CISA Adds Actively Exploits Ivanti Connect Secure Vulnerability in Known Exploited Catalog
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-22457, a critical vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways, to its Known Exploited Vulnerabilities (KEV) Catalog. <\/p>\n
This stack-based buffer overflow, actively exploited since mid-March 2025, allows remote unauthenticated attackers to achieve remote code execution (RCE), threatening organizations using these VPN and access solutions.<\/p>\n
CVE-2025-22457 is a stack-based buffer overflow (CWE-121) with a CVSS score of 9.0, enabling attackers to execute arbitrary code without authentication. <\/p>\n
It impacts Ivanti Connect Secure (versions 22.7R2.5 and earlier), Pulse Connect Secure (versions 9.1R18.9 and prior, End-of-Support since December 31, 2024), Ivanti Policy Secure (versions 22.7R1.3 and prior), and ZTA Gateways (versions 22.8R2 and prior). <\/p>\n
Ivanti patched Connect Secure<\/a> in version 22.7R2.6 on February 11, 2025, with patches for Policy Secure and ZTA Gateways due on April 21 and April 19, respectively.<\/p>\n CISA added<\/a> CVE-2025-22457 to the KEV Catalog on April 4, 2025, following reports of exploitation. UNC5221, known for targeting edge devices, has deployed malware like Trailblaz<\/a>e and Brushfire for persistent access and data theft. <\/p>\n Exploitation began in mid-March, likely after UNC5221 reverse-engineered the February patch, underscoring the need for immediate updates.<\/p>\n CISA\u2019s KEV Catalog, a vital resource for cybersecurity, lists vulnerabilities exploited in the wild to aid prioritization. Available in CSV, JSON, and print formats, it includes 1,314 entries. <\/p>\n CVE-2025-22457\u2019s addition highlights its urgency, with a mitigation due date of April 11, 2025. CISA recommends using the catalog alongside BOD 22-01 guidance for cloud services to enhance vulnerability management.<\/p>\n Start with threat hunting by using Ivanti\u2019s Integrity Checker Tool (ICT) to detect compromise, such as web server crashes, and perform threat hunts on connected systems.<\/p>\n If no compromise is detected, conduct a factory reset with a clean image for cloud\/virtual systems, apply patches per Ivanti\u2019s advisory (Connect Secure 22.7R2.6; Policy Secure and ZTA Gateways patches due April 21 and 19), monitor authentication services, audit privileged accounts, and consider disconnecting vulnerable devices until patched.<\/p>\n If a compromise is confirmed, isolate affected devices, take forensic images or coordinate with Ivanti, perform a factory reset with a clean image, revoke and reissue certificates, keys, and passwords (including admin and API credentials), reset domain account passwords twice, revoke Kerberos tickets, disable cloud-joined devices, apply patches, and report to CISA at Report@cisa.gov or (888) 282-0870, and to Ivanti.<\/p>\n This is Ivanti\u2019s 15th KEV entry since 2024, reflecting ongoing security issues with its edge devices. UNC5221\u2019s involvement signals espionage risks from China-linked actors targeting infrastructure. An X post by<\/p>\n CVE-2025-22457\u2019s inclusion in CISA\u2019s KEV Catalog emphasizes its immediate threat. With patches available <\/a>for Connect Secure and forthcoming for other products, organizations must act quickly to mitigate risks from sophisticated actors like UNC5221. <\/p>\n CISA\u2019s guidance and Ivanti\u2019s updates offer a clear path to secure systems and prevent further exploitation in a challenging cyber landscape.<\/p>\n The post CISA Adds Actively Exploits Ivanti Connect Secure Vulnerability in Known Exploited Catalog<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nActive Exploitation<\/strong><\/h2>\n
Recommended Actions<\/strong><\/h2>\n
Find this News Interesting! Follow us on\u00a0<\/strong>Google News<\/strong><\/a>,\u00a0<\/strong>LinkedIn<\/strong><\/a>, and\u00a0<\/strong>X<\/strong><\/a>\u00a0to Get Instant Updates<\/strong><\/code><\/strong><\/code><\/strong><\/p>\n