Ivanti Connect Secure RCE Vulnerability Actively Exploited in the Wild \u2013 Apply Patch Now!
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Ivanti has disclosed a critical vulnerability, CVE-2025-22457, affecting its Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways products that are actively exploited in the wild.<\/p>\n
This stack-based buffer overflow flaw, with a CVSS score of 9.0, has been actively exploited since mid-March 2025, posing significant risks to organizations using these VPN and network access solutions.<\/p>\n
CVE-2025-22457 is a stack-based buffer overflow (CWE-121) that allows a remote, unauthenticated attacker to achieve remote code execution (RCE). <\/p>\n
The flaw arises from improper input validation, enabling attackers to overflow the buffer and execute arbitrary code. <\/p>\n
\u201cThis advisory has been updated to make it clear the vulnerability was fully patched in Ivanti Connect Secure\u201d Ivanti Said.<\/p>\n
Ivanti disclosed the vulnerability on April 3, 2025, but Mandiant reports exploitation by UNC5221, a suspected Chinese state-sponsored group, since mid-March. UNC5221, known for targeting edge devices, has previously exploited Ivanti zero-days like CVE-2023-46805.<\/p>\n
Attackers use CVE-2025-22457 to deploy malware<\/a> such as Trailblaze (an in-memory dropper), Brushfire (a passive backdoor), and the Spawn suite for credential theft and lateral movement. Post-exploitation, they tamper with logs using tools like SPAWNSLOTH to evade detection.<\/p>\n The vulnerability was patched in Ivanti Connect Secure version 22.7R2.6 on February 11, 2025, initially considered a low-risk denial-of-service issue due to its limited character set (periods and numbers). <\/p>\n However, UNC5221 likely reverse-engineered the patch, developing an RCE exploit for unpatched systems, escalating its severity.<\/p>\n Ivanti confirmed<\/strong><\/a> that a limited number of customers running Ivanti Connect Secure (22.7R2.5 or earlier) and Pulse Connect Secure 9.1x appliances were compromised. Details include:<\/p>\n Ivanti recommends monitoring the Integrity Checker Tool (ICT) for signs of compromise, such as web server crashes. If detected, a factory reset and upgrade to 22.7R2.6 are advised. Mandiant\u2019s blog provides additional indicators of compromise. A post on X by<\/p>\n @nekono_naha on April 4, 2025, noted that of 12,471 exposed Ivanti\/Pulse Connect Secure servers, 66% (8,246) are vulnerable, with 50% (6,049) on pre-9.x versions, highlighting the urgency of patching.<\/p>\n This incident marks Ivanti\u2019s 15th appearance in CISA\u2019s Known Exploited Vulnerabilities catalog since 2024, signaling systemic security challenges with its edge devices. <\/p>\n UNC5221\u2019s involvement underscores the geopolitical stakes, as China-linked actors increasingly target infrastructure for espionage. The delayed disclosure despite the February patch reveals gaps in vulnerability management. <\/p>\n Initially underestimated as a low-risk issue, the flaw\u2019s exploitability allowed attackers a month-long window before public disclosure, emphasizing the need for faster threat intelligence sharing.<\/p>\n Organizations should act swiftly:<\/p>\n The exploitation of CVE-2025-22457 highlights the persistent threats to network edge devices. As state-sponsored actors like UNC5221 target such vulnerabilities, organizations must prioritize timely patching and secure deployment. <\/p>\n Ivanti\u2019s response addresses supported versions, but legacy systems remain a challenge, underscoring the need for robust cybersecurity practices in an evolving threat landscape.<\/p>\n The post Ivanti Connect Secure RCE Vulnerability Actively Exploited in the Wild \u2013 Apply Patch Now!<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nAffected Systems and Patch Availability<\/strong><\/h2>\n
\n
Detection and Mitigation<\/strong><\/h2>\n
Recommendations for Organizations<\/strong><\/h2>\n
\n
Find this News Interesting! Follow us on\u00a0<\/strong>Google News<\/strong><\/a>,\u00a0<\/strong>LinkedIn<\/strong><\/a>, and\u00a0<\/strong>X<\/strong><\/a>\u00a0to Get Instant Updates<\/strong><\/code><\/strong><\/code><\/strong><\/p>\n