CVE-2025-22457
CVE-2025-22457 is a critical-severity vulnerability in Ivanti Connect Secure with a CVSS 3.x base score of 9.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2025-04-04). The underlying weakness is classified as CWE-787.
Key facts
- Severity: Critical (CVSS 3.x base score 9.0)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2025-04-04)
- EU (EUVD) id: EUVD-2025-9646
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2025-04-04)
- Weakness: CWE-787
- Affected product: Ivanti Connect Secure
- Published:
- Last modified:
Description
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.
CVE-2025-22457: Stack-Based Buffer Overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-22457 |
| CVSS v3.1 | 9.0 Critical |
| CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-787 (Out-of-bounds Write) |
| EPSS | 0.99979 |
| Known Exploited | Yes (CISA KEV, 2025-04-04) |
| EU Exploited | Yes (since 2025-04-04) |
Summary
A stack-based buffer overflow vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways allows a remote, unauthenticated attacker to achieve remote code execution on affected appliances.
Background
Ivanti Connect Secure (formerly Pulse Connect Secure) is a widely deployed SSL-VPN solution used by enterprises for remote access. Ivanti Policy Secure provides network access control, and Ivanti ZTA Gateways enforce zero-trust access policies. These appliances sit at the network perimeter and are high-value targets for threat actors seeking initial access to enterprise networks.
Root Cause
The vulnerability is classified as CWE-787: Out-of-bounds Write, specifically a stack-based buffer overflow. The flaw arises from improper boundary checks when processing network-facing requests, allowing an attacker to write beyond the bounds of a stack-allocated buffer. Because the affected code runs with elevated privileges on the appliance, successful exploitation yields arbitrary code execution in the context of the system.
Impact
The CVSS v3.1 base score of 9.0 (Critical) reflects the severe impact of this vulnerability:
- Attack Vector (AV): Network — exploitable remotely without local network access.
- Attack Complexity (AC): High — exploitation may require circumventing existing protections.
- Privileges Required (PR): None — no authentication is needed.
- User Interaction (UI): None — the attack can be automated.
- Scope (S): Changed — the vulnerable component impacts resources beyond its security scope.
- Confidentiality, Integrity, Availability (C/I/A): All rated High.
Successful exploitation grants an unauthenticated attacker full remote code execution, enabling deployment of webshells, lateral movement, data exfiltration, and ransomware deployment.
Exploitation Walkthrough
Ethics caveat: This section describes the attack surface from a defensive perspective. No weaponized exploit code is provided.
The vulnerability is exposed on the network-facing management or VPN interfaces of the affected appliances. A threat actor can send a specially crafted request that triggers the buffer overflow during input processing. Because the overflow occurs on the stack, the attacker may overwrite return addresses or function pointers to redirect execution flow.
Defensive teams should assume that proof-of-concept or fully weaponized exploits exist in the wild, given the EPSS score of 0.99979 and confirmed CISA KEV listing. Threat actors, including ransomware affiliates and state-sponsored groups, have historically targeted Ivanti edge appliances for initial access.
Affected and Patched Versions
| Product | Affected Versions | Patched Version |
|---|---|---|
| Ivanti Connect Secure | All versions before 22.7R2.6 | 22.7R2.6 and later |
| Ivanti Policy Secure | All versions before 22.7R1.4 | 22.7R1.4 and later |
| Ivanti ZTA Gateways | All versions before 22.8R2.2 | 22.8R2.2 and later |
Remediation
- Upgrade immediately. Apply the vendor patches (22.7R2.6 for Connect Secure, 22.7R1.4 for Policy Secure, 22.8R2.2 for ZTA Gateways) as soon as possible.
- Restrict management access. Limit appliance management interfaces to trusted administrative networks. Disable internet-facing management portals where possible.
- Enable MFA. Enforce multi-factor authentication for all administrative and VPN access to reduce the impact of compromised credentials.
- Network segmentation. Place edge appliances in a restricted DMZ with strict egress controls to limit lateral movement if compromise occurs.
- Monitor for IOCs. Review Ivanti's security advisory for indicators of compromise and scan for anomalous files or configurations.
Detection
- Monitor network traffic for anomalous requests to the appliance management or VPN interfaces, especially large or malformed payloads.
