CVE-2025-22457
Ivanti Connect Secure vulnerability analysis and mitigation

Overview

A critical zero-day vulnerability (CVE-2025-22457) was discovered affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways. The vulnerability is a stack-based buffer overflow that allows remote unauthenticated attackers to achieve remote code execution. Initially identified as a product bug and believed to be a low-risk denial-of-service vulnerability, it was later confirmed to be actively exploited in the wild. The affected products include Ivanti Connect Secure 22.7R2.5 and prior, Pulse Connect Secure (EoS) 9.1R18.9 and prior, Ivanti Policy Secure 22.7R1.3 and prior, and ZTA Gateways 22.8R2 and prior (NVD, Arctic Wolf).

Technical details

The vulnerability is classified as a stack-based buffer overflow (CWE-121) and out-of-bounds write (CWE-787). It received a CVSS v3.1 base score of 9.8 (CRITICAL) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Ivanti assigned a score of 9.0 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. The vulnerability was initially believed to be a low-risk denial-of-service issue due to limited character space but was later confirmed to allow remote code execution (NVD, Rapid7).

Impact

The vulnerability allows remote unauthenticated attackers to achieve remote code execution on affected systems. Exploitation has been observed in Connect Secure devices, leading to data exfiltration, backdoor installation, and log tampering. At the time of disclosure, exploitation was only observed in Connect Secure, not in Policy Secure or ZTA Gateway products (Arctic Wolf).

Mitigation and workarounds

Ivanti released a patch for Connect Secure (version 22.7R2.6) in February 2025, with patches for Policy Secure and ZTA Gateways scheduled for April 21 and April 19, 2025, respectively. Organizations are advised to conduct threat hunting using the external Integrity Checker Tool (ICT), perform a factory reset if compromise is detected, and apply available patches immediately. For compromised devices, organizations should isolate affected instances, take forensic images, revoke and reissue certificates, keys, and passwords, and reset admin credentials (CISA).

Community reactions

CISA has added CVE-2025-22457 to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to take immediate action. Google's Mandiant division has attributed the exploitation to suspected China-nexus actors, highlighting the severity and strategic importance of this vulnerability (CISA).

This report was generated using AI.
