🔴 CVE-2025-22457

Critical stack-based buffer overflow in Ivanti remote access gateways allows unauthenticated remote code execution. These products are specifically designed to be internet-facing to provide secure remote access to corporate networks.

Risk Level: HIGH_RISK
CVSS Score: 9.0
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1133 — External Remote Services
Deployment Risk: VERY_HIGH
Ransomware: Yes (+426d)

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-04-03

Added to CISA KEV: 2025-04-04 (1 day between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-22457 is a critical security vulnerability affecting Ivanti Connect Secure (ICS) and related products, which has been subject to active, malicious exploitation in the wild.

Active Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability has been actively exploited in the wild since at least mid-March 2025 [3] [5].
  • Threat Actor: Exploitation is attributed to the suspected China-nexus espionage group UNC5221 [2] [1].
  • Campaign Nature: This is primarily an espionage-focused campaign rather than a ransomware operation. The actor uses the vulnerability to gain unauthorized access, deploy advanced malware (such as the `TRAILBLAZE` in-memory dropper and `BRUSHFIRE` passive backdoor), harvest credentials, and maintain long-term footholds within targeted organizations [2] [5].
Attack Method and Impact
  • Vulnerability Type: It is a stack-based buffer overflow vulnerability [1] [5].
  • Exploitation Requirements: The vulnerability allows unauthenticated Remote Code Execution (RCE) [5]. The attack vector is network-based, so the flaw can be exploited remotely over the network against an exposed appliance, without prior credentials or local access.
  • Impact: Successful exploitation grants the attacker the ability to execute arbitrary code on the affected appliance, leading to full system compromise, unauthorized access, and data exfiltration [3].
Exploit Availability
  • There is evidence of public interest and research into the vulnerability, including the existence of Python-based proof-of-concept (PoC) scanners designed to detect vulnerable instances [1]. Security firms like Rapid7 have also published technical analyses of the exploit [6].
Affected Versions and Mitigation
  • Affected Products: The vulnerability impacts Ivanti Connect Secure (ICS), Ivanti Policy Secure, and Ivanti ZTA gateways [1].
  • Affected Versions: Specifically, Ivanti Connect Secure versions 22.7R2.5 and earlier are affected [1] [5].
  • Status: A patch has been released by Ivanti to address this vulnerability [1]. Organizations are strongly advised to apply the latest security updates provided by the vendor. This vulnerability is also included in CISA’s Known Exploited Vulnerabilities (KEV) catalog, which mandates that federal agencies prioritize remediation [4].

Sources

  1. CVE-2025-22457 - Exploits & Severity - Feedly

    Threat Intelligence Report CVE-2025-22457 is a critical buffer overflow vulnerability affecting Ivanti Connect Secure (ICS) VPN appliances version 22.7R2.5 and earlier, with evidence of active exploitation in the wild attributed to the suspected China-nexus espionage actor UNC5221, who has deployed…

  2. UNC5221's Latest Exploit: Weaponizing CVE-2025-22457 in Ivanti ...

    UNC5221 launched a fresh campaign exploiting a critical Ivanti Connect Secure vulnerability (CVE-2025-22457) to gain unauthorized access to organizations' ... UNC5221 exploits CVE-2025-22457 in Ivanti VPNs using in-memory malware and credential theft. Learn their TTPs and how to defend against this…

  3. CVE-2025-22457: Ivanti Remote Code Execution Vulnerability...

    CVE-2025-22457 vulnerability has been actively exploited by Chinese APT group UNC5221 to deploy malware and backdoors since mid-March 2025. Adversaries were observed launching multi-stage intrusions that deployed advanced malware, such as TRAILBLAZE and BRUSHFIRE, alongside components from their mod…

  4. CISA's Known Exploited Vulnerabilities (KEV) Explained

    This is a textbook example of how the KEV catalog helps translate vulnerability data into prioritized, actionable defense. What Qualifies a Vulnerability for Inclusion in the KEV Catalog? CISA uses a combination of intelligence feeds, incident data, public reporting, and interagency collaboration to…

  5. Suspected China-Nexus Threat Actor Actively Exploiting Critical...

    The earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025. Following successful exploitation, we observed the deployment of two newly identified malware families, the TRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor. Additionally, deployment of the…

  6. Rapid7 publishes analysis of CVE-2025-22457 exploit - LinkedIn

    Principal Rapid7 vulnerability researcher Stephen Fewer published our analysis of CVE-2025-22457 in Ivanti Connect Secure, Policy Secure, ...