CVE-2025-22457
Published: 03 April 2025
Summary
CVE-2025-22457 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Ivanti Connect Secure, Ivanti Policy Secure and Ivanti ZTA Gateways. Its CVSS 3.1 base score is 9.0 (Critical).
Operationally, it ranks in the top 1.7% of all CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).
Deeper analysis
A stack-based buffer overflow, tracked as CVE-2025-22457 and classified under CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write), affects Ivanti Connect Secure prior to version 22.7R2.6, Ivanti Policy Secure prior to 22.7R1.4, and Ivanti ZTA Gateways prior to 22.8R2.2. The flaw carries a CVSS 3.1 base score of 9.0 and permits remote code execution when triggered.
A remote, unauthenticated attacker can exploit the issue over the network without credentials or user interaction, although the attack complexity is rated high. The metrics stated here correspond to the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, which scores 9.0. Successful exploitation yields remote code execution with high impact to confidentiality, integrity and availability, and the scope metric is Changed: a compromise of the exposed gateway service affects components beyond the vulnerable product itself.
Ivanti's April 2025 security advisory lists the affected products and fixed releases, and the CISA KEV catalog entry (added 04 April 2025) confirms active exploitation and the need for prompt remediation by upgrading to the specified versions.
Its EPSS score peaked at 0.7353, an estimated 73.5% probability of exploitation activity within the following 30 days, indicating sustained post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9646
Vulnerability details
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.
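The first practical question for a defender is whether an inventoried appliance is still inside the affected range. As an added example (not part of this entry and not Ivanti's own tooling), the following C program encodes the three fixed releases stated above and compares a reported version string against them. The release-string shape (MAJOR.MINOR "R" RELEASE, with an optional ".PATCH"), the short product keys ICS/IPS/ZTA and the sample inventory are assumptions made for the example; the cutoff versions are the ones on this page.

```c
#include <stdio.h>
#include <string.h>

/* Fixed releases named on this page; anything numerically below them is in the affected range.
 * Product keys are an assumption for the example: ICS = Ivanti Connect Secure,
 * IPS = Ivanti Policy Secure, ZTA = Ivanti ZTA Gateways. */
struct fixed_release { const char *product; const char *version; };
static const struct fixed_release FIXED[] = {
    { "ICS", "22.7R2.6" },
    { "IPS", "22.7R1.4" },
    { "ZTA", "22.8R2.2" },
};

/* Parse an Ivanti-style release string such as "22.7R2.6" or "22.7R2" into
 * {major, minor, release, patch}. A missing ".patch" is treated as 0.
 * Returns 0 on success, -1 if the string does not have that shape. */
int parse_version(const char *s, int out[4]) {
    int v[4] = {0, 0, 0, 0};
    int consumed = 0;
    if (sscanf(s, "%d.%dR%d%n", &v[0], &v[1], &v[2], &consumed) != 3) return -1;
    const char *rest = s + consumed;
    if (*rest == '.') {
        if (sscanf(rest, ".%d%n", &v[3], &consumed) != 1) return -1;
        rest += consumed;
    }
    if (*rest != '\0') return -1;                 /* reject trailing junk such as "22.7R2.6.1" */
    for (int i = 0; i < 4; i++) if (v[i] < 0) return -1;
    memcpy(out, v, sizeof v);
    return 0;
}

/* Component-wise compare of two parsed versions: -1 (a < b), 0 (equal) or 1 (a > b). */
int version_cmp(const int a[4], const int b[4]) {
    for (int i = 0; i < 4; i++) {
        if (a[i] < b[i]) return -1;
        if (a[i] > b[i]) return 1;
    }
    return 0;
}

/* 1 = installed version is below the fixed release (affected),
 * 0 = at or above the fixed release,
 * -1 = unknown product key or unparseable version (treat as "needs manual review"). */
int is_vulnerable(const char *product, const char *installed) {
    int have[4], fixed[4];
    if (parse_version(installed, have) != 0) return -1;
    for (size_t i = 0; i < sizeof FIXED / sizeof FIXED[0]; i++) {
        if (strcmp(FIXED[i].product, product) == 0) {
            if (parse_version(FIXED[i].version, fixed) != 0) return -1;
            return version_cmp(have, fixed) < 0 ? 1 : 0;
        }
    }
    return -1;
}

int main(void) {
    /* Constructed sample inventory for the demo, not real appliance data. */
    const char *inventory[][2] = {
        { "ICS", "22.7R2.5" }, { "ICS", "22.7R2.6" }, { "IPS", "22.7R1.3" },
        { "ZTA", "22.8R2.2" }, { "ICS", "22.7R2" },   { "IPS", "unknown" },
    };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        int r = is_vulnerable(inventory[i][0], inventory[i][1]);
        printf("%s %-10s %s\n", inventory[i][0], inventory[i][1],
               r == 1 ? "AFFECTED: upgrade to fixed release" :
               r == 0 ? "at or above fixed release" : "unknown: review manually");
    }
    return 0;
}
```

A version without a trailing patch component (for example "22.7R2") sorts below "22.7R2.6" and is therefore reported as affected, which matches the "prior to" wording of the advisory; unparseable strings are reported as unknown rather than silently treated as safe.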
- CWE(s): CWE-121 (Stack-based Buffer Overflow), CWE-787 (Out-of-bounds Write)
- KEV Date Added: 04 April 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Ivanti Connect Secure, versions prior to 22.7R2.6
- Ivanti Policy Secure, versions prior to 22.7R1.4
- Ivanti ZTA Gateways, versions prior to 22.8R2.2
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly requires applying the vendor fixed releases (Connect Secure 22.7R2.6, Policy Secure 22.7R1.4, ZTA Gateways 22.8R2.2) that remove the stack buffer overflow; this is the only control that eliminates the unauthenticated RCE rather than making it harder.
SI-16 (Memory Protection): mandates memory-protection mechanisms (ASLR, DEP/NX, stack canaries) that raise the bar for reliable exploitation of the CWE-121/CWE-787 flaw while an unpatched service remains reachable; treat these as defense in depth, not as a substitute for the patch.
SI-4 (System Monitoring): requires continuous monitoring and anomaly detection that can identify unusual network traffic to, or unexpected process behaviour on, the Ivanti gateways, indicative of attempted or successful RCE.
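To make the bug class in the deeper analysis above (CWE-121/CWE-787) and the limits of SI-16 concrete, here is an added example written for this entry: a generic header-value copy into a fixed-size stack buffer beside its hardened form. This is illustrative C, not Ivanti's code, and it does not reproduce the actual vulnerable function; the header name, the 64-byte buffer and the demo inputs are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define VALUE_MAX 64   /* assumed stack buffer size for the example */

/* Return a pointer to the value part of "Name: value" (past the colon and spaces), or NULL. */
static const char *header_value(const char *line) {
    const char *colon = strchr(line, ':');
    if (!colon) return NULL;
    const char *v = colon + 1;
    while (*v == ' ') v++;
    return v;
}

/* CWE-121 pattern: an attacker-controlled header value is copied into a fixed-size stack
 * buffer with no length check. A value of VALUE_MAX bytes or more overwrites whatever follows
 * the buffer on the stack (canary, saved registers, return address). Stack canaries and ASLR
 * (SI-16) make a crash likely and exploitation harder; they do not make it impossible. */
int handle_header_vulnerable(const char *line) {
    char value[VALUE_MAX];
    const char *v = header_value(line);
    if (!v) return -1;
    strcpy(value, v);                  /* unbounded write: out of bounds when strlen(v) >= VALUE_MAX */
    return (int)strlen(value);
}

/* Hardened form: check the length against the destination before any byte is written and
 * reject over-long input outright. Silent truncation (e.g. strncpy without a check) would
 * avoid the overflow but can still produce logic bugs downstream. */
int handle_header_safe(const char *line, char *out, size_t outsz) {
    const char *v = header_value(line);
    if (!v || outsz == 0) return -1;
    size_t n = strlen(v);
    if (n >= outsz) return -1;         /* would not fit together with the terminating NUL */
    memcpy(out, v, n + 1);
    return (int)n;
}

/* Constructed demo input (not real traffic): a value that fits. */
int demo_short(char *out, size_t outsz) {
    return handle_header_safe("X-Example: 10.0.0.1", out, outsz);
}

/* Constructed demo input: a 300-byte value. The safe path refuses it; calling
 * handle_header_vulnerable() on this line would overflow the stack buffer (undefined
 * behaviour), so the demo deliberately does not. */
int demo_oversized(void) {
    static const char prefix[] = "X-Example: ";
    char line[sizeof prefix - 1 + 300 + 1];
    char out[VALUE_MAX];
    memcpy(line, prefix, sizeof prefix - 1);
    memset(line + sizeof prefix - 1, 'A', 300);
    line[sizeof line - 1] = '\0';
    return handle_header_safe(line, out, sizeof out);
}

int main(void) {
    char out[VALUE_MAX];
    printf("short value  -> safe=%d vulnerable=%d (\"%s\")\n",
           demo_short(out, sizeof out),
           handle_header_vulnerable("X-Example: 10.0.0.1"), out);
    printf("300-byte value -> safe=%d (rejected before any write)\n", demo_oversized());
    return 0;
}
```

The check in handle_header_safe() runs before the copy and compares against the destination size, not the source; that ordering is what turns an out-of-bounds write into a refused request, independent of whatever canary or ASLR the platform provides.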