Cloud Security · Research

CISA Adds Actively Exploited Ivanti Connect Secure Flaw CVE-2025-22457 to KEV Catalog

Technician performing urgent integrity checks and remediation on an internet-facing Ivanti Connect Secure remote-access gateway after CISA KEV listing of CVE-2025-22457
AK
Alex Kim
Threat intelligence editor · Updated Jul 15, 2026, 4:31 PM EDT

CISA Adds Actively Exploited Ivanti Connect Secure Flaw CVE-2025-22457 to KEV Catalog

CISA Adds Actively Exploited Ivanti Connect Secure Flaw CVE-2025-22457 to KEV Catalog

Federal civilian agencies and enterprise operators of Ivanti remote-access gateways face an urgent remediation window after the Cybersecurity and Infrastructure Security Agency added a critical stack-based buffer overflow in Ivanti Connect Secure to its Known Exploited Vulnerabilities catalog on April 4, 2025. The vulnerability, tracked as CVE-2025-22457, enables unauthenticated remote code execution and has been actively exploited at limited scale against internet-facing Connect Secure and end-of-support Pulse appliances since mid-March 2025, turning perimeter VPN gateways into high-value initial-access footholds.

The flaw is a stack-based buffer overflow (CWE-121 / CWE-787) reachable over the network without authentication. NIST rates it CVSS 9.8 (Critical) under the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; Ivanti’s scoring is 9.0 Critical with higher attack complexity. Successful exploitation grants full control of the appliance, enabling credential and certificate theft, lateral movement, and persistent access on devices that frequently lack endpoint detection. Researchers linked the overflow to processing of the X-Forwarded-For header under constrained character space. Ivanti initially assessed the issue as a low-risk denial-of-service condition and shipped a fix in Connect Secure 22.7R2.6 on February 11, 2025. Sophisticated actors reverse-engineered that patch and weaponized earlier builds for reliable remote code execution.

AttributeDetail
CVE IDCVE-2025-22457
TypeStack-based buffer overflow
Attack vectorNetwork, unauthenticated
ImpactRemote code execution → appliance control
CVSS (NIST)9.8 Critical
CVSS (Ivanti)9.0 Critical
Exploitation observedMid-March 2025 onward (limited scale)

Affected products and exposure

  • Ivanti Connect Secure: versions before 22.7R2.6 (including 22.7R2.5 and earlier, plus older 22.7R1.x lines). End-of-support Pulse Connect Secure 9.1x is also affected and has been exploited.
  • Ivanti Policy Secure: versions before 22.7R1.4.
  • Ivanti Neurons for ZTA Gateways / Zero Trust Access Gateways: versions before 22.8R2.2.

Internet-facing remote-access and VPN gateways remain the primary risk surface. Exploitation in the wild has concentrated on Connect Secure and legacy Pulse appliances; at disclosure Ivanti reported no confirmed exploitation against Policy Secure or ZTA Gateways, though the remote-code-execution path exists across the product family. Compromised gateways commonly yield domain credentials, API keys, certificates, and a privileged pivot into internal networks—especially dangerous because many organizations treat these appliances as semi-trusted edge infrastructure.

CISA KEV deadline and consolidated remediation

CISA added CVE-2025-22457 to the KEV catalog on April 4, 2025. Under Binding Operational Directive 22-01, federal civilian executive branch agencies must apply the mitigations set forth in CISA’s instructions by April 11, 2025. A patch has been available for Connect Secure since February 11, 2025: upgrade to 22.7R2.6 or later. Policy Secure requires 22.7R1.4 (approximately April 21, 2025); ZTA Gateways require 22.8R2.2 (approximately April 19, 2025). Patching alone does not remove prior compromise.

