
- Establishment of persistent footholds for espionage and lateral movement.
Mitigation
- Upgrade Ivanti Connect Secure to 22.7R2.6 or later.
- Upgrade Ivanti Policy Secure to 22.7R1.4 or later.
- Upgrade Ivanti ZTA Gateways to 22.8R2.2 or later.
- Migrate off end-of-support Pulse Connect Secure 9.x appliances, which remain exposed.
- Run the Ivanti Integrity Checker Tool and, if compromise is suspected, perform a factory reset before restoring a known-good configuration and rotating all secrets.
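To turn the fixed-version thresholds above into a repeatable inventory check, here is an added example (not Ivanti's tooling or any code from this advisory). It assumes Ivanti version strings follow the layout MAJOR.MINOR R RELEASE [. PATCH] (e.g. "22.7R2.6"), treats a missing patch component as 0, and flags end-of-support Pulse Connect Secure 9.x as unsupported rather than comparing it against a fix; the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import List, Tuple

# Fixed versions stated in the advisory, keyed by product name.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.4",
    "Ivanti ZTA Gateways": "22.8R2.2",
}

# Assumed layout of Ivanti version strings: MAJOR.MINOR R RELEASE [. PATCH],
# e.g. "22.7R2.6" -> (22, 7, 2, 6); a missing patch component counts as 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse an Ivanti version string into a comparable integer tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def assess(product: str, version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unsupported' for one appliance."""
    if product == "Pulse Connect Secure":
        # 9.x is end-of-support and receives no fix; it must be migrated.
        return "unsupported"
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    return "fixed" if parse_version(version) >= parse_version(fixed) else "vulnerable"


def triage(inventory: List[Tuple[str, str, str]]) -> dict:
    """Map each (hostname, product, version) record to its assessment."""
    return {host: assess(product, version) for host, product, version in inventory}


# Constructed sample inventory (hostnames and versions invented for illustration).
SAMPLE_INVENTORY = [
    ("vpn-east", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-west", "Ivanti Connect Secure", "22.7R2.6"),
    ("nac-01", "Ivanti Policy Secure", "22.7R1.4"),
    ("zta-edge", "Ivanti ZTA Gateways", "22.8R2"),
    ("legacy-vpn", "Pulse Connect Secure", "9.1R18"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Anything reported as "vulnerable" or "unsupported" should also be run through the Integrity Checker Tool, since a patched version number says nothing about whether the appliance was already compromised before the upgrade.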
Detection
Run the Ivanti Integrity Checker Tool (ICT) and review its output for signs of tampering. Inspect appliance logs for crashes or restarts of web-facing services consistent with overflow attempts, and for unexpected outbound connections. Hunt for known UNC5221 tradecraft, including in-memory droppers (TRAILBLAZE) and the BRUSHFIRE passive backdoor. CISA added CVE-2025-22457 to the Known Exploited Vulnerabilities catalog on April 4, 2025, with a short remediation deadline; treat any potentially compromised appliance as fully breached.