Threat Insight

CVE-2025-22457: Critical Ivanti Buffer Overflow Vulnerability Exploited

Ivanti has disclosed a stack-based buffer overflow vulnerability[1] rated critical that affects Ivanti Connect Secure VPN appliances, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways.
If successfully exploited, an unauthenticated remote attacker can achieve code execution on the affected device.

Following successful exploitation, attackers have deployed malware families including TRAILBLAZE, BRUSHFIRE, and the SPAWN ecosystem[2]. The observed chain uses a multi-stage shell-script dropper to execute TRAILBLAZE, an in-memory dropper, which in turn injects the BRUSHFIRE passive backdoor directly into the memory of a running web process.

  • Insight
Our advanced solution includes threat hunting and detects cyber threats that typically evade standard SOC detection methods.

CVE

CVE-2025-22457

Affected Products

  • Ivanti Connect Secure: 22.7R2.5 and prior
  • Pulse Connect Secure (EoS): 9.1R18.9 and prior
  • Ivanti Policy Secure: 22.7R1.3 and prior
  • ZTA Gateways: 22.8R2 and prior

Exploitation

Mandiant and Ivanti have identified evidence of active exploitation in the wild against ICS 9.X and 22.7R2.5 and earlier versions[2].

Threat Actor

Google Threat Intelligence Group (GTIG) attributes the exploitation of CVE-2025-22457 to the suspected China-nexus espionage actor UNC5221[2].

Remediation

Ivanti Connect Secure: upgrade to version 22.7R2.6, released in February 2025[1].

Pulse Connect Secure 9.1x: contact Ivanti to migrate. This product reached End-of-Support on December 31, 2024, and no longer receives any code changes.

Ivanti Policy Secure: a patch is in development and will be available on April 21. The risk to this product is greatly reduced because it is not intended to be internet facing, so verify that it is not, in fact, exposed to the internet.

Ivanti ZTA Gateways: a patch is in development and will be applied automatically to environments on April 19. Ivanti Neurons ZTA gateways cannot be exploited while in production; a gateway that has been generated but left unconnected to a ZTA controller remains at risk of exploitation[1].

If a compromise is suspected, conduct a thorough forensic investigation.
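The following script is an added example (not Ivanti's or Mandiant's code) for triaging an appliance inventory against the "and prior" ceilings listed under Affected Products. It parses Ivanti's major.minor R release.patch version format and compares tuples; the product-name keys and the sample hostnames are assumptions for illustration.

```python
"""Check whether Ivanti appliance versions fall inside the CVE-2025-22457
affected ranges from the Ivanti advisory.

Added example, not Ivanti's or Mandiant's code. Version ceilings come from
the Affected Products list on this page; product-name keys and the sample
hostnames are assumptions made for illustration.
"""
import re

# "<product>": highest affected version ("and prior" in the advisory)
AFFECTED_CEILINGS = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Pulse Connect Secure": "9.1R18.9",
    "Ivanti Policy Secure": "22.7R1.3",
    "ZTA Gateways": "22.8R2",
}

# Ivanti versions look like 22.7R2.5 or 22.8R2: major.minor, an R (release)
# number, and an optional patch number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch number counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def in_affected_range(product: str, version: str) -> bool:
    """True when `version` is at or below the advisory's ceiling for `product`.

    False only means the build is newer than the listed ceiling; whether it
    actually carries the fix must be confirmed against the advisory (for
    Connect Secure the fixed release is 22.7R2.6).
    """
    ceiling = AFFECTED_CEILINGS[product]
    return parse_version(version) <= parse_version(ceiling)


def triage(inventory: list) -> list:
    """Return (hostname, status) for an inventory of (hostname, product, version)."""
    results = []
    for host, product, version in inventory:
        if product == "Pulse Connect Secure":
            # End-of-Support since 2024-12-31: no fix will ship, migrate instead.
            status = "EoS - migrate"
        elif in_affected_range(product, version):
            status = "AFFECTED"
        else:
            status = "above affected range"
        results.append((host, status))
    return results


if __name__ == "__main__":
    # Constructed sample inventory (hostnames are made up).
    sample = [
        ("vpn-edge-1", "Ivanti Connect Secure", "22.7R2.5"),
        ("vpn-edge-2", "Ivanti Connect Secure", "22.7R2.6"),
        ("legacy-vpn", "Pulse Connect Secure", "9.1R18.9"),
        ("nac-core", "Ivanti Policy Secure", "22.7R1.3"),
        ("zta-gw-1", "ZTA Gateways", "22.8R2"),
    ]
    for host, status in triage(sample):
        print(f"{host:12} {status}")
```

Tuple comparison handles the ZTA case where the patch digit is absent (22.8R2 parses as (22, 8, 2, 0)), and the Pulse branch is checked first because a 9.1x build above the ceiling is still End-of-Support and still needs migration.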

Detection

Run the external Integrity Checker Tool (ICT) continuously and watch for web server crashes, which can indicate exploitation attempts. If the ICT reports signs of compromise, factory reset the affected appliance and reinitialize it with version 22.7R2.6 before returning it to service[1].

Indicators of Compromise

Path                  MD5                               Description
/tmp/.i               4628a501088c31f53b5c9ddf6788e835  In-memory dropper
/tmp/.r               e5192258c27e712c7acf80303e68980b  Passive backdoor
/bin/dsmain           6e01ef1367ea81994578526b3bd331d6  Kernel extractor & encryptor
/lib/libdsupgrade.so  ce2b6a554ae46b5eb7d79ca5e7f440da  Implant utility
/tmp/.liblogblock.so  10659b392e7f5b30b375b94cae4fdca0  Log tampering utility
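As an added example (not Ivanti's, Mandiant's or the Integrity Checker Tool's code), the script below sweeps an offline copy of an appliance filesystem for the path/MD5 indicators listed above and also lists hidden files in /tmp, where both the dropper and the backdoor were staged. It assumes `root` is a mounted image or copied tree of the appliance; the sample tree it builds is constructed for demonstration and contains no real malware.

```python
"""Sweep an offline copy of an appliance filesystem for the CVE-2025-22457
indicators of compromise listed above.

Added example; not Ivanti's, Mandiant's or the Integrity Checker Tool's code.
`root` is assumed to be a mounted image or copied tree of the appliance
filesystem. The sample tree built by build_sample_root() is constructed for
demonstration and contains no real malware.
"""
import hashlib
import os
import tempfile

# path on the appliance -> MD5, from the Indicators of Compromise list above
IOCS = {
    "/tmp/.i": "4628a501088c31f53b5c9ddf6788e835",
    "/tmp/.r": "e5192258c27e712c7acf80303e68980b",
    "/bin/dsmain": "6e01ef1367ea81994578526b3bd331d6",
    "/lib/libdsupgrade.so": "ce2b6a554ae46b5eb7d79ca5e7f440da",
    "/tmp/.liblogblock.so": "10659b392e7f5b30b375b94cae4fdca0",
}

# Constructed placeholder content for the sample tree (not a real payload).
SAMPLE_R_BYTES = b"constructed placeholder, not the real /tmp/.r payload\n"
SAMPLE_R_MD5 = hashlib.md5(SAMPLE_R_BYTES).hexdigest()


def md5_of(path: str) -> str:
    """Hex MD5 of a file, read in chunks so large binaries stay off the heap."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, iocs: dict = IOCS) -> dict:
    """Classify each IOC path under `root` as 'absent', 'match' or 'present'.

    'match'   - file exists and its MD5 equals the published hash
    'present' - file exists but the hash differs; a rebuilt implant will not
                share the published hash, so this still needs a look
    'absent'  - no file at that path
    """
    findings = {}
    for ioc_path, expected_md5 in iocs.items():
        on_disk = os.path.join(root, ioc_path.lstrip("/"))
        if not os.path.isfile(on_disk):
            findings[ioc_path] = "absent"
        elif md5_of(on_disk) == expected_md5.lower():
            findings[ioc_path] = "match"
        else:
            findings[ioc_path] = "present"
    return findings


def hidden_tmp_files(root: str) -> list:
    """Hidden files directly under /tmp; the in-memory dropper and the passive
    backdoor in the list above were both staged as dotfiles there."""
    tmp = os.path.join(root, "tmp")
    if not os.path.isdir(tmp):
        return []
    return sorted(n for n in os.listdir(tmp) if n.startswith("."))


def build_sample_root() -> str:
    """Constructed sample tree: a hidden /tmp/.r with placeholder content, an
    unrelated dotfile, an ordinary log, and a /bin/dsmain with placeholder content."""
    root = tempfile.mkdtemp(prefix="ics-image-")
    os.makedirs(os.path.join(root, "tmp"))
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "tmp", ".r"), "wb") as f:
        f.write(SAMPLE_R_BYTES)
    with open(os.path.join(root, "tmp", ".cache-unrelated"), "wb") as f:
        f.write(b"\n")
    with open(os.path.join(root, "tmp", "session.log"), "wb") as f:
        f.write(b"ordinary log line\n")
    with open(os.path.join(root, "bin", "dsmain"), "wb") as f:
        f.write(b"placeholder binary\n")
    return root


if __name__ == "__main__":
    root = build_sample_root()
    for path, status in sweep(root).items():
        print(f"{status:8} {path}")
    print("hidden files in /tmp:", hidden_tmp_files(root))
```

A "present" result for a hidden file in /tmp is a finding on its own, since those paths have no legitimate reason to exist. For the /bin and /lib paths, a differing hash should be compared against a known-good image of the same release before drawing a conclusion, and none of this replaces the ICT run the advisory calls for.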

References

[1] https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US
[2] https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability