CISA Adds Actively Exploited Ivanti Connect Secure Vulnerability to Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-22457, a critical vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways, to its Known Exploited Vulnerabilities (KEV) Catalog.
This stack-based buffer overflow, actively exploited since mid-March 2025, allows remote unauthenticated attackers to achieve remote code execution (RCE), threatening organizations using these VPN and access solutions.
Vulnerability Details
CVE-2025-22457 is a stack-based buffer overflow (CWE-121) with a CVSS score of 9.0, enabling attackers to execute arbitrary code without authentication.
It impacts Ivanti Connect Secure (versions 22.7R2.5 and earlier), Pulse Connect Secure (versions 9.1R18.9 and prior, End-of-Support since December 31, 2024), Ivanti Policy Secure (versions 22.7R1.3 and prior), and ZTA Gateways (versions 22.8R2 and prior).
Ivanti patched Connect Secure in version 22.7R2.6 on February 11, 2025, with patches for Policy Secure and ZTA Gateways due on April 21 and April 19, respectively.
Active Exploitation
CISA added CVE-2025-22457 to the KEV Catalog on April 4, 2025, following reports of exploitation. UNC5221, known for targeting edge devices, has deployed malware like Trailblaze and Brushfire for persistent access and data theft.
Exploitation began in mid-March, likely after UNC5221 reverse-engineered the February patch, underscoring the need for immediate updates.
CISA’s KEV Catalog, a vital resource for defenders, lists vulnerabilities confirmed to be exploited in the wild so that organizations can prioritize remediation. Available in CSV, JSON, and print formats, it includes 1,314 entries.
CVE-2025-22457’s addition highlights its urgency, with a mitigation due date of April 11, 2025. CISA recommends using the catalog alongside BOD 22-01 guidance for cloud services to enhance vulnerability management.
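As an added example that is not part of the article or of any CISA or Ivanti tooling, the script below shows how a defender would combine the two facts above: the affected/fixed version boundaries in the Vulnerability Details section and the KEV due date. It parses a constructed excerpt in the shape of the KEV JSON feed (field names follow the public feed; the values are the ones stated in the article), compares Ivanti-style version strings such as 22.7R2.5, and flags which hosts in a constructed inventory are still vulnerable and whether the KEV due date has passed. The hostnames, the inventory, and the assumption that a build numbered above the last affected build is fixed for Policy Secure and ZTA Gateways (whose patches were still forthcoming) are assumptions of this example.

```python
"""Added example (not from the article, CISA or Ivanti): triage a constructed
fleet of Ivanti appliances against a KEV entry and its due date."""
import json
import re
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names follow
# the public feed; values are taken from the article.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-22457",
            "vendorProject": "Ivanti",
            "product": "Connect Secure, Policy Secure, and ZTA Gateways",
            "dateAdded": "2025-04-04",
            "dueDate": "2025-04-11",
        }
    ]
})

# Version boundaries as stated in the article. Connect Secure has a released
# fix; for the other products only the last affected build is known, so this
# example ASSUMES anything newer than that build is fixed.
FIXED_VERSION = {"Connect Secure": "22.7R2.6"}
LAST_AFFECTED = {
    "Policy Secure": "22.7R1.3",
    "ZTA Gateways": "22.8R2",
    "Pulse Connect Secure": "9.1R18.9",  # End-of-Support, no fix expected
}

# Ivanti version strings look like 22.7R2.5 or 22.8R2 (patch field optional).
_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(s):
    """'22.7R2.5' -> (22, 7, 2, 5); a missing trailing field counts as 0."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {s!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_vulnerable(product, version):
    """True if the installed build falls inside the affected range."""
    if product in FIXED_VERSION:
        return parse_version(version) < parse_version(FIXED_VERSION[product])
    if product in LAST_AFFECTED:
        return parse_version(version) <= parse_version(LAST_AFFECTED[product])
    raise KeyError(f"no affected-version data for {product!r}")


def kev_entry(kev_json, cve_id):
    """Return the KEV record for cve_id, or None if it is not in the feed."""
    for v in json.loads(kev_json)["vulnerabilities"]:
        if v["cveID"] == cve_id:
            return v
    return None


def triage(inventory, kev_json, cve_id, today_iso):
    """Flag vulnerable hosts and whether the KEV due date has already passed."""
    entry = kev_entry(kev_json, cve_id)
    if entry is None:
        raise LookupError(f"{cve_id} not found in KEV feed")
    days_left = (date.fromisoformat(entry["dueDate"])
                 - date.fromisoformat(today_iso)).days
    results = []
    for host in inventory:
        vuln = is_vulnerable(host["product"], host["version"])
        results.append({
            "host": host["host"],
            "vulnerable": vuln,
            "days_until_due": days_left,
            "overdue": vuln and days_left < 0,
        })
    return results


# Constructed inventory; hostnames are placeholders.
INVENTORY = [
    {"host": "vpn-01.example.test", "product": "Connect Secure", "version": "22.7R2.5"},
    {"host": "vpn-02.example.test", "product": "Connect Secure", "version": "22.7R2.6"},
    {"host": "nac-01.example.test", "product": "Policy Secure", "version": "22.7R1.3"},
    {"host": "zta-01.example.test", "product": "ZTA Gateways", "version": "22.8R2"},
    {"host": "legacy.example.test", "product": "Pulse Connect Secure", "version": "9.1R18.9"},
]

if __name__ == "__main__":
    for row in triage(INVENTORY, KEV_SAMPLE, "CVE-2025-22457", "2025-04-08"):
        print(row)
```

Run against a real export of the KEV JSON and a real asset inventory, the same `triage` call gives a per-host list of what must be patched, reset or disconnected before the due date; the version parser is the piece most worth reusing, since naive string comparison gets `22.7R2.10` versus `22.7R2.9` wrong.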
Recommended Actions
Start with threat hunting: run Ivanti’s Integrity Checker Tool (ICT) to detect compromise, watch for signs of exploitation such as web server crashes, and extend the hunt to systems connected to the appliance.
If no compromise is detected, perform a factory reset with a clean image (for cloud/virtual systems), apply patches per Ivanti’s advisory (Connect Secure 22.7R2.6; Policy Secure and ZTA Gateways patches due April 21 and April 19, respectively), monitor authentication services, audit privileged accounts, and consider disconnecting vulnerable devices until they are patched.
If a compromise is confirmed, isolate affected devices, take forensic images or coordinate with Ivanti, perform a factory reset with a clean image, revoke and reissue certificates, keys, and passwords (including admin and API credentials), reset domain account passwords twice, revoke Kerberos tickets, disable cloud-joined devices, apply patches, and report to CISA at [email protected] or (888) 282-0870, and to Ivanti.
This is Ivanti’s 15th KEV entry since 2024, reflecting ongoing security issues with its edge devices. UNC5221’s involvement signals espionage risks from China-linked actors targeting infrastructure. An X post by
CVE-2025-22457’s inclusion in CISA’s KEV Catalog emphasizes its immediate threat. With patches available for Connect Secure and forthcoming for other products, organizations must act quickly to mitigate risks from sophisticated actors like UNC5221.
CISA’s guidance and Ivanti’s updates offer a clear path to secure systems and prevent further exploitation in a challenging cyber landscape.