CVE-2025-22467
published 2025-02-11

CVE-2025-22467: A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution.

Priority: P2 · 63 · high
CVSS 3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 3.71% (88.4th percentile)

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| ivanti | connect_secure | <= 22.7 | |
| ivanti | connect_secure | | |

Detection & IOCs (extracted from sources)

  • CVE-2025-22467 is a stack-based buffer overflow (CWE-121) in Ivanti Connect Secure; target detection of authenticated remote exploitation attempts against ICS versions 22.7R2.5 and older
  • CVE-2025-22467 requires only low-privilege authenticated access (not admin) to exploit for RCE — monitor for anomalous authenticated sessions from low-privilege accounts performing unusual operations on ICS appliances
  • Pulse Connect Secure 9.x is also affected but will NOT receive patches — treat any 9.x deployment as permanently vulnerable and prioritize detection/isolation
  • No active in-the-wild exploitation reported at time of disclosure; however, Ivanti recommends immediate patching given CVSS 9.9 critical severity
  • Pulse Connect Secure 9.x reached End-of-Support December 31, 2024 and will not receive backported fixes for this vulnerability
  • Ivanti has provided no mitigations; patching to ICS 22.7R2.6 is the only recommended remediation