Security Week

Rapid7 Reveals RCE Path in Ivanti VPN Appliance After Silent Patch Debacle

Ryan Naraine Published: April 11, 2025 | Updated: April 11, 2025 3 min read

Security researchers at Rapid7 are publicly documenting a path to remote code execution of a critical flaw in Ivanti’s Connect Secure VPN appliances, ramping up the urgency for organizations to apply available patches.

The publication of exploit code comes less than a week after Mandiant flagged in-the-wild exploitation of the Ivanti bug (CVE-2025-22457) by a Chinese hacking gang notorious for hacking into edge network devices.

Although the issue was patched back in February, Ivanti misdiagnosed the issue as a so-called “product bug” and failed to issue a CVE identifier with public documentation. It wasn’t until Mandiant’s incident response team discovered the Chinese hacking campaign that Ivanti pushed out an advisory with details on the problem.

Here’s Ivanti’s explanation of the hiccup:

“The vulnerability is a buffer overflow with characters limited to periods and numbers, it was evaluated and determined not to be exploitable as remote code execution and didn’t meet the requirements of denial of service.”

“However, Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild. We encourage all customers to ensure they are running Ivanti Connect Secure 22.7R2.6 as soon as possible, which remediates the vulnerability.”

A week after the public disclosure, Rapid7s researchers warn that attackers can use a few carefully crafted HTTP headers to escalate the exploit from a trivial crash to full-blown remote code execution.

According to Rapid7’s technical analysis, the vulnerability stems from an unchecked buffer overflow in the HTTP(S) web server component of the Ivanti Connect Secure software. The researchers traced the vulnerability to a function that processes the “X-Forwarded-For” header and by manipulating the length of the header value, they were able to trigger an overflow that overwrites key parts of the stack.

Advertisement. Scroll to continue reading.

“This is a salient reminder that state-sponsored threat actors are actively reverse engineering vendor patches for high-profile software targets, and are able to identify silently patched (or otherwise not publicly disclosed) vulnerabilities,” Rapid7 warned.

“For reference, it took us approximately 4 business days of work to go from an initial crash to RCE,” the company added.

“State-sponsored threat actors have both significant time and expertise to develop nuanced and complex exploits against high-profile targets. This highlights what is arguably an asymmetry between threat actor resources and capabilities, and technology producer resources and capabilities when making impact judgments about potential security issues.”

The vulnerability, which carries a CVSS severity score of 9/10, affects Ivanti Connect Secure versions 22.7R2.5 and earlier, as well as end-of-support Pulse Connect Secure 9.x.

Beyond Ivanti Connect Secure, Ivanti plans to release patches for its Policy Secure and ZTA Gateways. While the Policy Secure fix is slated for release on April 21 and the ZTA Gateways update on April 19, neither platform has yet been observed under active attack.

Ivanti customers are urged to update to Connect Secure version 22.7R2.6 without delay and to migrate away from unsupported Pulse Connect Secure appliances.

Rapid7 has joined Ivanti in recommending that organizations examine appliances for web server crashes that offer a useful indication of attempted exploitation.

“This is due to how the exploit, in lieu of a suitable info leak to break ASLR, must rely upon brute forcing an address of a shared object library in the web server process. Every failed attempt to guess the correct address will result in the web server process crashing, and subsequently restarting,” Rapid7 noted.