Prioritized actions for all operators:

  1. Inventory every internet-facing and internal Ivanti Connect Secure, Policy Secure, ZTA Gateway, and remaining Pulse Connect Secure 9.x appliance; confirm version status.
  2. Run the external Integrity Checker Tool (ICT) immediately; treat any anomaly as compromise until proven otherwise. Escalate hits to Ivanti Support.
  3. Isolate or disconnect vulnerable internet-facing appliances until patched; treat any instance not updated to 22.7R2.6 by February 28, 2025, and all end-of-support Pulse/Policy Secure/ZTA instances with elevated suspicion.
  4. Hunt systems currently or recently connected to the appliance for lateral movement, anomalous IdP/AD authentication, unexpected outbound traffic, and the filesystem/process artifacts listed below.
  5. If no compromise is found: factory-reset (known-clean external image for cloud/virtual), apply the fixed build, monitor authentication services, and audit privileged accounts.
  6. If compromise cannot be ruled out: isolate → forensic image (including memory) → factory reset with clean image → revoke and reissue certificates, API keys, admin enable password, local users and service accounts → reset domain passwords twice and revoke Kerberos tickets/cloud tokens → patch → restore under enhanced monitoring.
  7. Ingest published YARA rules for SPAWNANT, SPAWNSNARE, SPAWNSLOTH and related families; report confirmed incidents to CISA ([email protected] or (888) 282-0870) and Ivanti.
Sample MD5FamilyPath example
4628a501088c31f53b5c9ddf6788e835TRAILBLAZE/tmp/.i
e5192258c27e712c7acf80303e68980bBRUSHFIRE/tmp/.r
6e01ef1367ea81994578526b3bd331d6SPAWNSNARE/bin/dsmain
ce2b6a554ae46b5eb7d79ca5e7f440daSPAWNWAVE/lib/libdsupgrade.so
10659b392e7f5b30b375b94cae4fdca0SPAWNSLOTH/tmp/.liblogblock.so

Additional hunting signals include temporary paths /tmp/.p, /tmp/.m, /tmp/.w, /tmp/.s; injection into /home/bin/web; SSL_read hooks; web-process core dumps; ICT statedump anomalies; disabled local or remote syslog (SPAWNSLOTH targeting dslogserver); and unusual client TLS certificates presented to the appliance.

Threat actors and TTPs

Google Threat Intelligence Group / Mandiant attributes exploitation of CVE-2025-22457 to UNC5221, a suspected China-nexus espionage actor with a multi-year history of zero-day and n-day exploitation of edge devices. The same actor previously exploited Ivanti flaws CVE-2025-0282, CVE-2023-46805, and CVE-2024-21887, as well as Citrix NetScaler CVE-2023-4966. Activity against CVE-2025-22457 began in mid-March 2025 at limited scale but with high sophistication.

Post-exploitation chain observed:

TRAILBLAZE injects BRUSHFIRE into a listening /home/bin/web process; BRUSHFIRE acts as a passive SSL_read hook that decrypts and executes shellcode when a specific string is received. The SPAWN family includes log-tampering (SPAWNSLOTH), kernel extraction/encryption (SPAWNSNARE), and multi-capability implants (SPAWNWAVE / SPAWNCHIMERA / RESURGE overlap). Actors have also attempted to modify the Integrity Checker Tool itself. Earlier UNC5221 campaigns used compromised Cyberoam, QNAP, and ASUS devices as an obfuscation network.

Implications for remote-access posture

CVE-2025-22457 continues a multi-year pattern of critical Ivanti Connect Secure and Pulse Secure flaws—including the January 2025 CVE-2025-0282/0283 and RESURGE wave and the 2023–2024 zero-days that drove Emergency Directive 24-01—exploited because edge VPN and ZTNA appliances sit at the perimeter, hold elevated privileges, and often lack modern endpoint telemetry. Organizations that still expose traditional remote-access gateways to the internet should treat them as high-value targets requiring continuous integrity verification, rapid patching, and aggressive credential hygiene. The short federal KEV deadline underscores residual risk for any unpatched or incompletely cleaned appliance. Longer-term, security leaders should evaluate architectural reductions in internet-facing appliance surface—favoring modern zero-trust access models with strong device posture and continuous verification—while ensuring remaining gateways receive the same scrutiny as critical servers.

Immediate inventory, ICT execution, patching to fixed builds, and thorough post-compromise secret rotation remain the highest-priority actions while exploitation of CVE-2025-22457 continues.