CVE-2025-22457
Published 2025-04-03
Priority: P1 · 100 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2025-04-11
Exploited in the wild
EPSS: 99.97% (100.0th percentile)
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | connect_secure | < 22.7 | 22.7 |
| ivanti | connect_secure | — | — |
| ivanti | policy_secure | < 22.7 | 22.7 |
| ivanti | policy_secure | — | — |
| ivanti | zero_trust_access_gateway | < 22.8 | 22.8 |
| ivanti | zero_trust_access_gateway | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for POST requests to /dana-na/auth/url_default/welcome.cgi with an oversized X-Forwarded-For header (2048 bytes of repeated '1' characters), which causes a web server crash indicative of the stack-based buffer overflow.
- Monitor for web server crashes on Ivanti Connect Secure appliances as an indicator of active exploitation; Ivanti advises admins to monitor their external Integrity Checker Tool (ICT) and look for web server crashes.
- Use Shodan/FOFA/ZoomEye/Google dork queries to identify exposed Ivanti Connect Secure instances that may be unpatched and vulnerable.
- The exploit uses heap spray to place the payload at a predetermined memory location and brute-forces the base address of libdsplibs for ROP chain construction; detect repeated connection attempts from the same source to the target appliance as a sign of ASLR brute-forcing.
- The vulnerability is a buffer overflow limited to period and number characters in the overflow payload; detection rules should look for abnormally long header values composed exclusively of digits and/or periods on Ivanti Connect Secure endpoints.
- Attribute post-exploitation activity to UNC5221 (China-nexus); look for deployment of the TRAILBLAZE, BRUSHFIRE, and SPAWN malware families following initial access via CVE-2025-22457.
- The Metasploit module only supports Ivanti Connect Secure; Ivanti Policy Secure and ZTA gateways are also vulnerable but are not covered by this exploit module.
- Policy Secure and ZTA gateway patches were not yet available at the time of initial disclosure (scheduled April 21 and April 19 respectively); Ivanti stated it was not aware of exploitation targeting these gateways and that they have meaningfully reduced risk.
- The exploit requires high attack complexity (CVSS AC:H) due to ASLR brute-forcing of the libdsplibs base address, but no authentication or user interaction is needed.
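The header-based indicators above (an oversized X-Forwarded-For made only of digits and periods on an ICS endpoint, and repeated attempts from one source consistent with ASLR brute-forcing) can be turned into a small request classifier. The following is an added example, not code from any of the sources listed on this page; the 256-byte sanity threshold, the `/dana-na/` path prefix and the sample requests are assumptions constructed for illustration.

```python
"""Classify proxied HTTP requests for CVE-2025-22457 exploitation indicators (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample requests, not real captures: (source IP, method, path, X-Forwarded-For value)
SAMPLE_REQUESTS = [
    ("203.0.113.10", "POST", "/dana-na/auth/url_default/welcome.cgi", "198.51.100.7, 10.0.0.5"),
    ("203.0.113.10", "GET", "/dana-na/auth/url_default/welcome.cgi", "2001:db8::1"),
    ("198.51.100.99", "POST", "/dana-na/auth/url_default/welcome.cgi", "1" * 2048),
    ("198.51.100.99", "POST", "/dana-na/auth/url_default/welcome.cgi", "1." * 600),
    ("198.51.100.99", "POST", "/dana-na/auth/url_default/welcome.cgi", "1" * 2048),
]

# Assumption: a legitimate proxy chain of IP addresses stays well below this length.
MAX_SANE_XFF_LEN = 256
DIGITS_AND_DOTS = re.compile(r"^[0-9.]+$")


def is_proxy_chain(value):
    """True if the header is a comma-separated list of syntactically valid IP addresses."""
    try:
        for part in value.split(","):
            ipaddress.ip_address(part.strip())  # raises ValueError on anything that is not an IP
    except ValueError:
        return False
    return True


def xff_overflow_suspect(path, xff):
    """Flag an oversized X-Forwarded-For consisting only of digits/periods aimed at an ICS endpoint."""
    if not path.startswith("/dana-na/"):
        return False
    if len(xff) <= MAX_SANE_XFF_LEN:
        return False
    if is_proxy_chain(xff):
        return False  # long but well-formed chains are benign
    return bool(DIGITS_AND_DOTS.match(xff))


def analyze(requests, repeat_threshold=2):
    """Count suspect POSTs per source and list sources at or above the repeat threshold.

    Repeated suspect requests from one source match the ASLR brute-forcing behaviour described above.
    """
    hits = Counter()
    for src, method, path, xff in requests:
        if method == "POST" and xff_overflow_suspect(path, xff):
            hits[src] += 1
    brute_forcing = sorted(src for src, n in hits.items() if n >= repeat_threshold)
    return hits, brute_forcing


if __name__ == "__main__":
    counts, sources = analyze(SAMPLE_REQUESTS)
    print(dict(counts), sources)
```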
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.0 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-jjr5-fpcg-gc53
ghsa_unreviewed · 2025-04-03 · CVE-2025-22457 [CRITICAL] · CWE-121
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.
VulnCheck
Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
vulncheck · 2025 · CVSS 9.0 · CVE-2025-22457 [CRITICAL] · CWE-121
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contains a stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code execution.
Affected: Ivanti Connect Secure, Policy Secure, and ZTA Gateways
Required Action: Apply mitigations as set forth in the CISA instructions linked below.
Known Ransomware Campaign Use: Known
Exploitation References: https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability; https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457; https://www.ivanti.com/blog/security-update-pulse-connect-se
Ivanti
Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
vendor_ivanti · 2025-04-04 · CVSS 9.0 · CVE-2025-22457 [CRITICAL]
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contains a stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code execution.
CVE IDs: CVE-2025-22457
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: Apply mitigations as set forth in the CISA instructions linked below.
Remediation Due Date: 2025-04-11
Known to be used in ransomware campaigns.
CISA
Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability
cisa · 2025-04-04 · CVSS 9.8 · CVE-2025-22457 [CRITICAL] · CWE-121
Affected: Ivanti Connect Secure, Policy Secure, and ZTA Gateways
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contains a stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code execution.
Required Action: Apply mitigations as set forth in the CISA instructions linked below.
Notes: CISA Mitigation Instructions: https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-22457 ; Additional References: https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457 ; https://nvd.nist.gov/vuln/detail/CVE-2025-22457
Remediation Due Date: 2025-04-11
Metasploit
Ivanti Connect Secure Unauthenticated Remote Code Execution via Stack-based Buffer Overflow
metasploit · CVSS 9.8 · CVE-2025-22457 [CRITICAL]
This module exploits a Stack-based Buffer Overflow vulnerability in Ivanti Connect Secure to achieve remote code execution (CVE-2025-22457). Versions 22.7R2.5 and earlier are vulnerable. Note that Ivanti Pulse Connect Secure, Ivanti Policy Secure and ZTA gateways are also vulnerable but this module doesn't support this software. Heap spray is used to place our payload in memory at a predetermined location. Due to ASLR, the base address of `libdsplibs` is unknown. This library is used by the exploit to build a ROP chain and get command execution. As a result, the module will brute force this address starting from the address set by the `LIBDSPLIBS_ADDRESS` option.
Nuclei
Ivanti Connect Secure - Stack-based Buffer Overflow
nuclei · CVSS 9.8 · CVE-2025-22457 [CRITICAL]
Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4,
and Ivanti ZTA Gateways before version 22.8R2.2 contain a stack-based buffer overflow caused by
improper input handling, allowing remote attackers to execute arbitrary code without authentication.
Template:
```yaml
id: CVE-2025-22457

info:
  name: Ivanti Connect Secure - Stack-based Buffer Overflow
  author: s4e-io,pussycat0x
  severity: critical
  description: |
    Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4,
    and Ivanti ZTA Gateways before version 22.8R2.2 contain a stack-based buffer overflow caused by
    improper input handling, allowing remote attackers to execute arbitrary code without authentication.
  impact: |
    R
```
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio · 2026-02-02
Wiz
Crying Out Cloud Newsletter - May 2025 | Wiz
blogs_wiz · 2025-05-01 · CVSS 10.0 · CVE-2025-32433 [CRITICAL]
Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure.
Here are our top picks of cloud security highlights!
Hype or no hype – Critical Vulnerability in Erlang/OTP SSH Implementation
CVE-2025-32433 is a critical vulnerability (CVSS 10.0) in the Erlang/Open Telecom Platform (OTP) SSH implementation that allows unauthenticated remote attackers to execute arbitrary code by exploiting flaws in how the SSH protocol sequence is handled. Specifically, the vulnerability stems from the improper enforcement of message ordering, enabling attackers to send malicious SSH protocol messages before authentication and gain code executi
Tenable
Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help
blogs_tenable · 2025-04-25
Zscaler
2025 VPN Risk Report Blog | Zscaler
blogs_zscaler · 2025-04-10
Checkpoint
7th April – Threat Intelligence Report
blogs_checkpoint · 2025-04-07 · CVE-2024-20439
For the latest discoveries in cyber research for the week of 7th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The second-largest bar association in the US, The State Bar of Texas, has experienced a ransomware attack that resulted in unauthorized access to its network, exposing sensitive member information including full names and legal case documents. The INC ransomware gang claimed responsibility for the attack and has already leaked
Bleepingcomputer
Ivanti patches Connect Secure zero-day exploited since mid-March
blogs_bleepingcomputer · 2025-04-03 · CVSS 9.0 · CVE-2025-22457 [CRITICAL]
By Sergiu Gatlan
Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025.
Tracked as CVE-2025-22457, this critical security flaw is due to a stack-based buffer overflow weakness. It impacts Pulse Connect Secure 9.1x (which reached end-of-support in December), Ivanti Connect Secure 22.7R2.5 and earlier, Policy Secure, and Neurons for ZTA gateways.
According to Ivanti's advisory, remote threat actors can exploit it in high-complexity attacks that don't require authentication or user interaction. The company patched the vulnerability on February 11, 2025, with the release of Iva
Recorded Future
H1 2025 Malware and Vulnerability Trends
blogs_recorded_future
## Executive Summary
The first half of 2025 (H1 2025) reflected a rapidly evolving threat landscape defined by the convergence of persistent legacy threats and advanced new tactics.
The total disclosed CVEs increased by 16% from H1 2024, and threat actors exploited 161 vulnerabilities with assigned CVEs, with nearly half linked to malware or ransomware campaigns. Microsoft remained the most targeted vendor, while edge security and gateway devices continued to be high-value targets for initial access. Malware activity was similarly dynamic: while law enforcement takedowns disrupted major players like LummaC2, a resurgence of legacy malware such as Sality indicated that old tools still offer utility for modern actors. Remote access trojans (RATs
Greynoiseio
NoiseLetter April 2025
blogs_greynoiseio
arXiv
Where Do LLM-based Systems Break? A System-Level Security Framework for Risk Assessment and Treatment
arxiv_fulltext · 2026-03-08
Neha Nagaraja (School of Informatics, Computing, and Cyber Systems, Northern Arizona University, Flagstaff, USA)
Hayretdin Bahsi (School of Informatics, Computing, and Cyber Systems, Northern Arizona University, Flagstaff, USA; Department of Software Science, Tallinn University of Technology, Tallinn, Estonia)
Abstract - Large Language Models (LLMs) are increasingly integrated into safety-critical workflows, yet existing security analyses remain fragmented and often isolate model behavior from the broader system context. This work introduces a goal-driven risk assessment framework for LLM-powered systems that combines system modeling with Attack–
arXiv
SysFuSS: System-Level Firmware Fuzzing with Selective Symbolic Execution
arxiv_fulltext · 2026-02-02
Dakshina Tharindu, Aruna Jayasena, Prabhat Mishra (University of Florida)
## Abstract
Firmware serves as the critical interface between hardware and software in computing systems, making any bugs or vulnerabilities particularly dangerous as they can cause catastrophic system failures. While fuzzing is a promising approach for identifying design flaws and security vulnerabilities, traditional fuzzers are ineffective at detecting firmware vulnerabilities. For example, existing fuzzers focus on user-level fuzzing, which is not suitable for detecting kernel-level vulnerabilities. Existing fuzzers also face a coverage plateau problem when dealing with complex interact
Timeline
- 2025-04-03: Published
- 2025-04-04: Added to CISA KEV
- Exploited in the wild