CVE-2025-22457

Analysis and mitigation of the vulnerability in Connect Secure, Policy Secure, and ZTA Gateways — CRITICAL (CVSS 9)

High-profile threat

Overview

A stack-based buffer overflow vulnerability exists in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways due to improper input handling. This vulnerability allows remote attackers to execute arbitrary code without authentication over the network. The vulnerability was disclosed on April 3, 2025. CISA has identified CVE-2025-22457 as exploited, and it is known to be used in ransomware campaigns.

Technical details

The vulnerability is a stack-based buffer overflow caused by improper input validation and handling in network-facing components of Ivanti's VPN and zero-trust gateway solutions. The affected code does not properly validate the length of user-supplied input before copying it to a fixed-size stack buffer, allowing an attacker to overflow the buffer and overwrite the stack frame return address with arbitrary values.

The vulnerability is classified as CWE-674 (Uncontrolled Recursion), CWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')) and CWE-121 (Stack-based Buffer Overflow).

The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical severity.

Impact

Successful exploitation allows remote attackers to execute arbitrary code with the privileges of the vulnerable service (typically root or SYSTEM level on gateway appliances). This could result in complete compromise of the VPN/ZTA gateway, theft of sensitive data including VPN credentials and traffic, modification of gateway configuration, deployment of persistent backdoors, lateral movement into protected networks, and denial of service.

Mitigation and workarounds

Upgrade to the patched versions immediately. Detailed upgrade procedures are available in Ivanti's security advisory documentation. For Connect Secure and Policy Secure, apply the 22.7R2.6 and 22.7R1.4 patches respectively. For ZTA Gateways, update to 22.8R2.2 or later. The following versions include the required fixes: Ivanti Connect Secure 22.7R2.6 or later, Ivanti Policy Secure 22.7R1.4 or later, Ivanti ZTA Gateways 22.8R2.2 or later.

As temporary workarounds: implement network segmentation and restrict access to the VPN/ZTA gateway to trusted IP ranges only, using firewall rules or security groups to limit exposure; deploy the vulnerable systems behind a web application firewall (WAF) or intrusion prevention system (IPS) configured with rules to detect and block buffer overflow attack patterns; and disable unnecessary network services and features on the Ivanti appliance if they are not required for business operations.

CISA recommendation: Apply mitigations as set forth in the CISA instructions linked below.

Source: This report was generated by AI.

Related Ivanti vulnerabilities

No related vulnerabilities with identified affected products.