IT software vendor Ivanti recently released details of a now-patched critical security vulnerability affecting Ivanti Connect Secure (ICS) VPN appliances, Pulse Connect Secure, Ivanti Policy Secure, and ZTA gateways that is being actively exploited in the wild.
The vulnerability, identified as CVE-2025-22457 (CVSS score of 9.0), is a stack-based buffer overflow that allows a remote unauthenticated attacker to achieve remote code execution on an affected system, potentially leading to full system compromise. However, this flaw was fixed in Ivanti Connect Secure version 22.7R2.6 released February 11, 2025.
“The vulnerability is a buffer overflow with characters limited to periods and numbers, it was evaluated and determined not to be exploitable as remote code execution and didn’t meet the requirements of denial of service,” Ivanti said in a security advisory published on Thursday.
The vulnerability affects the following products and versions:
| Product Name | Affected Version(s) | Resolved Version(s) | Patch Availability |
|---|---|---|---|
| Ivanti Connect Secure | 22.7R2.5 and prior | 22.7R2.6 (released February 11, 2025) | Download Portal |
| Pulse Connect Secure (EoS) | 9.1R18.9 and prior | 22.7R2.6 | Contact Ivanti to migrate |
| Ivanti Policy Secure | 22.7R1.3 and prior | 22.7R1.4 | April 21 |
| ZTA Gateways | 22.8R2 and prior | 22.8R2.2 | April 19 |
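Triaging a fleet against the table above is mostly a version-comparison problem, and Ivanti's `major.minor R release[.patch]` strings do not sort correctly as plain text (`9.1R18.9` sorts after `22.7R2.6`). The following is an added example, not code from the article or from Ivanti: it parses those strings into comparable tuples, applies the "X and prior" / resolved boundaries from the table, and buckets a constructed inventory. The hostnames are made up, the version-string format is assumed from the values in the table, and any build that falls between the last affected version and the first resolved one (for example a hypothetical ZTA `22.8R2.1`) is reported as `unknown` rather than guessed, since the advisory does not list it.

```python
import re

# Advisory table as printed in the article: product -> (last affected build, first resolved build).
# Pulse Connect Secure is end-of-support; its remediation is migration to ICS 22.7R2.6, so no
# resolved build exists within its own product line.
ADVISORY = {
    "Ivanti Connect Secure": ("22.7R2.5", "22.7R2.6"),
    "Pulse Connect Secure": ("9.1R18.9", None),
    "Ivanti Policy Secure": ("22.7R1.3", "22.7R1.4"),
    "ZTA Gateways": ("22.8R2", "22.8R2.2"),
}

# Assumed format of the version strings: <major>.<minor>R<release>[.<patch>]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch field counts as 0, so '22.8R2' -> (22, 8, 2, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def classify(product, version):
    """Return 'affected', 'fixed', 'unknown' or 'not-listed' for one appliance."""
    if product not in ADVISORY:
        return "not-listed"
    last_affected, first_fixed = ADVISORY[product]
    v = parse_version(version)
    if v <= parse_version(last_affected):
        return "affected"
    if first_fixed is not None and v >= parse_version(first_fixed):
        return "fixed"
    # Newer than the last listed affected build but not a listed fix: do not guess.
    return "unknown"


# Constructed sample inventory (hostnames and assignments are invented for the example).
INVENTORY = [
    ("vpn-edge-01", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-edge-02", "Ivanti Connect Secure", "22.7R2.6"),
    ("vpn-legacy-01", "Pulse Connect Secure", "9.1R18.9"),
    ("nac-01", "Ivanti Policy Secure", "22.7R1.3"),
    ("zta-gw-01", "ZTA Gateways", "22.8R2"),
    ("zta-gw-02", "ZTA Gateways", "22.8R2.1"),
]


def triage(inventory):
    """Group hostnames by status so the 'affected' list can go straight to the patch/ICT queue."""
    buckets = {}
    for host, product, version in inventory:
        buckets.setdefault(classify(product, version), []).append(host)
    return buckets


if __name__ == "__main__":
    for status, hosts in sorted(triage(INVENTORY).items()):
        print(f"{status:>10}: {', '.join(hosts)}")
```

Feeding the script a real export means only changing `INVENTORY`; the comparison logic stays the same. Anything landing in `unknown` or `not-listed` should be confirmed against the vendor advisory rather than assumed safe.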
Ivanti said it is aware of a “limited number of customers” whose Ivanti Connect Secure (22.7R2.5 and earlier) and Pulse Connect Secure 9.1x appliances, the latter of which went end-of-life in December 2024, have been exploited. It added that it is not aware of any exploitation of Policy Secure or ZTA gateways in the wild as of the disclosure.
“Customers should monitor their external ICT and look for web server crashes. If your ICT result shows signs of compromise, you should perform a factory reset on the appliance and then put the appliance back into production using version 22.7R2.6,” the company added.
Following the disclosure by Ivanti, Google-owned Mandiant released a separate blog post detailing additional findings on post-exploitation activity tied to CVE-2025-22457.
According to Mandiant, the first known exploitation of CVE-2025-22457 was observed in mid-March 2025 and is believed to have been carried out by UNC5221, a China-linked espionage group with a history of exploiting zero-day vulnerabilities in Ivanti’s products since 2023. UNC5221 has previously leveraged three zero-day vulnerabilities: CVE-2025-0282, CVE-2023-46805 and CVE-2024-21887.
Keep Yourself Secured
Meanwhile, Mandiant has strongly urged organizations to apply the available patch immediately by upgrading Ivanti Connect Secure (ICS) appliances to version 22.7R2.6 or later to address the CVE-2025-22457 vulnerability.
Additionally, it suggests organizations use the external and internal Integrity Checker Tool (“ICT”) and reach out to Ivanti Support if any suspicious activity is detected.