PT-2025-14768 · Ivanti · Ivanti Connect Secure +2

Published: 2025-04-03 · Updated: 2025-07-15 · CVE-2025-22457

CVSS v3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**Name of the Vulnerable Software and Affected Versions:**

Ivanti Connect Secure versions 22.7R2.5 and earlier

Ivanti Policy Secure versions 22.7R1.4 and earlier

Ivanti ZTA Gateways versions 22.8R2.2 and earlier

**Description:**

A stack-based buffer overflow vulnerability exists in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. This vulnerability allows a remote, unauthenticated attacker to achieve remote code execution. The vulnerability was initially misdiagnosed as a low-risk issue but has been actively exploited by UNC5221, a suspected China-nexus threat actor, since mid-March 2025. Exploitation involves the use of malware families including TRAILBLAZE, BRUSHFIRE, and SPAWN. Over 5,000 Ivanti Connect Secure appliances are estimated to be vulnerable.

The vulnerability is triggered by manipulating the `X-Forwarded-For` header, leading to a buffer overflow in the HTTP(S) web server component.

**Recommendations:**

Ivanti Connect Secure versions prior to 22.7R2.6

Ivanti Policy Secure versions prior to 22.7R1.4

Ivanti ZTA Gateways versions prior to 22.8R2.2

Tags: Exploit, Fix, RCE, DoS, Memory Corruption, Stack Overflow

Related Identifiers

BDU:2025-03788
CVE-2025-22457

Affected Products

Ivanti Connect Secure
Ivanti Policy Secure
Ivanti ZTA Gateways