Critical Vulnerability in Ivanti VPN Products (CVE-2025-22457)
Executive Summary
On April 3rd, Ivanti released an advisory for a critical vulnerability in their VPN and network access control products Connect Secure, Policy Secure, and ZTA Gateways. Successfully exploiting the vulnerability would enable an unauthenticated threat actor to achieve remote code execution (RCE) on a target device. This family of products is, by design, deployed on customer networks as internet-facing, so this vulnerability can provide threat actors with initial access to organization networks.
The software bug causing this vulnerability was identified and fixed by Ivanti in February and was initially categorized as a benign product bug. However, in mid-March, security firm Mandiant observed the vulnerability being successfully exploited by a threat actor to take control of a target Ivanti system. They presumably coordinated with Ivanti to verify their findings, as their analysis was published on the same day as Ivanti’s security advisory.
Given that this vulnerability is currently in use by malicious threat actors, Beazley Security recommends affected organizations update their systems to the currently available versions as soon as possible.
Affected Systems and Products
Mitigations / Workarounds
This vulnerability was identified and fixed in February, so Ivanti’s primary recommendation is to stay up to date on supported versions.
Ivanti customers can also decrease their risk from vulnerabilities in general by following Ivanti's product-specific Security Configuration Best Practices.
Patches
Ivanti software updates are available, and clients may use the Ivanti Customer Support Center to find the current release for their product.
Customers also have access to Ivanti’s Success Portal for assistance.
Technical Details
Detailed analysis of the vulnerability has not been published, and there are no known public proof-of-concept (PoC) samples available. However, Mandiant's advisory does describe some of the threat actor indicators they observed. This threat actor appears to have deep knowledge of Ivanti environments, as the TRAILBLAZE, BRUSHFIRE, and SPAWN malware deployed have components specifically written for Ivanti devices. The Mandiant advisory details the specific IOCs, but in general, this was the activity seen:
- Core dumps related to the web process
- Anomalous client TLS certificates presented to the device
- Suspicious files written to the /tmp/ directory
- Suspicious files written to the /bin/ and /lib/ directories
Ivanti additionally provides an external Integrity Checker Tool (ICT) to check configurations and files on their devices for signs of tampering. Ivanti's documentation provides more information on that tool.
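As an added example (not code from Ivanti, Mandiant or Beazley Security), the following triage helper turns the indicator categories above into checks over a file listing and client-certificate records. The baseline manifest, the web process name, the trusted issuer set and the sample observations are all assumptions constructed for the example.

```python
"""Triage helper for the indicator categories listed above (added example,
not Ivanti's or Mandiant's code). Compares constructed observations against
an assumed known-good baseline and reports matches for each category."""
from posixpath import basename
from typing import Dict, List

# Assumed baseline: path -> SHA-256 from a clean appliance (placeholder digests).
BASELINE: Dict[str, str] = {
    "/bin/busybox": "sha256-placeholder-busybox",
    "/lib/libssl.so.1.1": "sha256-placeholder-libssl",
}
TRUSTED_CLIENT_ISSUERS = {"CN=Corp Device CA"}  # expected client-cert issuers (assumed)
WEB_PROCESS = "web"  # assumed name of the appliance web process


def triage(files: List[dict], client_certs: List[dict]) -> List[str]:
    """Return one finding string per observation matching an indicator."""
    findings: List[str] = []
    for f in files:
        path = f["path"]
        # Core dumps related to the web process ("comm" = owning process name)
        if basename(path).startswith("core") and f.get("comm") == WEB_PROCESS:
            findings.append(f"web-process core dump: {path}")
        # Executable dropped in /tmp/ (mode has any execute bit set)
        elif path.startswith("/tmp/") and f.get("mode", 0) & 0o111:
            findings.append(f"executable written to /tmp: {path}")
        # Files under /bin/ or /lib/ must match the known-good manifest
        elif path.startswith(("/bin/", "/lib/")):
            if path not in BASELINE:
                findings.append(f"file not in baseline: {path}")
            elif BASELINE[path] != f.get("sha256"):
                findings.append(f"baseline hash mismatch: {path}")
    for c in client_certs:
        if c["issuer"] not in TRUSTED_CLIENT_ISSUERS:
            findings.append(f"anomalous client cert issuer {c['issuer']!r} from {c['src']}")
    return findings


# Constructed sample observations (not real indicators) for a stand-alone run.
SAMPLE_FILES = [
    {"path": "/bin/busybox", "sha256": "sha256-placeholder-busybox", "mode": 0o755},
    {"path": "/lib/libssl.so.1.1", "sha256": "tampered", "mode": 0o644},
    {"path": "/lib/libunknown.so", "sha256": "x", "mode": 0o755},
    {"path": "/tmp/.t", "sha256": "y", "mode": 0o755},
    {"path": "/tmp/core.1234", "sha256": "z", "mode": 0o600, "comm": "web"},
]
SAMPLE_CERTS = [{"issuer": "CN=Corp Device CA", "src": "10.0.0.5"},
                {"issuer": "CN=Unknown CA", "src": "198.51.100.7"}]


def run_sample() -> List[str]:
    return triage(SAMPLE_FILES, SAMPLE_CERTS)
```

Running `run_sample()` on the constructed data yields five findings, one per tampered, new, dropped or dumped file plus the unknown certificate issuer; the clean baseline entry and the trusted certificate produce none.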
How Beazley Security is Responding
Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.