A critical remote code execution (RCE) vulnerability, CVE-2025-22457, was found in April 2025 in Ivanti's Connect Secure (ICS), Policy Secure, Pulse Connect Secure (PCS), and ZTA Gateways. It allows unauthenticated attackers to run arbitrary code on affected devices through a stack-based buffer overflow in the handling of the X-Forwarded-For HTTP request header. According to threat intelligence reports, UNC5221, a China-affiliated APT group, is actively exploiting this vulnerability against the telecom, government, and defense sectors.
In this blog, we'll break down:
- What CVE-2025-22457 is
- How attackers exploit CVE-2025-22457
- Detection of vulnerable devices
- Mitigation strategies
- Conclusion
What Is CVE-2025-22457?
CVE-2025-22457 is a stack-based buffer overflow in Ivanti secure access appliances caused by a lack of input-length validation when handling the X-Forwarded-For HTTP header. An attacker can craft an HTTP request with an overly long X-Forwarded-For value, which leads to memory corruption and possible remote code execution (RCE).
Key Details
- Severity: Critical (CVSS 9.8)
- Affected Products:
  - Ivanti Connect Secure (ICS) ≤ 22.7R2.5
  - Pulse Connect Secure (PCS) ≤ 9.1R18.9 (End-of-Life Dec 2024)
  - Ivanti Policy Secure ≤ 22.7R1.3
  - ZTA Gateways ≤ 22.8R2
- Exploitation Status: Active in the wild (UNC5221 Threat Actor)
How Attackers Exploit CVE-2025-22457
Step 1: Identifying Vulnerable Systems
Attackers scan for vulnerable Ivanti appliances using search engines like Shodan, Censys, or mass scanning tools with queries like:
http.title:"Ivanti Connect Secure" product:"Ivanti Pulse Secure"

Searching Shodan for vulnerable instances of Ivanti Connect Secure
Step 2: Crafting the Malicious HTTP Request
The exploit involves sending a specially crafted HTTP request with an overly long X-Forwarded-For header:
GET / HTTP/1.1
Host: <target_ip>
X-Forwarded-For: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA… (5000+ bytes)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Step 3: Triggering the Buffer Overflow
- The vulnerable Ivanti appliance does not validate the header length, so the oversized value overflows a stack buffer.
- Attackers overwrite critical memory locations and redirect execution to shellcode embedded in the HTTP request.
- Arbitrary code execution is achieved and used to deploy malware.
Detection of Vulnerable Instances
Security researchers and administrators can use publicly available Python scripts to identify instances of Ivanti’s Connect Secure (ICS), Policy Secure, Pulse Connect Secure (PCS), and ZTA Gateway that are vulnerable to CVE-2025-22457. A script for detecting this vulnerability can be found here.
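As an added illustration of how such a script decides whether a given version is affected (example code written for this post, not the linked script or Ivanti's own tooling), the following Python takes version strings from an asset inventory and compares them against the upper bounds listed under Key Details above. The short product labels, the assumed version grammar (major.minor R release [.patch]) and the sample hosts are assumptions, not values from the advisory.

```python
import re

# Upper bound of the affected range per product, as listed on this page
# ("<=" this version is vulnerable). The short product labels are assumed.
AFFECTED_MAX = {
    "ics": "22.7R2.5",  # Ivanti Connect Secure
    "pcs": "9.1R18.9",  # Pulse Connect Secure (End-of-Life)
    "ips": "22.7R1.3",  # Ivanti Policy Secure
    "zta": "22.8R2",    # ZTA Gateways
}
# Assumed grammar for Ivanti-style versions: major.minor R release [.patch]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(version):
    """Turn "22.7R2.5" or "22.8R2" into a comparable tuple of ints.
    A missing trailing component is treated as .0, so 22.8R2 < 22.8R2.1."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

def is_vulnerable(product, version):
    """True when the version is inside the affected range for that product."""
    limit = AFFECTED_MAX.get(product.lower())
    if limit is None:
        raise KeyError(f"unknown product label: {product!r}")
    return parse_version(version) <= parse_version(limit)

def triage(inventory):
    """Classify (host, product, version) records from an asset inventory.
    Unparseable versions and unknown products are flagged, never treated as safe."""
    result = {}
    for host, product, version in inventory:
        try:
            result[host] = "vulnerable" if is_vulnerable(product, version) else "not affected"
        except (ValueError, KeyError):
            result[host] = "needs manual review"
    return result

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("vpn-1.example.internal", "ics", "22.7R2.5"),
        ("vpn-2.example.internal", "ics", "22.7R2.6"),
        ("zta-gw.example.internal", "zta", "22.8R2"),
        ("nac.example.internal", "ips", "build-unknown"),
    ]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

A version string the regex does not recognise is reported for manual review rather than dropped, so a renamed or beta build cannot silently pass as patched.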
Mitigation Strategies
1. Patch Immediately

Upgrade to the resolved versions presented in the image above.
2. Restrict Access to Management Interfaces
- Ivanti admin panels should be allow-listed to a fixed set of IP ranges used for maintenance and updates.
- Implement VPN + MFA for remote administration.
3. Network Segmentation
- Isolate Ivanti appliances from key internal networks.
- Watch east-west traffic to detect lateral movement.
Conclusion
CVE-2025-22457 highlights the risks of insecure input validation within enterprise network appliances. By exploiting this vulnerability, attackers can bypass authentication, execute code, and deploy malware to maintain persistent access. Organizations must act promptly to patch exposed systems, impose rigorous access controls, and monitor for exploitation attempts.