Overview
A stack-based buffer overflow in the web component of Ivanti Connect Secure, Ivanti Policy Secure and Ivanti ZTA Gateways allows an unauthenticated remote attacker to execute arbitrary code on the appliance. Ivanti disclosed the vulnerability on April 3, 2025; the Connect Secure fix had already shipped in 22.7R2.6 in February 2025, when the issue was treated as a non-exploitable product bug. Mandiant reported in-the-wild exploitation from mid-March 2025 by the China-nexus group it tracks as UNC5221. CISA has added CVE-2025-22457 to its Known Exploited Vulnerabilities catalog, and it is reported to have been used in ransomware campaigns.
Technical details
The vulnerability is a stack-based buffer overflow in the appliance's web server, which processes requests before any authentication. The affected code copies a user-supplied value into a fixed-size stack buffer without first checking its length, so a longer value overwrites the data stored above the buffer in the frame, including the saved return address. Public analyses of the patch trace the overflow to the handling of an IP-address-like HTTP header value (X-Forwarded-For), and the bytes that can be written are limited to the characters valid in an IPv4 address: digits and periods. That constraint is why Ivanti originally classed the issue as a product bug rather than a security vulnerability when it fixed it in 22.7R2.6: the attacker does not control the overwritten bytes freely, so turning the corruption into code execution takes considerably more work than a classic unconstrained overflow. Exploitation in the wild showed that this work had been done.
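As an added illustration of the bug class described above (this is not Ivanti's code, which is not public; the header name, the 16-byte buffer size and all function names are assumptions), the unchecked-copy pattern is shown next to a hardened version. The vulnerable function copies a header value into a fixed-size stack buffer with strcpy(), so any value of 16 bytes or more writes past the buffer. The hardened version measures the input with a bounded scan, rejects anything that cannot fit, whitelists the IPv4 character set, and only then copies. The same length-and-charset test is what a front-end filter would apply to requests destined for an unpatched appliance.

```c
/* Added example: unchecked copy into a stack buffer versus a bounded,
 * validated copy. Not Ivanti's code; names, header and buffer size are
 * assumptions chosen to illustrate the class of bug, not the real binary. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IP_BUF_SIZE 16   /* "255.255.255.255" (15 chars) plus the NUL terminator */

enum xff_result { XFF_OK = 0, XFF_TOO_LONG = 1, XFF_BAD_CHAR = 2 };

/* VULNERABLE (CWE-120 / CWE-121 shape): strcpy() trusts the input to fit.
 * A header value of 16 bytes or more overwrites whatever sits above ip[]
 * in the frame: saved registers, canary if present, and the return address.
 * The demo only ever calls this with short input; the overflow itself is
 * undefined behaviour and would crash or corrupt the process. */
size_t record_client_ip_vulnerable(const char *xff_value)
{
    char ip[IP_BUF_SIZE];
    strcpy(ip, xff_value);          /* no length check before the copy */
    return strlen(ip);
}

/* Length of s, scanning no further than max bytes (portable strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    const char *nul = memchr(s, '\0', max);
    return nul ? (size_t)(nul - s) : max;
}

/* A well-formed IPv4 literal consists of digits and periods only. An
 * overflow payload delivered through such a field is restricted to the
 * same bytes, which is what makes this bug harder to exploit than an
 * unconstrained overflow (but, as the in-the-wild activity showed, not safe). */
static bool is_ipv4_charset(const char *s)
{
    for (; *s; s++)
        if (!((*s >= '0' && *s <= '9') || *s == '.'))
            return false;
    return true;
}

/* HARDENED: reject before copying. Never scan past the capacity, never
 * truncate silently (a truncated address is still wrong data), and only
 * hand a NUL-terminated, bounded result to the caller. */
enum xff_result record_client_ip_hardened(const char *xff_value,
                                          char *out, size_t outsz)
{
    char ip[IP_BUF_SIZE];
    size_t n = bounded_len(xff_value, IP_BUF_SIZE);

    if (n >= IP_BUF_SIZE)           /* value plus NUL would not fit: reject */
        return XFF_TOO_LONG;
    if (!is_ipv4_charset(xff_value))
        return XFF_BAD_CHAR;

    memcpy(ip, xff_value, n);       /* n < IP_BUF_SIZE, so this cannot overflow */
    ip[n] = '\0';
    snprintf(out, outsz, "%s", ip); /* bounded hand-off to the caller's buffer */
    return XFF_OK;
}

int main(void)
{
    char out[IP_BUF_SIZE];
    /* Constructed inputs: a normal proxy header value, a 40-digit value that
     * would overflow the 16-byte buffer, and a value with non-IPv4 bytes. */
    const char *normal    = "203.0.113.7";
    const char *oversized = "1111111111111111111111111111111111111111";
    const char *badchars  = "10.0.0.1;id";

    printf("vulnerable, short input: copied %zu bytes\n",
           record_client_ip_vulnerable(normal));
    printf("hardened, short input: rc=%d ip=%s\n",
           record_client_ip_hardened(normal, out, sizeof out), out);
    printf("hardened, oversized input: rc=%d (rejected before any copy)\n",
           record_client_ip_hardened(oversized, out, sizeof out));
    printf("hardened, bad charset: rc=%d (rejected)\n",
           record_client_ip_hardened(badchars, out, sizeof out));
    return 0;
}
```

The hardened version rejects rather than truncates: a 15-character maximum is the natural bound for an IPv4 literal, and a value that exceeds it is either garbage or an attack, so there is nothing useful to keep. Compiling the vulnerable function with -fstack-protector would catch the overwrite at function return, but that is a crash, not a fix, and it does nothing for the bytes between the buffer and the canary.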
Ivanti classifies the vulnerability as CWE-121 (Stack-based Buffer Overflow). CWE-120 (Buffer Copy without Checking Size of Input, 'Classic Buffer Overflow') is also listed and describes the same unchecked copy. CWE-674 (Uncontrolled Recursion), which appears in some listings, describes stack exhaustion through unbounded recursion, a different failure from the copy-without-length-check described above; CWE-120 and CWE-121 are the classifications that match the technical details.
Ivanti rates the vulnerability CVSS v3.1 9.0 (Critical). The score reflects unauthenticated network reachability and full confidentiality, integrity and availability impact, but it should not be read as "trivially exploitable": the overflow can only write a restricted set of byte values, which raises the attack complexity compared with an unconstrained overflow.
Impact
Successful exploitation gives the attacker code execution with the privileges of the web server process on the appliance (reported as root; the appliances are Linux-based, so a Windows SYSTEM account is not applicable). From there the gateway is fully compromised: the attacker can harvest VPN credentials and session data, inspect or redirect traffic, alter the gateway configuration, install persistent backdoors (Mandiant observed the TRAILBLAZE in-memory dropper and the BRUSHFIRE passive backdoor deployed this way), pivot into the protected internal network, or simply crash the service.
Mitigation and workarounds
Upgrade to a fixed release. Affected versions are Ivanti Connect Secure 22.7R2.5 and earlier, Ivanti Policy Secure 22.7R1.3 and earlier, and Ivanti ZTA Gateways 22.8R2 and earlier; the end-of-life Pulse Connect Secure 9.1x line is also affected and will not receive a fix, so those appliances must be migrated. Fixed versions are Connect Secure 22.7R2.6 or later (released in February 2025, before the issue was known to be exploitable), Policy Secure 22.7R1.4 or later, and ZTA Gateways 22.8R2.2 or later; the Policy Secure and ZTA fixes were scheduled for release after the April 3 disclosure, so confirm availability in Ivanti's advisory. Before upgrading, run Ivanti's Integrity Checker Tool; Ivanti's guidance is to factory-reset any appliance that shows signs of compromise and only then install the fixed version, since an upgrade alone does not guarantee removal of implants.
Until the patch is applied, the following reduce exposure but do not fix the bug: restrict access to the gateway's external interface to trusted IP ranges with firewall rules or security groups (of limited value for a VPN that must accept connections from the internet); place the appliance behind a WAF or IPS with a rule that drops requests carrying an X-Forwarded-For or similar IP-carrying header value that is far longer than any legitimate IPv4 address or contains characters other than digits and periods (generic "buffer overflow" signatures keyed on shellcode or long runs of a single byte will not match a payload built only from digits and periods); and disable any appliance services or features not required for business operations. None of these substitutes for the upgrade, and none helps an appliance that has already been compromised.
CISA's recommendation: apply the vendor mitigations as set out in its Known Exploited Vulnerabilities catalog entry for CVE-2025-22457 and in Ivanti's advisory.
Additional resources
Source: This report was generated using AI

