cbcvebase.
CVE-2025-22457
published 2025-04-03

Priority: P1 (100)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2025-04-11
Exploited in the wild
EPSS: 99.97% (100.0th percentile)
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.

Affected

6 ranges (three of the rows carry no version data on this page)

Vendor   Product                     Version range   Fixed in
ivanti   connect_secure              < 22.7          22.7
ivanti   connect_secure              (not given)     (not given)
ivanti   policy_secure               < 22.7          22.7
ivanti   policy_secure               (not given)     (not given)
ivanti   zero_trust_access_gateway   < 22.8          22.8
ivanti   zero_trust_access_gateway   (not given)     (not given)

Note: the "< 22.7" / "< 22.8" ranges above are coarser than the fixed builds named in the description; patch to Connect Secure 22.7R2.6, Policy Secure 22.7R1.4 and ZTA Gateways 22.8R2.2 or later, not merely to any 22.7 / 22.8 build.

Detection & IOCs (extracted from sources)

path:  /dana-na/auth/url_default/welcome.cgi
other: X-Forwarded-For: 1*2048  (the header value is the character '1' repeated 2048 times)
url:   https://{{host}}:{{port}}/dana-na/auth/url_default/welcome.cgi
  • Detect exploitation attempts by monitoring for POST requests to /dana-na/auth/url_default/welcome.cgi with an oversized X-Forwarded-For header (2048 bytes of repeated '1' characters), which causes a web server crash indicative of the stack-based buffer overflow.
  • Monitor for web server crashes on Ivanti Connect Secure appliances as an indicator of active exploitation; Ivanti advises admins to monitor their external Integrity Checker Tool (ICT) and look for web server crashes.
  • Use Shodan/FOFA/ZoomEye/Google dork queries to identify exposed Ivanti Connect Secure instances that may be unpatched and vulnerable.
  • The exploit uses a heap spray to place the payload at a predictable memory location and brute-forces the base address of libdsplibs to build its ROP chain; treat repeated connection attempts from the same source to the target appliance as a sign of ASLR brute-forcing.
  • The overflow payload is limited to digits and periods; detection rules should look for abnormally long header values composed exclusively of digits and/or periods on Ivanti Connect Secure endpoints. Legitimate X-Forwarded-For values are also digits and periods (IPv4 addresses), so the length of the value, not its character set alone, is the discriminator.
  • Attribute post-exploitation activity to UNC5221 (China-nexus); look for deployment of the TRAILBLAZE, BRUSHFIRE, and SPAWN malware families following initial access via CVE-2025-22457.
  • The Metasploit module only supports Ivanti Connect Secure; Ivanti Policy Secure and ZTA Gateways are also vulnerable but are not covered by this exploit module.
  • Policy Secure and ZTA Gateway patches were not yet available at the time of initial disclosure (scheduled for April 21 and April 19 respectively); Ivanti stated it was not aware of exploitation targeting these gateways and that their deployment model meaningfully reduces risk.
  • In practice the exploit has high attack complexity because it must brute-force the libdsplibs base address under ASLR (the source of this note rates it AC:H); note that the NVD and CISA 3.1 vectors listed under CVSS provenance score AC:L. No authentication or user interaction is needed either way.
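As an added illustration (not code from the original page, from Ivanti, or from the sources quoted above), the Python below runs the detection logic described in the bullets over a handful of constructed request records: it flags POSTs to the welcome.cgi path whose X-Forwarded-For value is oversized, scores the digits-and-periods-only shape as the higher-confidence match, and counts per-source hits to the endpoint as a crude ASLR brute-force signal. The JSON-lines record format, the 256-byte size cutoff and the 5-hit burst threshold are assumptions for this example, not values from the page or from Ivanti.

```python
import json
import re
from collections import Counter

# Endpoint and header from the IOCs on this page.
TARGET_PATH = "/dana-na/auth/url_default/welcome.cgi"
HEADER = "X-Forwarded-For"

# Assumption (tuning value for this example, not from Ivanti): a genuine
# X-Forwarded-For is a short comma-separated IP list, so anything longer
# than this is treated as oversized.
OVERSIZED = 256

# The overflow payload is restricted to digits and periods (see the notes above).
DIGITS_DOTS = re.compile(r"^[0-9.]+$")

# Assumption (tuning value for this example): this many requests from one
# source to the target path is treated as a possible ASLR brute-force.
BURST_THRESHOLD = 5


def classify_xff(value):
    """Score one X-Forwarded-For value.

    'overflow-pattern' : oversized AND only digits/periods (the shape the PoC sends)
    'oversized'        : too long, but other characters are present
    'benign'           : within the expected length
    """
    v = value.strip()
    if len(v) <= OVERSIZED:
        return "benign"
    if DIGITS_DOTS.match(v):
        return "overflow-pattern"
    return "oversized"


def detect(lines, burst_threshold=BURST_THRESHOLD):
    """Run both checks over JSON-lines request records.

    Returns (findings, bursts): findings holds one dict per suspicious POST to
    the target path; bursts is the sorted list of sources that hit the target
    path at least burst_threshold times (any method, any header).
    """
    findings = []
    hits = Counter()
    for line in lines:
        rec = json.loads(line)  # constructed record format: src, method, path, headers
        if rec["path"] != TARGET_PATH:
            continue
        hits[rec["src"]] += 1
        xff = rec.get("headers", {}).get(HEADER, "")
        verdict = classify_xff(xff)
        if rec["method"] == "POST" and verdict != "benign":
            findings.append({"src": rec["src"], "verdict": verdict, "xff_len": len(xff)})
    bursts = sorted(src for src, n in hits.items() if n >= burst_threshold)
    return findings, bursts


def _req(src, method, path, xff):
    """Build one constructed log record (not a real appliance log format)."""
    return json.dumps({"src": src, "method": method, "path": path,
                       "headers": {HEADER: xff}})


# Constructed sample traffic: one normal page load, one request to an unrelated
# path, one oversized header with the wrong character set, and five copies of
# the PoC pattern (2048 x '1') from a single source.
SAMPLE_LOG = [
    _req("203.0.113.10", "GET", TARGET_PATH, "198.51.100.7"),
    _req("203.0.113.10", "POST", "/index.html", "198.51.100.7"),
    _req("192.0.2.9", "POST", TARGET_PATH, "A" * 300),
] + [_req("198.51.100.23", "POST", TARGET_PATH, "1" * 2048) for _ in range(5)]


if __name__ == "__main__":
    findings, bursts = detect(SAMPLE_LOG)
    for f in findings:
        print(f"{f['src']:16} {f['verdict']:17} xff_len={f['xff_len']}")
    print("possible ASLR brute-force from:", bursts)
```

On the sample, the five PoC requests are reported as overflow-pattern, the 300-byte "A" header only as oversized, and 198.51.100.23 is the one source that crosses the burst threshold. Two deployment caveats: a reverse proxy or WAF in front of the appliance may rewrite or strip the client-supplied X-Forwarded-For, so run the header check wherever the raw client header is first seen; and the burst count is per source, so a distributed brute-force will need a per-target or per-path rate view as well.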

CVSS provenance

nvd:        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck:        9.0  CRITICAL
cisa:             9.8  CRITICAL