Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-22457 |
🚨 Marked as known exploited on April 10th, 2025 (7 days ago).
Description: Ivanti released security updates to address vulnerabilities (CVE-2025-22457) in Ivanti Connect Secure, Policy Secure & ZTA Gateways. A cyber threat actor could exploit CVE-2025-22457 to take control of an affected system.
CISA has added CVE-2025-22457 to its Known Exploited Vulnerabilities Catalog.
See the following resources for more guidance:
April Security Update | Ivanti
April Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-22457)
Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457) | Google Cloud Blog
For any instances of Ivanti Connect Secure that were not updated by Feb. 28, 2025, to the latest Ivanti patch (22.7R2.6) and all instances of Pulse Connect Secure (EoS), Policy Secure, and ZTA Gateways, CISA urges users and administrators to implement the following actions:
Conduct threat hunting actions:
Run an external Integrity Checker Tool (ICT). For more guidance, see Ivanti’s instructions.
Conduct threat hunt actions on any systems connected to—or recently connected to—the affected Ivanti device.
If threat hunting actions determine no compromise:
For the highest level of confidence, conduct a factory reset.
For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device.
Apply the patch described in Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-22457). Please note that patches for Ivanti...
CVSS: CRITICAL (9.0) EPSS Score: 9.86%
April 4th, 2025 (13 days ago)
|
|
CVE-2025-22457 |
🚨 Marked as known exploited on April 10th, 2025 (7 days ago).
Description: CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-22457 Ivanti Connect Secure, Policy Secure and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
CISA urges organizations to apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.
Security Update: Pulse Connect Secure, Ivanti Connect Secure, Policy Secure and Neurons for ZTA Gateway
CISA Mitigation Instructions for CVE-2025-22457
Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-...
CVSS: CRITICAL (9.0) EPSS Score: 9.86%
April 4th, 2025 (13 days ago)
|
|
🚨 Marked as known exploited on April 10th, 2025 (7 days ago).
Description: Ivanti has disclosed details of a now-patched critical security vulnerability impacting its Connect Secure that has come under active exploitation in the wild.
The vulnerability, tracked as CVE-2025-22457 (CVSS score: 9.0), concerns a case of a stack-based buffer overflow that could be exploited to execute arbitrary code on affected systems.
"A stack-based buffer overflow in Ivanti Connect
CVSS: CRITICAL (9.0) EPSS Score: 9.86%
April 4th, 2025 (14 days ago)
|
|
CVE-2025-31161 |
🚨 Marked as known exploited on April 3rd, 2025 (14 days ago).
Description: CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.
CVSS: CRITICAL (9.8) EPSS Score: 24.88%
April 3rd, 2025 (14 days ago)
|
|
CVE-2025-30406 |
🚨 Marked as known exploited on April 8th, 2025 (9 days ago).
Description: Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, which enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: the CentreStack admin can manually delete the machineKey defined in portal\web.config.
According to Huntress:
"It is very important to note that this weakness also affects Gladinet Triofox, up to version 16.4.10317.56372. By default, previous versions of the Triofox software have the same hardcoded cryptographic keys in their configuration file, and can be easily abused for remote code execution." See references.
CVSS: CRITICAL (9.8) EPSS Score: 58.51%
April 3rd, 2025 (14 days ago)
|
|
🚨 Marked as known exploited on April 10th, 2025 (7 days ago).
Description: On April 3, 2025, Ivanti disclosed CVE-2025-22457, a critical a stack-based buffer overflow vulnerability that allows for remote code execution on affected devices.
CVSS: CRITICAL (9.0) EPSS Score: 9.86%
April 3rd, 2025 (14 days ago)
|
|
CVE-2025-22457 |
🚨 Marked as known exploited on April 3rd, 2025 (14 days ago).
Description: On Thursday, April 3, 2025, Ivanti disclosed a critical security vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure (“ICS”) VPN appliances version 22.7R2.5 and earlier. CVE-2025-22457 is a buffer overflow vulnerability, and successful exploitation would result in remote code execution. Mandiant and Ivanti have identified evidence of active exploitation in the wild against ICS 9.X (end of life) and 22.7R2.5 and earlier versions. Ivanti and Mandiant encourage all customers to upgrade as soon as possible.
The earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025. Following successful exploitation, we observed the deployment of two newly identified malware families, the TRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor. Additionally, deployment of the previously reported SPAWN ecosystem of malware attributed to UNC5221 was also observed. UNC5221 is a suspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge devices dating back to 2023.
A patch for CVE-2025-22457 was released in ICS 22.7R2.6 on February 11, 2025. The vulnerability is a buffer overflow with a limited character space, and therefore it was initially believed to be a low-risk denial-of-service vulnerability. We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achiev...
CVSS: CRITICAL (9.0) EPSS Score: 9.86% SSVC Exploitation: none
April 3rd, 2025 (14 days ago)
|
|
🚨 Marked as known exploited on April 10th, 2025 (7 days ago).
Description: Written by: John Wolfram, Michael Edie, Jacob Thompson, Matt Lin, Josh Murchie
On Thursday, April 3, 2025, Ivanti disclosed a critical security vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure (“ICS”) VPN appliances version 22.7R2.5 and earlier. CVE-2025-22457 is a buffer overflow vulnerability, and successful exploitation would result in remote code execution. Mandiant and Ivanti have identified evidence of active exploitation in the wild against ICS 9.X (end of life) and 22.7R2.5 and earlier versions. Ivanti and Mandiant encourage all customers to upgrade as soon as possible.
The earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025. Following successful exploitation, we observed the deployment of two newly identified malware families, the TRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor. Additionally, deployment of the previously reported SPAWN ecosystem of malware attributed to UNC5221 was also observed. UNC5221 is a suspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge devices dating back to 2023.
A patch for CVE-2025-22457 was released in ICS 22.7R2.6 on February 11, 2025. The vulnerability is a buffer overflow with a limited character space, and therefore it was initially believed to be a low-risk denial-of-service vulnerability. We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a ...
EPSS Score: 9.86%
April 3rd, 2025 (14 days ago)
|
|
🚨 Marked as known exploited on April 10th, 2025 (7 days ago).
April 2nd, 2025 (16 days ago)
|
|
🚨 Marked as known exploited on April 10th, 2025 (7 days ago).
Description: Apple has released security updates that backport fixes for actively exploited vulnerabilities that were exploited as zero-days to older versions of its operating systems. [...]
April 1st, 2025 (16 days ago)
|