The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Ivanti Connect Secure to its Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability, identified as CVE-2025-22457, is a stack-based buffer overflow that allows unauthenticated attackers to execute arbitrary code remotely, potentially gaining full control of affected systems.
Details of CVE-2025-22457
- Affected Products:
- Ivanti Connect Secure (versions prior to 22.7R2.6).
- Ivanti Policy Secure and ZTA Gateways.
- Pulse Connect Secure (end-of-support as of December 2024).
- Exploitation:
- This vulnerability has been actively exploited by threat actors, including suspected China-nexus groups like UNC5221, to deploy malware and establish persistent access to compromised systems.
CISA’s Recommendations
CISA strongly urges organizations to:
Apply Patches:
- Update Ivanti Connect Secure appliances to version 22.7R2.6 or later.
- For Policy Secure and ZTA Gateways, patches will be available by mid-April 2025.
Conduct Threat Hunting:
- Use Ivanti’s Integrity Checker Tool (ICT) to identify signs of compromise.
- Perform forensic analysis on affected systems.
Isolate and Reset:
- If compromise is detected, isolate affected devices, perform a factory reset, and reapply patches using clean images.
Monitor Privileged Accounts:
- Audit and reset credentials, API keys, and certificates associated with compromised systems.
This addition to the KEV Catalog underscores the critical nature of this vulnerability and the importance of timely remediation to protect against active exploitation.
