Emerging Threat: Ivanti CVE-2025-22457

By Emma Zaballos
Product Marketing Manager
April 7, 2025

What is CVE-2025-22457? 

CVE-2025-22457 is a critical vulnerability (CVSS 9.0) affecting Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways. The issue is a stack-based buffer overflow triggered by a specially crafted X-Forwarded-For HTTP header. Successful exploitation enables unauthenticated remote code execution.

This vulnerability was originally misidentified as a buffer overflow vulnerability that could not lead to either remote code execution (RCE) or denial of service (DoS). However, Ivanti later clarified in a patch note that not only was the vulnerability exploitable, it had already been exploited in the wild. 

While patches have been available since February, some teams may have delayed patching because they were unaware that CVE-2025-22457 was a critical vulnerability. 

What assets are affected by CVE-2025-22457? 

  • Ivanti Connect Secure: 22.7R2.5 and prior 
  • Pulse Connect Secure (former name) (EoS): 9.1R18.9 and prior
  • Ivanti Policy Secure: 22.7R1.3 and prior
  • ZTA Gateways: 22.8R2 and prior  

Are fixes available? 

Fix status by product:

  • Ivanti Connect Secure: upgrade to 22.7R2.6 (released February 5, 2025) 
  • Ivanti Policy Secure: a patch is in development and will be available on April 21.
  • Ivanti ZTA Gateways: a patch is in development and will be automatically applied to environments on April 19.

Because Pulse Connect Secure 9.1x reached End-of-Support on December 31, 2024, these devices no longer receive any code changes and there is no patch available. Ivanti directs customers still using Pulse Connect Secure products to reach out to their contacts at Ivanti to migrate to a secure platform. 
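The version ranges and fix status above can be applied to an appliance inventory with a short script. This is an added example, not code from CyCognito or Ivanti: the inventory rows are constructed, and the version layout `<major>.<minor>R<release>[.<patch>]` is an assumption inferred from the strings on this page. Any version that sorts at or below the listed maximum is treated as "and prior".

```python
import re

# product -> (highest affected version, remediation), both taken from this page.
ADVISORY = {
    "Ivanti Connect Secure": ("22.7R2.5", "upgrade to 22.7R2.6"),
    "Pulse Connect Secure": ("9.1R18.9", "end of support, no patch: migrate"),
    "Ivanti Policy Secure": ("22.7R1.3", "patch in development (April 21)"),
    "ZTA Gateways": ("22.8R2", "patch auto-applied on April 19"),
}
# Assumed version layout: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch level counts as 0."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def triage(product, version):
    """Return (status, action) for one inventory row."""
    if product not in ADVISORY:
        return ("unknown-product", "review manually")
    max_affected, remediation = ADVISORY[product]
    try:
        parsed = parse_version(version)
    except ValueError:
        # An unparseable version is not proof of safety: send it to a human.
        return ("unknown-version", "review manually")
    if parsed <= parse_version(max_affected):
        return ("affected", remediation)
    return ("above-affected-range", "no action listed")

# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("vpn-east", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-west", "Ivanti Connect Secure", "22.7R2.6"),
    ("vpn-old", "Pulse Connect Secure", "9.1R18.9"),
    ("nac-1", "Ivanti Policy Secure", "22.7R1"),
    ("zta-1", "ZTA Gateways", "22.8R2.2"),
    ("vpn-lab", "Ivanti Connect Secure", "unknown"),
]

def run(inventory=SAMPLE_INVENTORY):
    return {host: triage(p, v) for host, p, v in inventory}

if __name__ == "__main__":
    for host, (status, action) in run().items():
        print(f"{host:10} {status:22} {action}")
```

A version above the affected range says nothing about whether the appliance was compromised before it was upgraded.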

Are there any other recommended actions to take? 

Customers concerned that their devices may have been exploited should monitor their external integrity checking tool (ICT) and look for web server crashes. If your ICT result shows signs of compromise, Ivanti advises performing a factory reset on the appliance and then putting the appliance back into production using version 22.7R2.6.

Is CVE-2025-22457 being actively exploited? 

A joint investigation by Mandiant and Ivanti revealed that this vulnerability has been exploited in the wild by known espionage actor UNC5221. CISA has also added this vulnerability to their Known Exploited Vulnerabilities (KEV) catalog. 

How is CyCognito helping customers identify assets vulnerable to CVE-2025-22457? 

CyCognito is actively working on detection capabilities for this vulnerability. In the meantime, customers can review assets running Connect Secure services to assess exposure, even if they are not explicitly identified as running vulnerable versions. 

Figure 1: The alert sent by CyCognito for CVE-2025-22457

How can CyCognito help your organization? 

CyCognito is an exposure management platform that reduces risk by discovering, testing and prioritizing security issues. The platform scans billions of websites, cloud applications and APIs and uses advanced AI to identify the most critical risks and guide remediation. Emerging companies, government agencies and Fortune 500 organizations rely on CyCognito to secure and protect from growing threats. Want to see how it works? Check out our website and explore our platform with a self-guided, interactive dashboard product tour. To learn how CyCognito can help you understand your external attack surface and exposed risks, please visit our Contact Us page to schedule a demo.




About the Author

Emma Zaballos

Product Marketing Manager

Emma Zaballos is an avid threat researcher who is passionate about understanding and combatting cybercrime threats. Emma enjoys monitoring dark web marketplaces, profiling ransomware gangs, and using intelligence for understanding cybercrime.
