On 3 April 2025, Ivanti disclosed a critical zero-day vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways. This stack-based buffer overflow allows unauthenticated remote threat actors to achieve remote code execution (RCE) and has been exploited in the wild. At the time of writing, exploitation has only been observed in Connect Secure, not in Policy Secure or ZTA Gateways. As a result, Ivanti prioritised patching Connect Secure first, with patches for the other products expected later in April.
Campaign Details
Google Threat Intelligence observed the exploitation of CVE-2025-22457 as early as mid-March 2025 and attributed the activity to the suspected China-nexus espionage group UNC5221. This threat actor is known to target edge devices across a wide range of countries and industries, leveraging the SPAWN ecosystem malware. The campaign, documented by Google, involved malware deployment after exploitation to carry out malicious activities, including data exfiltration, backdoor installation, and log tampering.
Recommendation For CVE-2025-22457
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product Name | Affected Version(s) | Fixed Version(s) | Patch Availability |
| --- | --- | --- | --- |
| Ivanti Connect Secure | 22.7R2.5 and prior | 22.7R2.6 (released February 2025) | Download Portal |
| Pulse Connect Secure (EoS) | 9.1R18.9 and prior | 22.7R2.6 | Contact Ivanti to migrate |
| Ivanti Policy Secure | 22.7R1.3 and prior | 22.7R1.4 | April 21 |
| ZTA Gateways | 22.8R2 and prior | 22.8R2.2 | April 19 |
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
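To turn the version table above into an inventory check, the following added example (not Arctic Wolf's or Ivanti's code) parses Ivanti-style version strings such as "22.7R2.5" or "22.8R2" into comparable tuples and flags every device whose installed version is below the fixed version listed for its product. The product names and version numbers come from the advisory table; the inventory CSV, the hostnames in it, and the function names (`parse_version`, `needs_upgrade`, `triage`) are constructed for this illustration.

```python
import re
from typing import List, Tuple

# Latest affected and fixed versions as stated in the advisory table above.
# Pulse Connect Secure is end-of-sale; the advisory lists 22.7R2.6 as the
# target version to migrate to, so the comparison treats it the same way.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": ("22.7R2.5", "22.7R2.6"),
    "Pulse Connect Secure": ("9.1R18.9", "22.7R2.6"),
    "Ivanti Policy Secure": ("22.7R1.3", "22.7R1.4"),
    "ZTA Gateways": ("22.8R2", "22.8R2.2"),
}

# Ivanti versions look like MAJOR.MINOR R RELEASE [.PATCH]; the patch part is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse '22.7R2.5' or '22.8R2' into (major, minor, release, patch).

    A missing patch component is treated as 0, so '22.8R2' sorts below
    '22.8R2.2', which is what the advisory table implies.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def needs_upgrade(product: str, installed: str) -> bool:
    """True when the installed version is older than the fixed version for this product."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    _, fixed = FIXED_VERSIONS[product]
    return parse_version(installed) < parse_version(fixed)


# Constructed sample inventory (hostname, product, installed version); not real data.
SAMPLE_INVENTORY = """\
vpn-edge-01,Ivanti Connect Secure,22.7R2.4
vpn-edge-02,Ivanti Connect Secure,22.7R2.6
nac-01,Ivanti Policy Secure,22.7R1.3
zta-gw-01,ZTA Gateways,22.8R2
legacy-pcs,Pulse Connect Secure,9.1R18.9
"""


def triage(inventory_csv: str) -> List[Tuple[str, str, str, bool]]:
    """Return (hostname, product, version, needs_upgrade) for each inventory row."""
    results = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, version = (field.strip() for field in line.split(","))
        results.append((host, product, version, needs_upgrade(product, version)))
    return results


if __name__ == "__main__":
    for host, product, version, flagged in triage(SAMPLE_INVENTORY):
        status = "UPGRADE REQUIRED" if flagged else "ok"
        print(f"{host:<12} {product:<24} {version:<10} {status}")
```

The comparison is deliberately strict about the version format: an unparseable string raises rather than silently passing, because a device whose version cannot be read should be investigated, not marked as patched.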