External risk intelligence

Ivanti Connect Secure: Remote Code Execution Risk

CVE advisory | Known Exploit

CVE-2025-22457

A remote, unauthenticated attacker can exploit a buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways to execute code. This poses a risk to organizations by potentially allowing unauthorized access and control of affected systems.

Halo Surface Signal: 5

Out-of-bounds Write

Ivanti Connect Secure

Affected versions: before 22.7; before 22.8

External exposure likelihood

Halo Surface Signal score for CVE-2025-22457

The affected products are enterprise VPNs, Zero Trust access gateways, and policy controllers. These appliances are specifically designed to be deployed as public-facing edge services to provide remote connectivity and are intended to accept unauthenticated traffic at the network perimeter.

Horizon Alert

Summary of the vulnerability and why it matters

A security vulnerability has been identified in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways. This flaw could allow an attacker to execute arbitrary code on affected systems. The core issue involves a buffer overflow, which can occur when processing specific data inputs. This vulnerability creates a significant risk to organizations using these products.

  • Vulnerable Ivanti gateway products.
  • Buffer overflow allows code execution.
  • Potential for unauthorized system access.

Attack Path

How an attacker could exploit the issue

A remote, unauthenticated attacker can exploit a buffer overflow vulnerability to execute arbitrary code. This vulnerability affects Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways. Successful exploitation could allow an attacker to gain control of the affected systems.

  • Network exposure required
  • Attacker sends malicious input
  • Remote code execution occurs

Live Threat

Current exploitation, exposure, and threat context

A critical vulnerability exists in Ivanti Connect Secure, Policy Secure, and Zero Trust Access Gateways, allowing remote unauthenticated attackers to execute code. This type of attack can lead to significant business disruption and data compromise. The vulnerability is present in systems that are typically exposed to the internet, increasing the potential for exploitation. Given the severity and the presence on the CISA Known Exploited Vulnerabilities catalog, this issue warrants immediate attention to mitigate potential business risks.

  • Attackers with moderate skill.
  • Network access required.
  • High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A critical vulnerability has been identified in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways that could allow for remote code execution. This presents a significant risk to organizations utilizing these products, as an unauthenticated attacker could potentially compromise systems and data. Immediate action is required to assess and mitigate this exposure.

  • Identify all deployed Ivanti products.
  • Reduce exposure or isolate affected systems.
  • Apply vendor fixes and validate.
  • Monitor for related activity.

Frequently asked questions

What is the primary vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways?

The primary vulnerability is a stack-based buffer overflow that allows a remote, unauthenticated attacker to achieve remote code execution on affected systems. This weakness is categorized under CWE-121 and CWE-787.

Which Ivanti products are affected by CVE-2025-22457, and what is the nature of the weakness?

Ivanti Connect Secure versions before 22.7R2.6, Ivanti Policy Secure versions before 22.7R1.4, and Ivanti ZTA Gateways versions before 22.8R2.2 are affected. The weakness is a stack-based buffer overflow, enabling remote code execution.
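The remediation steps above start with identifying deployed Ivanti products and checking whether each one is below the fixed version given in this FAQ. The following is an added example (not code from the advisory or from Ivanti) that parses Ivanti-style version strings such as `22.7R2.6` and triages a constructed inventory against the three fixed versions named on this page. The version-string grammar (`major.minor[R<release>[.<patch>]]`) and the rule that a bare `22.7` sorts as `22.7R0.0` are assumptions made here so that ambiguous entries are flagged conservatively.

```python
import re
from typing import Dict, List, Tuple

# Minimum fixed versions as stated in the advisory FAQ:
# anything *before* these is affected by CVE-2025-22457.
FIXED_VERSIONS: Dict[str, str] = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.4",
    "Ivanti ZTA Gateways": "22.8R2.2",
}

# Assumed grammar for Ivanti version strings: "22.7R2.6" -> major=22, minor=7,
# release=2, patch=6. The "R<release>.<patch>" part is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+)(?:\.(\d+))?)?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn a version string into a comparable tuple.

    A bare "22.7" is treated as 22.7R0.0 (assumption), which sorts below every
    22.7Rx.y fix level, so an imprecise inventory entry is flagged, not ignored.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release or 0), int(patch or 0))


def is_affected(product: str, version: str) -> bool:
    """True when the installed version is strictly before the fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Classify each (host, product, version) row from an asset inventory.

    Status values: AFFECTED, fixed, unknown-version (unparseable string) or
    not-in-scope (a product this advisory does not cover).
    """
    results = []
    for host, product, version in inventory:
        if product not in FIXED_VERSIONS:
            status = "not-in-scope"
        else:
            try:
                status = "AFFECTED" if is_affected(product, version) else "fixed"
            except ValueError:
                status = "unknown-version"
        results.append((host, product, version, status))
    return results


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("vpn-edge-1.example.test", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-edge-2.example.test", "Ivanti Connect Secure", "22.7R2.6"),
    ("nac-1.example.test", "Ivanti Policy Secure", "22.7R1.3"),
    ("zta-gw-1.example.test", "Ivanti ZTA Gateways", "22.8R2.2"),
    ("zta-gw-2.example.test", "Ivanti ZTA Gateways", "22.8"),
    ("legacy.example.test", "Ivanti Connect Secure", "build-unknown"),
    ("mdm.example.test", "Ivanti EPMM", "12.0"),
]


def affected_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Hosts that need the vendor fix applied, in inventory order."""
    return [host for host, _, _, status in triage(inventory) if status == "AFFECTED"]


if __name__ == "__main__":
    for host, product, version, status in triage(SAMPLE_INVENTORY):
        print(f"{status:16} {host:28} {product} {version}")
```

The comparison implements only the "before X" rule stated in this FAQ; rows marked `unknown-version` should be resolved by checking the appliance directly rather than assumed fixed, and the `not-in-scope` bucket exists so that unrelated Ivanti products in the same inventory are not silently dropped from the report.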

How can an attacker trigger this vulnerability, and what is the potential impact?

An attacker can exploit this by sending specially crafted data to the vulnerable products. Successful exploitation allows for remote code execution, potentially leading to unauthorized system access and control. The attack vector is network-based and does not require prior authentication or user interaction.

Why is CVE-2025-22457 considered a significant threat, and is it actively exploited?

This vulnerability is considered a significant threat because it allows for remote code execution by unauthenticated attackers, affecting critical edge security products like VPNs and Zero Trust gateways. It is listed on the CISA Known Exploited Vulnerabilities catalog, indicating active exploitation.

What steps should organizations take to respond to this vulnerability?

Organizations should identify all deployed Ivanti products, assess their exposure, and apply vendor-provided fixes or mitigations immediately. Isolating affected systems and monitoring for suspicious activity are also crucial response measures.
