The Broadside · News

Ivanti patches CVE-2025-22457 RCE in edge appliances

The bad cases are the boring ones: forgotten VPN and NAC boxes that still sit on trusted network paths.


TL;DR

MS-ISAC says CVE-2025-22457, a stack-based buffer overflow in Ivanti Connect Secure, Policy Secure and ZTA Gateways, allows unauthenticated remote code execution. Ivanti has confirmed exploitation against a limited number of Connect Secure 22.7R2.5-or-earlier appliances and end-of-support Pulse Connect Secure 9.1x appliances. Prime contractors, subcontractors, government agencies and MSPs should patch supported appliances immediately; Pulse 9.1x owners have a decommissioning problem, not a normal patch ticket.

CVE-2025-22457 affects Connect Secure before 22.7R2.6, Policy Secure before 22.7R1.4 and ZTA Gateways before 22.8R2.2; Ivanti has shipped the fix in those three releases. The bug is a stack-based buffer overflow that allows a remote unauthenticated attacker to achieve remote code execution, according to the MS-ISAC advisory. That is the part compliance teams can put in the ticket. The part practitioners have to solve is nastier: these are edge-access appliances, and Ivanti says exploitation has already hit a limited number of Connect Secure 22.7R2.5-or-earlier and end-of-support Pulse Connect Secure 9.1x customer systems.

For federal contractors, government agencies and MSPs, this is not a generic perimeter vulnerability. Connect Secure is the remote-access path. Policy Secure is network access control. ZTA Gateway is in the access path to applications. Successful exploitation can let an attacker execute code in the system context and then install programs or view, change or delete data. In the wrong environment, that is a pivot point into the network, not merely a compromised appliance on an asset list.

The operational split is simple. Supported Ivanti Connect Secure, Policy Secure and ZTA Gateway deployments need emergency patching after whatever testing the organization can realistically do without converting "testing" into a delay strategy. Owners of Pulse Connect Secure 9.1x, which the advisory identifies as end-of-support, do not have the same patch path. Their choice is compensating controls while they rip out or replace an exposed appliance, or accepting that an unsupported remote-access gateway is now carrying active-exploitation risk.
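Turning that split into an inventory check is mostly version arithmetic, and Ivanti version strings do not sort as plain text (22.7R2.10 would sort before 22.7R2.6). The script below is an added example, not code from Ivanti, MS-ISAC or this site: it parses the "major.minorRrelease.patch" format (assumed from strings such as 22.7R2.5 and 9.1R18.9), compares each appliance against the fixed versions named in the advisory, and flags Pulse Connect Secure 9.1x for decommissioning rather than patching. The product codes (ICS, IPS, ZTA, PCS) and the inventory rows are constructed sample data.

```python
"""Triage an appliance inventory against the CVE-2025-22457 fixed versions.

Added example, not from the advisory or from Ivanti. Assumes Ivanti's
"<major>.<minor>R<release>[.<patch>]" version format; product codes and the
SAMPLE_INVENTORY rows are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# First fixed release per product, from the advisory. Anything older is affected.
FIXED = {
    "ICS": (22, 7, 2, 6),  # Connect Secure 22.7R2.6
    "IPS": (22, 7, 1, 4),  # Policy Secure 22.7R1.4
    "ZTA": (22, 8, 2, 2),  # ZTA Gateways 22.8R2.2
}

_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn '22.7R2.5' into (22, 7, 2, 5) so versions compare numerically."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = match.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


@dataclass
class Finding:
    host: str
    product: str
    version: str
    status: str  # "patch", "decommission", "ok" or "review"
    note: str


def triage(host, product, version):
    """Classify one appliance: patch it, decommission it, or leave it alone."""
    parsed = parse_version(version)
    if product == "PCS":
        # Pulse Connect Secure 9.1x is end-of-support: there is no fix to install.
        if parsed[:2] == (9, 1):
            return Finding(host, product, version, "decommission",
                           "end-of-support Pulse 9.1x; exploitation confirmed")
        return Finding(host, product, version, "review",
                       "Pulse release not covered by the advisory's version list")
    if product not in FIXED:
        return Finding(host, product, version, "review", "unknown product code")
    if parsed < FIXED[product]:
        note = "below first fixed release"
        if product == "ICS":
            note += "; exploitation confirmed on 22.7R2.5 and earlier"
        return Finding(host, product, version, "patch", note)
    return Finding(host, product, version, "ok", "at or above fixed release")


def triage_inventory(rows):
    """Run triage over (host, product, version) tuples."""
    return [triage(host, product, version) for host, product, version in rows]


def summarize(findings):
    """Count findings per status so the emergency-change ticket has numbers."""
    return dict(Counter(f.status for f in findings))


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("vpn-gw-01", "ICS", "22.7R2.5"),
    ("vpn-gw-02", "ICS", "22.7R2.6"),
    ("vpn-gw-03", "ICS", "22.6R2.3"),
    ("nac-01", "IPS", "22.7R1.3"),
    ("nac-02", "IPS", "22.7R1.4"),
    ("zta-01", "ZTA", "22.8R2.1"),
    ("legacy-vpn", "PCS", "9.1R18.9"),
]

if __name__ == "__main__":
    findings = triage_inventory(SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f.host:12} {f.product:4} {f.version:10} {f.status:12} {f.note}")
    print(summarize(findings))
```

Feed it the export from whatever asset system holds appliance versions; anything that lands in "review" is a version string or product the advisory does not describe and needs a human decision, not a silent "ok".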

The open questions matter during response. The advisory says exploitation is limited to a small number of customers, but it does not tell asset owners whether those customers share a sector, geography or configuration. It also does not answer whether patching alone is enough for already-exposed systems, or whether organizations should assume compromise and perform appliance-level forensics before putting the box back into service. After the 2024 Ivanti gateway exploitation campaign, CISA and partners warned that threat actors could deceive Ivanti's integrity-checking tools (https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b), which is exactly the kind of prior fact that should make defenders cautious about treating a clean post-patch dashboard as proof of a clean device.


Published · Deep Fathom