Dive Brief:
-
Approximately 2,850 IP addresses are vulnerable to CVE-2025-22467, a critical stack buffer-overflow vulnerability that affects Ivanti Connect Secure VPNs, according to a post on X by the Shadowserver Foundation.
-
Ivanti disclosed and patched CVE-2025-22467 on Feb. 11 and said it was not aware of any exploitation of the vulnerability prior to the public disclosure. Exploitation of the critical flaw can allow a remote authenticated attacker to achieve remote code execution.
- Shadowserver found the U.S. and Japan were the countries with the highest number of vulnerable IP addresses, with 852 and 384 instances, respectively.
Dive Insight:
Ivanti devices have become popular targets for a variety of cyber threat actors in recent years. For example, last month a zero-day vulnerability in multiple Ivanti products, including Connect Secure, came under attack from a variety of threat groups. According to Shadowserver, nearly 380 instances of Ivanti Connect Secure were compromised via exploitation of CVE-2025-0282, another stack-based buffer overflow flaw.
In October, three zero-day vulnerabilities in the Ivanti Cloud Service Appliance were chained together and exploited by attackers. Shortly before the trio of flaws was disclosed, Ivanti released a statement pledging to overhaul its operations to develop more secure products.
At this stage, it appears CVE-2025-22467 has not yet been attacked in the wild. “We have not seen evidence of exploitation so far from our vantage point,” Shadowserver CEO Piotr Kijewski told Cybersecurity Dive in an email.
Kijewski also said having 2,850 vulnerable instances remaining two weeks after CVE-2025-22467’s public disclosure is “not bad” compared with other recent Ivanti vulnerabilities that were left exposed in devices.
Ivanti said at the time of CVE-2025-22467’s public disclosure that there were no known cases of exploitation. Cybersecurity Dive contacted Ivanti for additional comment.