A critical vulnerability, CVE-2025-22457, has been identified in Ivanti’s Connect Secure, Policy Secure, and ZTA Gateway products. This stack-based buffer overflow allows unauthenticated remote attackers to execute arbitrary code on affected systems. The flaw affects versions prior to 22.7R2.6 for Connect Secure, 22.7R1.4 for Policy Secure, and 22.8R2.2 for ZTA Gateways.
Exploitation of this vulnerability has been observed in the wild, with threat actors deploying malware families such as TRAILBLAZE and BRUSHFIRE to establish persistent access and exfiltrate data. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-22457 to its Known Exploited Vulnerabilities Catalog and issued mitigation instructions.
Recommended Actions:
- Apply the latest patches provided by Ivanti:
  - Connect Secure: Update to version 22.7R2.6 or later.
  - Policy Secure: Update to version 22.7R1.4 or later.
  - ZTA Gateways: Update to version 22.8R2.2 or later.
- Utilize Ivanti’s Integrity Checker Tool (ICT) to assess potential compromise.
- If compromise is suspected, perform a factory reset using a clean image and reapply configurations.
- Revoke and reissue any potentially exposed credentials, certificates, and API keys.
- Monitor systems for indicators of compromise and report any suspicious activity to CISA and Ivanti.
Organizations using affected Ivanti products should prioritize these actions to mitigate the risk associated with CVE-2025-22457.