PT-2025-14768 · Ivanti · Ivanti Policy Secure+2

Published

2025-04-03

·

Updated

2026-04-21

·

CVE-2025-22457

CVSS v3.1

9.8

Critical

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Ivanti Connect Secure versions prior to 22.7R2.6
Ivanti Policy Secure versions prior to 22.7R1.4
Ivanti ZTA Gateways versions prior to 22.8R2.2
Pulse Connect Secure versions 9.x (end of life, no fix available)
Description

A stack-based buffer overflow in the HTTP(S) web server component lets a remote, unauthenticated attacker execute arbitrary code on the appliance. The flaw is in the code that parses the X-Forwarded-For request header: the header value is copied into a fixed-size stack buffer without an adequate length check, so an over-long value overwrites the stack beyond the buffer, including control data such as the saved return address. The overflow is constrained to the characters the parser accepts (digits and periods), which is why Ivanti initially assessed the bug as at most a denial of service rather than remote code execution; the constraint did not prevent a working exploit. The flaw has been actively exploited since mid-March 2025 by UNC5221, a suspected China-nexus espionage group, to deploy malware families including TRAILBLAZE (an in-memory dropper), BRUSHFIRE (a passive backdoor) and the SPAWN suite. It is estimated that over 5,000 Internet-exposed Ivanti Connect Secure appliances are at risk worldwide.
Recommendations

Update Ivanti Connect Secure to version 22.7R2.6 or later.
Update Ivanti Policy Secure to version 22.7R1.4 or later.
Update Ivanti ZTA Gateways to version 22.8R2.2 or later.
Replace unsupported Pulse Connect Secure 9.x devices; they are end of life and will not receive a fix.
Run the Ivanti Integrity Checker Tool (ICT) to check for compromise before and after upgrading; if it reports signs of compromise, factory-reset the appliance before returning it to production on a fixed version, since upgrading alone does not remove an implant.
Monitor devices for web server crashes: an over-long X-Forwarded-For value that does not yield code execution crashes the web process, so repeated crashes are a likely sign of exploitation attempts. A successful exploit does not crash the server, so the absence of crashes is not evidence of safety.
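The following C file is an added illustration of the bug class described above and of the monitoring advice; it is not Ivanti's code and does not describe the real function in the appliance's web server. The buffer size XFF_BUF, the function names, the 64-byte log threshold and the sample header values are all assumptions constructed for the demonstration. It contrasts an unchecked copy of the header value into a fixed-size stack buffer with a bounded parser that refuses over-long values, and adds a log-side heuristic that flags X-Forwarded-For values a legitimate proxy chain would never produce.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the fixed stack buffer that receives the header
 * value. The real buffer size in the Ivanti web server is not stated on
 * this page; 48 is an assumption chosen for the demonstration. */
#define XFF_BUF 48

/* Vulnerable pattern: unbounded copy of attacker-controlled header data
 * into a fixed-size stack buffer. Any value of XFF_BUF or more bytes runs
 * past client_ip into the saved registers and return address that follow
 * it on the stack. Kept for contrast only; this file never calls it with
 * untrusted or over-long input. */
static void parse_xff_unsafe(const char *value)
{
    char client_ip[XFF_BUF];
    strcpy(client_ip, value);          /* no length check: overflow */
    printf("unsafe: first hop %s\n", client_ip);
}

/* Hardened pattern: measure first, refuse anything that does not fit
 * (including the terminating NUL), then copy with an explicit bound.
 * Returning an error lets the caller drop and log the request instead
 * of truncating silently. */
static int parse_xff_safe(const char *value, char *out, size_t outlen)
{
    size_t n = strlen(value);
    if (outlen == 0 || n >= outlen)
        return -1;                     /* would not fit */
    memcpy(out, value, n + 1);
    return 0;
}

/* Request-handling path using the hardened parser:
 * 0 when the header was accepted, -1 when it was rejected. */
static int xff_accept(const char *value)
{
    char client_ip[XFF_BUF];
    if (parse_xff_safe(value, client_ip, sizeof client_ip) != 0)
        return -1;
    return 0;
}

/* Log-side heuristic for the monitoring recommendation: a legitimate
 * X-Forwarded-For is a short, comma-separated chain of IP literals.
 * Flag values longer than max_len, or containing any byte outside the
 * characters an IPv4/IPv6 list can contain. max_len is an assumption
 * to be tuned per environment; values made only of digits and periods
 * still pass the character check, so the length bound is what catches
 * an overflow attempt of the kind described above. */
static int xff_is_suspicious(const char *value, size_t max_len)
{
    static const char allowed[] = "0123456789abcdefABCDEF:., ";
    size_t n = strlen(value);
    if (n > max_len)
        return 1;
    if (strspn(value, allowed) != n)   /* first disallowed byte before end */
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *normal = "203.0.113.5, 198.51.100.7";
    char oversized[128];
    memset(oversized, '1', sizeof oversized - 1);   /* 127 digits */
    oversized[sizeof oversized - 1] = '\0';

    parse_xff_unsafe("203.0.113.5");   /* short constant: fits, no overflow */
    printf("normal    -> accept=%d suspicious=%d\n",
           xff_accept(normal), xff_is_suspicious(normal, 64));
    printf("oversized -> accept=%d suspicious=%d\n",
           xff_accept(oversized), xff_is_suspicious(oversized, 64));
    /* parse_xff_unsafe(oversized) would corrupt the stack; not run. */
    return 0;
}
```

The heuristic is deliberately simple: it flags length and character set only, so a value that is over-long but made of digits and periods is caught by the length bound alone, which is the case that matters for this bug class. Tune max_len to the longest proxy chain your own environment produces before alerting on it.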

Exploit

Fix

DoS

RCE

Stack Overflow

Memory Corruption

Weakness Enumeration

Related Identifiers

BDU:2025-03788
CVE-2025-22457

Affected Products

Ivanti Connect Secure
Ivanti Policy Secure
Ivanti ZTA Gateways