Dive Brief:
- The Shadowserver Foundation found 5,113 Ivanti VPN instances that are vulnerable to CVE-2025-22457, a critical stack-based buffer overflow flaw that affects Ivanti Connect Secure.
- The vulnerability has already been exploited in the wild. Mandiant observed a suspected Chinese nation-state threat group exploiting CVE-2025-22457 in a cyber espionage activity that began in mid-March. The Cybersecurity and Infrastructure Security Agency added the flaw to its known exploited vulnerabilities catalog on Friday.
- CVE-2025-22457 affects other products such as Pulse Connect Secure, Ivanti Policy Secure and ZTA gateways. However, both Ivanti and Mandiant said the vulnerability has only been exploited against the Ivanti Connect Secure VPN devices.
Dive Insight:
According to scans run on April 6, Shadowserver found 5,113 vulnerable Ivanti Connect Secure instances, with the majority located in the U.S., Japan and China. Shadowserver scan results for Monday show a slight drop in vulnerable devices to 5,027.
However, Shadowserver noted that CVE-2025-22457 affects more than just Ivanti Connect Secure devices. "Note that according to Ivanti, the vulnerability was patched in a Feb 11, 2025 release. However, a large set of what is affected are older Pulse Connect Secure 9.x (end-of-support as of December 31, 2024) without a patch," Shadowserver said in a post on X Monday.
According to Ivanti's advisory for CVE-2025-22457, Pulse Connect Secure 9.1x versions no longer receive any code changes. "Ivanti cannot provide guidance to customers to stay on an unsupported version. Customers' only option is to migrate to a secure platform to ensure their security," the advisory said.
However, Ivanti said the risk of exploitation against other products is lower. For Ivanti Policy Secure, the company said the risk is "greatly reduced as it is not intended to be internet facing." A patch will be released for Ivanti Policy Secure on April 21, the advisory said.
For Ivanti ZTA Gateways, the advisory said the CVE cannot be exploited while instances are in production. "If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway," Ivanti said, adding that a patch is scheduled to be released on April 19.
Prior to public disclosure, Ivanti released a patch in February addressing CVE-2025-22457 in Ivanti Connect Secure with version 22.7R2.6. But at that time, Ivanti mistakenly believed that the flaw was low-risk and could only be used in denial-of-service attacks. However, Mandiant later discovered exploitation activity on CVE-2025-22457 that involved China-nexus actors achieving remote code execution on vulnerable VPNs.
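As an added example (not code from the article or from Ivanti), the following Python helper parses Ivanti's version strings and triages an appliance inventory against what the advisory states above: Connect Secure is fixed at 22.7R2.6, Pulse Connect Secure 9.x is end-of-support with no patch, and Policy Secure and ZTA gateways have patches scheduled. The inventory hosts are constructed, and the product labels and the "patch-pending" status are assumptions made for the example.

```python
import re

# Fixed version for Ivanti Connect Secure, per the advisory cited above.
ICS_FIXED = "22.7R2.6"

# Ivanti versions look like 22.7R2.6 or 9.1R18.9 (major.minor R release[.patch]).
_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_ivanti_version(ver: str) -> tuple:
    """Turn '22.7R2.6' into (22, 7, 2, 6); a missing patch digit counts as 0."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {ver!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def triage(product: str, version: str) -> str:
    """Classify one appliance against the advisory's statements for CVE-2025-22457."""
    if product == "Pulse Connect Secure":
        # The 9.x line is end-of-support and receives no patch; only migration remains.
        return "unsupported-no-patch"
    if product == "Ivanti Connect Secure":
        fixed = parse_ivanti_version(ICS_FIXED)
        return "patched" if parse_ivanti_version(version) >= fixed else "vulnerable"
    if product in ("Ivanti Policy Secure", "Ivanti ZTA Gateway"):
        # Patches were scheduled for April 19 / 21; until applied, track as pending.
        return "patch-pending"
    return "unknown-product"


# Constructed sample inventory (hypothetical hosts, not real scan data).
INVENTORY = [
    ("vpn-1.example", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-2.example", "Ivanti Connect Secure", "22.7R2.6"),
    ("vpn-3.example", "Ivanti Connect Secure", "22.7R3"),
    ("legacy.example", "Pulse Connect Secure", "9.1R18.9"),
    ("nac.example", "Ivanti Policy Secure", "22.7R1"),
]


def triage_inventory(inventory) -> dict:
    """Map each host to its triage status so the result can be fed to a ticketing step."""
    return {host: triage(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:16} {status}")
```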