CVE-2025-22457: A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA...

9.0 CVSS

Description

On Thursday, April 3, 2025, Ivanti disclosed a critical security vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure (“ICS”) VPN appliances version 22.7R2.5 and earlier. CVE-2025-22457 is a buffer overflow vulnerability, and successful exploitation would result in remote code execution. Mandiant and Ivanti have identified evidence of active exploitation in the wild against ICS 9.X (end of life) and 22.7R2.5 and earlier versions. Ivanti and Mandiant encourage all customers to upgrade as soon as possible.

The earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025. Following successful exploitation, we observed the deployment of two newly identified malware families, the TRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor. Additionally, deployment of the previously reported SPAWN ecosystem of malware attributed to UNC5221 was also observed. UNC5221 is a suspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge devices dating back to 2023.

A patch for CVE-2025-22457 was released in ICS 22.7R2.6 on February 11, 2025. The vulnerability is a buffer overflow with a limited character space, and therefore it was initially believed to be a low-risk denial-of-service vulnerability. We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered through a complicated process, it was possible to exploit 22.7R2.5 and earlier to achiev...

Known Exploited

🚨 Marked as known exploited on April 3rd, 2025 (14 days ago).

Classification

CVE ID: CVE-2025-22457

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.0

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Problem Types

CWE-121 Stack-based Buffer Overflow

Affected Products

Vendor: Ivanti, Ivanti, Ivanti

Product: Connect Secure, Policy Secure, Neurons for ZTA gateways

Exploit Prediction Scoring System (EPSS)

EPSS Score: 9.86% (probability of being exploited)

EPSS Percentile: 92.51% (scored less or equal to compared to others)

EPSS Date: 2025-04-16 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-22457
https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457

Timeline

2025-04-03 14:30:14 UTC
Google Threat Intelligence

Written by: John Wolfram, Michael Edie, Jacob Thompson, Matt Lin, Josh Murchie On Thursday, April 3, 2025, Ivanti disclosed a critical security...
2025-04-03 14:31:41 UTC
🚨 Marked as Known Exploited
2025-04-03 16:40:21 UTC
CVE

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA...
2025-04-03 19:00:30 UTC
Rapid7

Ivanti Connect Secure CVE-2025-22457 exploited in the wild
2025-04-03 19:00:31 UTC
DarkWebInformer

CVE-2025-22457: April Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-22457)
2025-04-04 06:30:36 UTC
TheHackerNews

Critical Ivanti Flaw Actively Exploited to Deploy TRAILBLAZE and BRUSHFIRE Malware
2025-04-04 14:00:32 UTC
Watchtower Labs

Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure (CVE-2025-22457)
2025-04-04 17:45:11 UTC
CISA KEV

Ivanti Connect Secure, Policy Secure and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
2025-04-04 19:45:24 UTC
All CISA Advisories

CISA Adds One Vulnerability to the KEV Catalog
2025-04-04 19:45:24 UTC
All CISA Advisories

Ivanti Releases Security Updates for Connect Secure, Policy Secure & ZTA Gateways Vulnerability (CVE-2025-22457)