- Review appliance logs for crashes, service restarts, or unauthorized file modifications.
- Check for unexpected webshells, scheduled tasks, or unauthorized accounts on the appliance.
- Compare running appliance firmware hashes against known-good values.
- Consult the CISA KEV catalog and Ivanti's advisory for specific indicators of compromise.
Assessment
With an EPSS of 0.99979 and confirmed inclusion in the CISA Known Exploited Vulnerabilities catalog (dated 2025-04-04), this vulnerability is actively exploited in the wild and should be treated as an emergency patch priority. The combination of network reachability, no authentication requirement, and remote code execution makes it a textbook edge-appliance nightmare.
Key lessons:
- Edge appliances are crown jewels. SSL-VPN and zero-trust gateways are perennial targets; patching cadence for these systems should be measured in hours, not days.
- Stack overflows in network services are still critical. Despite modern mitigations, high-complexity but unauthenticated network-facing memory corruption remains a premier attack vector.
References
Frequently asked questions
- What is CVE-2025-22457?
- A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.
- How severe is CVE-2025-22457?
- CVE-2025-22457 has a CVSS 3.x base score of 9.0, rated critical severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-22457 being actively exploited?
- Yes. CVE-2025-22457 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2025-04-04, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2025-22457?
- CVE-2025-22457 primarily affects Ivanti Connect Secure. In total, 23 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2025-22457?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2025-22457 have an EU (EUVD) identifier?
- Yes. CVE-2025-22457 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-9646. It is also flagged as exploited in the EUVD (since 2025-04-04).
- When was CVE-2025-22457 published?
- CVE-2025-22457 was published on 2025-04-03 and last updated on 2026-06-17.
References
- https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-22457
Affected products (23)
- cpe:2.3:a:ivanti:connect_secure:*:-:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.7:-:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.7:r1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.7:r1.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.7:r1.2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.7:r1.3:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.7:r1.4:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.7:r1.5:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.7:r2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.7:r2.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.7:r2.2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.7:r2.3:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.7:r2.4:*:*:*:*:*:*
- cpe:2.3:a:ivanti:connect_secure:22.7:r2.5:*:*:*:*:*:*
- cpe:2.3:a:ivanti:policy_secure:*:-:*:*:*:*:*:*
- cpe:2.3:a:ivanti:policy_secure:22.7:-:*:*:*:*:*:*
- cpe:2.3:a:ivanti:policy_secure:22.7:r1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:policy_secure:22.7:r1.1:*:*:*:*:*:*
- cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*:*:*
- cpe:2.3:a:ivanti:policy_secure:22.7:r1.3:*:*:*:*:*:*
- cpe:2.3:a:ivanti:zero_trust_access_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:ivanti:zero_trust_access_gateway:22.8:-:*:*:*:*:*:*
- cpe:2.3:a:ivanti:zero_trust_access_gateway:22.8:r2.1:*:*:*:*:*:*
More vulnerabilities in Ivanti Connect Secure
- CVE-2021-22893 — Critical (CVSS 10.0): Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the…
- CVE-2019-11510 — Critical (CVSS 10.0): In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an…
- CVE-2016-4787 — Critical (CVSS 10.0): Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote…
- CVE-2025-22467 — Critical (CVSS 9.9): A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker…
- CVE-2024-21894 — Critical (CVSS 9.8): A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows…
- CVE-2018-20813 — Critical (CVSS 9.8): An input validation issue has been found with login_meeting.cgi in Pulse Secure Pulse Connect Secure 8.3RX before 8.3R2.
All CVEs affecting Ivanti Connect Secure →
Other CWE-787 (Out-of-bounds Write) vulnerabilities
- CVE-2026-42369 — Critical (CVSS 10.0): GV-VMS V20 is a Video Monitoring Software used to gather the feeds of many surveillance cameras and manage other…
- CVE-2026-4746 — Critical (CVSS 10.0): Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src modules). This vulnerability is…
- CVE-2025-43300 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS…
- CVE-2025-24201 — Critical (CVSS 10.0): An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in…
- CVE-2024-42479 — Critical (CVSS 10.0): llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause…
- CVE-2024-39791 — Critical (CVSS 10.0): Stack-based buffer overflow vulnerabilities affecting Vonets industrial wifi bridge relays and wifi bridge…