Full Report
Ivanti has disclosed details of a now-patched critical security vulnerability impacting its Connect Secure product that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-22457 (CVSS score: 9.0), is a stack-based buffer overflow that could be exploited to execute arbitrary code on affected systems. "A stack-based buffer overflow in Ivanti Connect
Analysis Summary
# Vulnerability: Critical Buffer Overflow in Ivanti Connect Secure Leading to RCE (CVE-2025-22457)
## CVE Details
- CVE ID: CVE-2025-22457
- CVSS Score: 9.0 (Critical)
- CWE: CWE-121, Stack-based Buffer Overflow (inferred from the vendor description)
## Affected Systems
- Products: Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, Ivanti ZTA Gateways
- Versions:
  - Ivanti Connect Secure: 22.7R2.5 and prior
  - Pulse Connect Secure: 9.1R18.9 and prior (End-of-Support as of Dec 31, 2024)
  - Ivanti Policy Secure: 22.7R1.3 and prior
  - ZTA Gateways: 22.8R2 and prior
- Configurations: Applicable to unpatched firmware versions.
## Vulnerability Description
The vulnerability is a **stack-based buffer overflow** that, when exploited, allows a **remote, unauthenticated attacker** to achieve **Remote Code Execution (RCE)** on the affected appliances.
## Exploitation
- Status: **Exploited in the wild** (Observed active exploitation since mid-March 2025 against Connect Secure and end-of-support Pulse Secure appliances). No evidence of in-the-wild abuse for Policy Secure or ZTA Gateways.
- Complexity: Low (a known threat actor has already used it to obtain initial RCE)
- Attack Vector: Network (Remote, Unauthenticated)
### Observed Malicious Activity (CVE-2025-22457)
Exploitation attributed to China-nexus adversary UNC5221 was observed delivering a multi-stage attack involving:
1. An in-memory dropper called **TRAILBLAZE**.
2. A passive backdoor named **BRUSHFIRE**, injected directly into the memory of a running web process to avoid detection.
3. The **SPAWN** malware suite.
The goal of the exploitation is to establish persistent backdoor access.
## Impact
- Confidentiality: High (Due to the potential for credential theft and data exfiltration enabled by subsequent malware)
- Integrity: High (Arbitrary code execution)
- Availability: High (Potential for system compromise/disruption)
## Remediation
### Patches
Patches have been released for some products, with others pending:
- Ivanti Connect Secure: Fixed in version **22.7R2.6** (Patch released February 11, 2025).
- Pulse Connect Secure: Users must migrate to version **22.7R2.6** (requires contact with Ivanti due to end-of-support status).
- Ivanti Policy Secure: Fixed in version **22.7R1.4** (To be available April 21).
- ZTA Gateways: Fixed in version **22.8R2.2** (To be available April 19).
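As an added example (not Ivanti's code or the cited reports'), a small Python triage script that parses Ivanti's `major.minor R release . patch` build strings and checks an appliance inventory against the affected and fixed versions listed in the Affected Systems and Patches sections above; the hostnames and inventory rows are constructed, and Pulse Connect Secure is treated as end-of-support regardless of build because its only remediation is migration.

```python
import re

# Fixed versions as stated in the Patches section above (constructed lookup table).
FIXED = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.4",
    "ZTA Gateways": "22.8R2.2",
}
# Pulse Connect Secure is end-of-support: every build counts as affected and the
# remediation is migration to Connect Secure 22.7R2.6, not an in-place patch.
EOS_PRODUCTS = {"Pulse Connect Secure": "22.7R2.6"}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """Turn an Ivanti build string such as '22.7R2.5' or '22.8R2' into a
    comparable tuple; a missing trailing component counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

def assess(product, version):
    """Classify one appliance as 'patched', 'vulnerable' or 'end-of-support'."""
    if product in EOS_PRODUCTS:
        return "end-of-support", f"migrate to Connect Secure {EOS_PRODUCTS[product]}"
    fixed = FIXED.get(product)
    if fixed is None:
        raise KeyError(f"no advisory data for product {product!r}")
    # Numeric tuple comparison: 22.7R1.10 is newer than 22.7R1.4 (string order would lie).
    if parse_version(version) >= parse_version(fixed):
        return "patched", f"running {version}, fix is {fixed}"
    return "vulnerable", f"upgrade to {fixed}"

def triage(inventory):
    """Assess (hostname, product, version) rows, most urgent first."""
    order = {"vulnerable": 0, "end-of-support": 1, "patched": 2}
    rows = [(host, prod, ver, *assess(prod, ver)) for host, prod, ver in inventory]
    return sorted(rows, key=lambda r: order[r[3]])

# Constructed sample inventory (hostnames and the 22.7R1.10 build are made up).
SAMPLE_INVENTORY = [
    ("vpn-1.example", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-2.example", "Ivanti Connect Secure", "22.7R2.6"),
    ("pcs-old.example", "Pulse Connect Secure", "9.1R18.9"),
    ("zta-1.example", "ZTA Gateways", "22.8R2"),
    ("nac-1.example", "Ivanti Policy Secure", "22.7R1.10"),
]

if __name__ == "__main__":
    for host, prod, ver, status, action in triage(SAMPLE_INVENTORY):
        print(f"{status:<14} {host:<16} {prod} {ver}: {action}")
```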
### Workarounds
- Customers with compromised ICT (Ivanti Connect Secure) appliances should **perform a factory reset** on the appliance and then restore it into production using the patched version (**22.7R2.6**).
- **Monitor the external ICT** for signs of compromise.
## Detection
- **Indicators of Compromise:** Look for web server crashes immediately preceding sustained malicious activity. Watch for unauthorized execution of multi-stage shell scripts leading to in-memory execution of TRAILBLAZE or BRUSHFIRE.
- **Detection Methods and Tools:** Monitor network traffic and endpoint activity for persistence mechanisms or the presence of TRAILBLAZE, BRUSHFIRE, or SPAWN malware signatures.
## References
- Vendor Advisory: hxxps://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US
- Mandiant Bulletin: hxxps://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability
- Related Patch Information: hxxps://thehackernews.com/2025/02/ivanti-patches-critical-flaws-in.html