Cyber Posture

CVE-2025-22467

Critical

Published: 11 February 2025

Published
11 February 2025
Modified
20 February 2025
KEV Added
Patch
CVSS Score 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.4798 97.7th percentile
Risk Priority 49 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22467 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Ivanti Connect Secure. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the stack-based buffer overflow by requiring timely patching and updating Ivanti Connect Secure to version 22.7R2.6 or later as specified in the advisory.

SI-16 Memory Protection good match
prevent

Implements memory protections like stack canaries, ASLR, and DEP that prevent exploitation of stack-based buffer overflows to achieve remote code execution.

SI-10 Information Input Validation partial match
prevent

Requires validation of information inputs to the vulnerable software component, reducing the risk of malformed data triggering the buffer overflow.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Stack-based buffer overflow enabling RCE in public-facing Ivanti Connect Secure VPN application, exploitable remotely by low-privilege authenticated attackers.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution.

Deeper analysisAI

CVE-2025-22467 is a stack-based buffer overflow vulnerability, classified under CWE-121, affecting Ivanti Connect Secure versions prior to 22.7R2.6. Published on 2025-02-11, the flaw resides in the software component and enables remote code execution when exploited.

A remote authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation achieves high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) with a scope change (S:C), resulting in remote code execution on the targeted system. The vulnerability carries a CVSS v3.1 base score of 9.9.

Ivanti's February Security Advisory addresses this CVE alongside others in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Secure Access Client, available at https://forums.ivanti.com/s/article/February-Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-and-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs. Mitigation requires upgrading to version 22.7R2.6 or later.

Details

CWE(s)
CWE-121

Affected Products

ivanti
connect secure
22.7 · ≤ 22.7

CVEs Like This One

CVE-2025-0283Same product: Ivanti Connect Secure
CVE-2025-0282Same product: Ivanti Connect Secure
CVE-2024-10644Same product: Ivanti Connect Secure
CVE-2025-55147Same product: Ivanti Connect Secure
CVE-2025-55142Same product: Ivanti Connect Secure
CVE-2025-55145Same product: Ivanti Connect Secure
CVE-2025-55141Same product: Ivanti Connect Secure
CVE-2024-35279Same product class: VPN / SSL gateway
CVE-2025-13659Same vendor: Ivanti
CVE-2025-26506Shared CWE-121

References