
There are more than 5,000 internet-accessible Ivanti Connect Secure appliances that are susceptible to attacks exploiting a recently disclosed vulnerability, the non-profit cybersecurity organization The Shadowserver Foundation warns.
The issue, tracked as CVE-2025-22457 (CVSS score of 9), is described as a stack-based buffer overflow that could be exploited by remote, unauthenticated attackers to execute arbitrary code on a vulnerable appliance.
Ivanti fixed the bug in February, but warned last week that it misdiagnosed it as a production bug and that in-the-wild exploitation was ongoing. Simultaneously, Mandiant revealed that a Chinese hacking group tracked as UNC5221 was seen exploiting the flaw against Ivanti VPNs.
The exploitation commenced mid-March and led to the deployment of an in-memory dropper and a backdoor. According to Mandiant, UNC5221 likely analyzed Ivanti’s February patch and discovered an attack vector against CVE-2025-22457.
The vulnerability affects Ivanti Connect Secure version 22.7R2.5 and earlier, Pulse Connect Secure 9.x, Ivanti Policy Secure version 22.7R1.3 and prior, and ZTA Gateways version 22.8R2 and earlier.
Ivanti warned that only Connect Secure and Pulse Connect Secure appliances have been targeted in attacks, urging users to update their devices as soon as possible.
However, although fixes have been available since February, The Shadowserver Foundation observed more than 5,113 unpatched instances accessible from the internet as of April 6.
According to Shadowserver, most of the observed instances are older Pulse Connect Secure 9.x appliances that will not receive a patch, as support for them was discontinued in December.
“Pulse Connect Secure 9.1x reached End-of-Support on December 31, 2024, and no longer receives code support or changes,” Ivanti notes in its advisory, urging users to migrate to a supported version of Ivanti Connect Secure.
Patches for CVE-2025-22457 were included in Ivanti Connect Secure version 22.7R2.6, released in February, and will be included in Ivanti Policy Secure version 22.7R1.4 and ZTA Gateways version 22.8R2.2, which are expected to roll out later this month.
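The version boundaries above lend themselves to a quick inventory check. The following is an added example, not code from Ivanti, Shadowserver or the original article: it classifies appliance versions against the affected and fixed versions the article names. The product labels, status names, hostnames and sample versions are assumptions constructed for illustration.

```python
import re

# Version thresholds copied from the article: (last affected, first fixed).
# Product keys are hypothetical inventory labels, not Ivanti identifiers.
RULES = {
    "connect-secure": ("22.7R2.5", "22.7R2.6"),
    "policy-secure": ("22.7R1.3", "22.7R1.4"),
    "zta-gateway": ("22.8R2", "22.8R2.2"),
}
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\b", re.IGNORECASE)

def parse_version(text):
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch level counts as 0."""
    match = _VERSION.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())

def classify(product, version):
    """Return affected, affected-no-patch, fixed, unlisted or unparsed."""
    try:
        found = parse_version(version)
    except ValueError:
        return "unparsed"
    if product == "pulse-connect-secure":
        # 9.x is end-of-support and will not receive a patch.
        return "affected-no-patch" if found[0] == 9 else "unlisted"
    if product not in RULES:
        return "unlisted"
    last_affected, first_fixed = (parse_version(v) for v in RULES[product])
    if found <= last_affected:
        return "affected"
    if found >= first_fixed:
        return "fixed"
    return "unlisted"  # falls between the two versions the article names

# Constructed sample inventory: (host, product, version).
INVENTORY = [
    ("vpn1.example.test", "connect-secure", "22.7R2.5"),
    ("vpn2.example.test", "connect-secure", "22.7R2.6"),
    ("vpn3.example.test", "pulse-connect-secure", "9.1R18.9"),
    ("zta1.example.test", "zta-gateway", "22.8R2.1"),
]

def triage(inventory):
    return {host: classify(product, version) for host, product, version in inventory}

if __name__ == "__main__":
    print(triage(INVENTORY))
```

A result of "unlisted" means the article gives no verdict for that version, so it should be checked against Ivanti's advisory rather than assumed safe.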