CVE-2025-22457: Ivanti Remote Code Execution Vulnerability Explained
On April 3rd, 2025, Ivanti disclosed a critical vulnerability affecting their Connect Secure, Policy Secure, and ZTA Gateways products [1]. CVE-2025-22457 is a buffer overflow vulnerability that allows unauthenticated attackers to achieve remote code execution. The vulnerability is actively exploited by the Chinese APT group UNC5221.
In this blog, we explain how the Ivanti CVE-2025-22457 vulnerability works and how organizations can defend against CVE-2025-22457 attacks.
Ivanti CVE-2025-22457 Vulnerability Explained
Ivanti Connect Secure (ICS), Policy Secure, and ZTA Gateway are enterprise security products designed to provide secure remote access, enforce access policies, and support zero-trust architectures. These products are often deployed at the perimeter of enterprise networks and mediate access to internal systems. Their main user base is medium to large enterprises, government agencies, and critical infrastructure organizations that require secure, scalable, and policy-driven remote access solutions.
On April 3rd, 2025, Ivanti published a security advisory about a critical security vulnerability that has been confirmed as actively exploited in the wild. CVE-2025-22457 has a CVSS score of 9.8 (Critical) and allows remote unauthenticated attackers to achieve remote code execution. This vulnerability affects the Ivanti products listed below, and organizations are advised to patch their vulnerable appliances without delay.
| Product Name | Affected Versions | Fixed Versions |
| --- | --- | --- |
| Ivanti Connect Secure | 22.7R2.5 and prior | 22.7R2.6 |
| Pulse Connect Secure (EoS) | 9.1R18.9 and prior | 22.7R2.6 |
| Ivanti Policy Secure | 22.7R1.3 and prior | 22.7R1.4 |
| ZTA Gateways | 22.8R2 and prior | 22.8R2.2 |
How Does the Ivanti CVE-2025-22457 Exploit Work?
CVE-2025-22457 is a stack-based buffer overflow. The affected Ivanti products do not properly validate the length of the value supplied in the X-Forwarded-For HTTP header. Attackers can send a specially crafted HTTP request with an overly long X-Forwarded-For header to trigger the buffer overflow. However, turning the overflow into reliable remote code execution requires a high degree of sophistication.
The example HTTP POST request below can be used to validate the exploitability of the CVE-2025-22457 vulnerability [2].
POST HTTP/1.1
Host: <IP_of_vulnerable_Ivanti_product>
X-Forwarded-For: 11111………11111 (too many 1s)
Ivanti CVE-2025-22457 Vulnerability Exploit Example
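To make the bug class concrete, the C program below is an added example, not Ivanti's code and not the watchTowr proof of concept. It shows a toy header parser that copies the X-Forwarded-For value into a fixed-size stack buffer without a length check, beside a bounded version that rejects oversized values before copying, and applies the bounded check to constructed sample requests. The 64-byte buffer size, the hostname, the request path and the sample requests are assumptions made for the demo, not values from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Demo buffer size (assumption, not the real appliance's buffer size). */
#define XFF_BUF_SIZE 64
#define HEADER_NAME "X-Forwarded-For:"

/* Locate the X-Forwarded-For value in a raw HTTP request. Returns a pointer
 * to the first byte of the value and stores its length (up to end of line)
 * in *len, or returns NULL when the header is absent. */
static const char *find_xff_value(const char *request, size_t *len)
{
    const char *p = strstr(request, HEADER_NAME);
    if (p == NULL)
        return NULL;
    p += strlen(HEADER_NAME);
    while (*p == ' ' || *p == '\t')      /* skip optional whitespace */
        p++;
    const char *end = strpbrk(p, "\r\n");
    *len = end ? (size_t)(end - p) : strlen(p);
    return p;
}

/* VULNERABLE PATTERN (for comparison only): the value is copied into a
 * fixed 64-byte stack buffer and len is never compared against the buffer
 * size. A value longer than the buffer overwrites adjacent stack memory,
 * which is the bug class described above. Callers in this demo only ever
 * pass short values; never call it with len >= XFF_BUF_SIZE. */
static void copy_xff_unchecked(const char *value, size_t len, char *out)
{
    char buf[XFF_BUF_SIZE];
    memcpy(buf, value, len);             /* no bound check on len */
    buf[len] = '\0';
    strcpy(out, buf);
}

/* HARDENED PATTERN: refuse any value that does not fit (leaving room for
 * the terminator) instead of copying it. Returns true and fills out_buf on
 * success, false when the header value is too long. */
static bool copy_xff_bounded(const char *value, size_t len,
                             char out_buf[XFF_BUF_SIZE])
{
    if (len >= XFF_BUF_SIZE)
        return false;                    /* would overflow: reject */
    memcpy(out_buf, value, len);
    out_buf[len] = '\0';
    return true;
}

/* Request-level check, e.g. for a reverse proxy or WAF rule in front of the
 * appliance: accept only if X-Forwarded-For is absent or fits the limit. */
bool request_xff_is_safe(const char *request)
{
    size_t len;
    const char *value = find_xff_value(request, &len);
    if (value == NULL)
        return true;                     /* header absent: nothing to overflow */
    char buf[XFF_BUF_SIZE];
    return copy_xff_bounded(value, len, buf);
}

/* Length of the X-Forwarded-For value, or 0 when the header is absent. */
size_t request_xff_length(const char *request)
{
    size_t len = 0;
    return find_xff_value(request, &len) ? len : 0;
}

/* Constructed sample request (not captured traffic); host and path are
 * placeholders. */
static const char BENIGN_REQUEST[] =
    "POST / HTTP/1.1\r\n"
    "Host: vpn.example.internal\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "\r\n";

/* Build a constructed request whose X-Forwarded-For value is `ones` copies
 * of '1', mirroring the shape of the validation request shown above.
 * Returns 0 on success, -1 if the output buffer is too small. */
int build_request_with_ones(char *out, size_t out_size, size_t ones)
{
    const char head[] = "POST / HTTP/1.1\r\nHost: vpn.example.internal\r\n"
                        "X-Forwarded-For: ";
    const char tail[] = "\r\n\r\n";
    if (strlen(head) + ones + strlen(tail) + 1 > out_size)
        return -1;
    char *p = out;
    memcpy(p, head, strlen(head));
    p += strlen(head);
    memset(p, '1', ones);
    p += ones;
    memcpy(p, tail, strlen(tail) + 1);   /* includes the terminator */
    return 0;
}

int main(void)
{
    char req[4096];
    printf("benign request accepted: %s\n",
           request_xff_is_safe(BENIGN_REQUEST) ? "yes" : "no");
    build_request_with_ones(req, sizeof req, 500);
    printf("500-byte X-Forwarded-For accepted: %s\n",
           request_xff_is_safe(req) ? "yes" : "no");
    return 0;
}
```

The two copy routines differ by a single comparison; that comparison is the whole fix for this bug class. The request-level check is the kind of compensating control that can sit in front of an appliance while it awaits the vendor patch, since a legitimate X-Forwarded-For value is a short list of IP addresses and never needs hundreds of bytes.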
UNC5221 and Post-Exploitation Attempts
The CVE-2025-22457 vulnerability has been actively exploited by the Chinese APT group UNC5221 to deploy malware and backdoors since mid-March 2025. Adversaries were observed launching multi-stage intrusions that deployed advanced malware, such as TRAILBLAZE and BRUSHFIRE, alongside components from their modular SPAWN malware ecosystem.
- TRAILBLAZE is a custom in-memory-only malware dropper that is designed to be as minimalistic and stealthy as possible. It uses raw syscalls to evade traditional detection mechanisms and reduce forensic artifacts.
- BRUSHFIRE is a passive backdoor that intercepts SSL/TLS encrypted data within a compromised Ivanti appliance.
- SPAWNSLOTH is a log tampering tool that disables logging on the Ivanti device by targeting the dslogserver process. It silences both local and remote syslog logging to hide attacker activity.
- SPAWNWAVE is a loader that combines capabilities from other modules and acts as a central component to deploy additional implants or webshells.
How Does Picus Help Simulate Ivanti CVE-2025-22457 Attacks?
We also strongly suggest simulating the Ivanti CVE-2025-22457 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.
The Picus Threat Library includes the following threat for Ivanti CVE-2025-22457 vulnerability exploitation attacks:

| Threat ID | Threat Name | Attack Module |
| --- | --- | --- |
| 20849 | Ivanti Connect Secure Web Attack Campaign | Web Application |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] "Security Update: Pulse Connect Secure, Ivanti Connect Secure, Policy Secure and Neurons for ZTA Gateways," Apr. 03, 2025. Available: https://www.ivanti.com/blog/security-update-pulse-connect-secure-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways
[2] A. Hammond, "Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure (CVE-2025-22457)," watchTowr Labs, Apr. 04, 2025. Available: https://labs.watchtowr.com/is-the-sofistication-in-the-room-with-us-x-forwarded-for-and-ivanti-connect-secure-cve-2025-22457/