CVE-2025-22457 — Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability

CVE-2025-22457

Ivanti Connect Secure — Stack Buffer Overflow RCE Exploited by UNC5221 with SPAWN Malware (7-Day CISA Deadline)

What is Ivanti Connect Secure?

Ivanti Connect Secure (formerly Pulse Connect Secure) is one of the world's most widely deployed enterprise SSL VPN appliances, used by organizations globally to provide secure remote access for employees. It is the direct successor to the Pulse Secure VPN targeted by multiple devastating zero-days (CVE-2021-22893, CVE-2019-11510). Ivanti Policy Secure provides network access control, and ZTA (Zero Trust Access) Gateways extend a zero-trust architecture. Because Connect Secure is an internet-facing gateway that terminates VPN sessions for the entire organization, it is a high-value, persistent target for nation-state actors seeking initial network access and credential harvesting.

Overview

CVE-2025-22457 is a critical stack-based buffer overflow (CWE-121, CVSS 9.0) in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. The vulnerability was initially patched in ICS 22.7R2.6 (February 2025) as what Ivanti thought was a denial-of-service issue. However, UNC5221 — a China-nexus APT with a history of targeting Ivanti products — reverse-engineered the patch, identified the exploitable buffer overflow, and weaponized it for remote code execution against unpatched systems. By the time Ivanti disclosed the RCE severity in April 2025, UNC5221 had already been exploiting it for weeks. SPAWN malware (SPAWNANT, SPAWNMOLE, SPAWNSNAIL) was deployed for persistent access. CISA issued a 7-day remediation deadline.

Affected Versions

Product                  Vulnerable                Fixed
Ivanti Connect Secure    22.7R2.5 and earlier      22.7R2.6 (patch from Feb 11, 2025)
Ivanti Policy Secure     Prior to fixed release    Per Ivanti advisory
Ivanti ZTA Gateways      Prior to fixed release    Per Ivanti advisory
ICS 9.x versions         All versions (EoL)        Discontinue use

Technical Details

The vulnerability (CWE-121: Stack-Based Buffer Overflow) is in the HTTP request processing component of ICS. A crafted HTTP request with a specially sized value in a specific field triggers a stack buffer overflow, overwriting the saved return address on the stack and redirecting execution to attacker-controlled code. The High attack-complexity (AC:H) CVSS rating reflects constraints on exploiting the overflow (conditions the initial advisory described as making exploitation "difficult"), but UNC5221's experienced reverse-engineering team overcame those constraints.

The Scope:Changed (S:C) rating reflects that the VPN appliance's trusted position in the network perimeter means successful exploitation reaches beyond the appliance itself into the corporate network.

The SPAWN malware family deployed post-exploitation:

  • SPAWNANT: installer that modifies ICS system files for persistent backdoor
  • SPAWNMOLE: SOCKS5 tunneler for covert C2 and lateral movement
  • SPAWNSNAIL: SSH backdoor for persistent remote access

Discovery

Mandiant identified active in-the-wild exploitation by UNC5221 and reverse-engineered the attack to identify CVE-2025-22457 as the underlying vulnerability. Mandiant notified Ivanti that what was believed to be a DoS bug was actually an exploitable RCE.

Exploitation Context

UNC5221 (China-nexus APT), the same group that exploited Ivanti/Pulse Secure zero-days in 2021 (CVE-2021-22893), exploited CVE-2025-22457 against ICS 22.7R2.5 and earlier deployments beginning approximately 14 March 2025, roughly three weeks before Ivanti's public RCE disclosure. UNC5221 reverse-engineered the February 2025 patch diff to identify the exploitable overflow, then weaponized it. Mandiant confirmed exploitation across multiple victim organizations. CISA added CVE-2025-22457 to the KEV catalog on 4 April 2025 with a 7-day federal deadline (11 April 2025) and published dedicated mitigation instructions. The ransomwareUse: true flag in the KEV listing indicates confirmed ransomware use by affiliated actors.

Remediation

  1. Apply the ICS 22.7R2.6 update immediately — the fix was available since February 11, 2025. Organizations running 22.7R2.5 or earlier must patch now.
  2. Follow CISA's dedicated mitigation instructions at https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-22457 — these include specific guidance for factory resetting and credential rotation for ICS appliances suspected of compromise.
  3. Run Ivanti's Integrity Checker Tool (ICT) — Ivanti provides an ICT to detect signs of SPAWN malware or filesystem modification. A clean ICT result does not guarantee no compromise; CISA advises following the full CISA mitigation workflow regardless.
  4. Assume breach if running 22.7R2.5 or earlier since mid-March: perform forensic analysis per CISA guidance including credential rotation, review of VPN session logs, and hunting for SPAWNANT/SPAWNMOLE/SPAWNSNAIL indicators.
  5. Rotate all credentials accessible via VPN sessions: domain accounts, service accounts, cloud credentials — UNC5221 is known to harvest credentials from compromised VPN appliances.
  6. Discontinue EoL versions (ICS 9.x) — no patch is available; these must be replaced.
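As an added example (not code from Ivanti, CISA or this page), a small Python triage helper that encodes the version and date facts above: it parses ICS build strings, classifies an appliance as fixed, vulnerable or EoL, and applies the assume-breach rule to anything that was unpatched on or after 14 March 2025. The build-string format, the ISO-date inputs and the status labels are assumptions; a clean ICT result deliberately does not enter the decision.

```python
import re
from datetime import date

# Facts taken from the advisory above: fixed build, first confirmed
# exploitation date and the CISA BOD 22-01 deadline.
FIXED_VERSION = (22, 7, 2, 6)          # ICS 22.7R2.6
FIRST_EXPLOITATION = date(2025, 3, 14)
KEV_DEADLINE = date(2025, 4, 11)
EOL_MAJOR = 9                          # ICS 9.x: end of life, no patch

# Ivanti build strings look like "22.7R2.5" or "22.7R2" (assumed format;
# adjust the regex if your inventory exports versions differently).
_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_ics_version(text):
    """Turn '22.7R2.5' into the comparable tuple (22, 7, 2, 5)."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ICS version string: {text!r}")
    major, minor, release, sub = m.groups()
    return (int(major), int(minor), int(release), int(sub or 0))


def assess(version, patched_on=None, today="2025-04-04"):
    """Classify one appliance for CVE-2025-22457.

    version    -- build currently running
    patched_on -- ISO date the fixed build was installed, if known
    today      -- ISO assessment date (defaults to the KEV listing date)
    Returns status, whether to assume breach, and days left to the deadline.
    """
    v = parse_ics_version(version)
    today = date.fromisoformat(today)
    patched = date.fromisoformat(patched_on) if patched_on else None
    if v[0] == EOL_MAJOR:
        status = "eol-replace"                     # no patch exists; replace it
        assume_breach = today >= FIRST_EXPLOITATION
    elif v < FIXED_VERSION:
        status = "vulnerable"                      # 22.7R2.5 or earlier
        assume_breach = today >= FIRST_EXPLOITATION
    else:
        status = "fixed"
        # Fixed now, but an upgrade applied on/after 14 March means the box
        # sat exposed during the exploitation window. Unknown date -> None:
        # exposure cannot be ruled out, so run the CISA forensic workflow.
        assume_breach = None if patched is None else patched >= FIRST_EXPLOITATION
    return {
        "version": version,
        "status": status,
        "assume_breach": assume_breach,
        "days_to_kev_deadline": (KEV_DEADLINE - today).days,
    }
```

Feed it each appliance's build string and patch date from your inventory; every result whose assume_breach is True or None belongs in the CISA mitigation workflow (credential rotation, session-log review, SPAWN hunting).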

Key Details

CVE ID: CVE-2025-22457
Vendor / Product: Ivanti — Connect Secure, Policy Secure, and ZTA Gateways
NVD Published: 2025-04-03
NVD Last Modified: 2025-10-24
CVSS 3.1 Score: 9.0
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-121
CISA KEV Added: 2025-04-04
CISA KEV Deadline: 2025-04-11
Known Ransomware Use: Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-04-11. Apply mitigations as set forth in the CISA instructions (https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-22457).

Timeline

Date        Event
2025-02-11  Ivanti releases ICS 22.7R2.6 — initially patched as a DoS-only bug, not recognized as RCE
2025-03-01  UNC5221 reverse-engineers the ICS 22.7R2.5 → 22.7R2.6 diff and identifies the exploitable buffer overflow for RCE
2025-03-14  First confirmed UNC5221 exploitation of systems running ICS 22.7R2.5 and earlier
2025-04-03  Ivanti discloses RCE severity after Mandiant analysis; CVE published; ICS 22.7R2.6 retroactively confirmed as the fix
2025-04-04  CISA adds the CVE to KEV with a 7-day deadline and publishes dedicated mitigation instructions
2025-04-11  CISA BOD 22-01 remediation deadline (7 days — among the shortest ever for an Ivanti vulnerability)