
Researchers at Rapid7 published technical details and proof-of-concept exploit code for a critical zero-day vulnerability in Ivanti Connect Secure, tracked as CVE-2025-22457. This flaw, rooted in a stack-based buffer overflow, is now confirmed to be actively exploited in the wild by a China-linked cyber-espionage group known as UNC5221.
The vulnerability resides in the HTTP(S) web server component of Ivanti’s Connect Secure VPN appliances, specifically in the /home/bin/web binary. The flaw originates from how the server processes HTTP headers—particularly the X-Forwarded-For header.
“An attacker may supply an X-Forwarded-For header value with a length greater than 50 characters and overflow the buff50 buffer on the stack,” explains Rapid7’s analysis.
The processing function performs only a superficial check: it uses strspn to restrict the value to digits and periods (0123456789.), but it never checks the value's length before copying it into a 50-byte stack buffer using strlcpy. Because the character-set filter bounds what the input may contain but not how long it may be, this oversight opens the door to stack smashing—even with a restricted character set.
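As an added illustration (not Rapid7's analysis code and not Ivanti's implementation), the following reconstructs the pattern just described from a defender's side: the character-set check by itself, the bounded copy that the original handling lacked, and a simple log-line check that flags an X-Forwarded-For value that would not fit the 50-byte buffer. The buffer size and allowed character set follow the article; the function names and sample values are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Values taken from the analysis quoted above. */
#define XFF_BUF_LEN 50
#define XFF_ALLOWED "0123456789."

/* Character-set check only. This mirrors the superficial filter: it says
 * nothing about length, so a value of 52 digits passes it unchanged. */
bool xff_charset_ok(const char *value) {
    return strspn(value, XFF_ALLOWED) == strlen(value);
}

/* Hardened handling: reject anything that does not fit the destination
 * (terminator included) before the copy touches the stack buffer. */
bool xff_copy_checked(const char *value, char *dst, size_t dst_len) {
    size_t len = strlen(value);
    if (!xff_charset_ok(value)) return false;
    if (len >= dst_len) return false;   /* the bounds check that was missing */
    memcpy(dst, value, len + 1);
    return true;
}

/* Defender-side check for proxy or access-log lines: true when the header's
 * value is too long for the 50-byte buffer, i.e. worth investigating. */
bool xff_header_suspicious(const char *header_line) {
    static const char prefix[] = "X-Forwarded-For:";
    if (strncmp(header_line, prefix, sizeof(prefix) - 1) != 0) return false;
    const char *v = header_line + sizeof(prefix) - 1;
    while (*v == ' ') v++;
    return strcspn(v, "\r\n") >= XFF_BUF_LEN;
}

int main(void) {
    char buf[XFF_BUF_LEN];
    /* Constructed sample values: a normal client address and a 52-digit value. */
    const char *ok = "203.0.113.10";
    const char *too_long = "1111111111222222222233333333334444444444555555555566";
    printf("normal value accepted: %d\n", xff_copy_checked(ok, buf, sizeof buf));
    printf("over-long value passes charset filter: %d\n", xff_charset_ok(too_long));
    printf("over-long value rejected by bounded copy: %d\n",
           xff_copy_checked(too_long, buf, sizeof buf));
    printf("log line flagged: %d\n",
           xff_header_suspicious("X-Forwarded-For: 1111111111222222222233333333334444444444555555555566\r\n"));
    return 0;
}
```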
Ivanti initially underestimated the risk, classifying the bug as a non-exploitable product issue. “It was evaluated and determined not to be exploitable as remote code execution and didn’t meet the requirements of denial of service,” the company stated.
However, Rapid7’s proof-of-concept shows otherwise. With sophisticated memory manipulation techniques, attackers can hijack the control flow—even under the constraints imposed by the input filter. Worse still, no authentication is required, and no user interaction is needed. This makes it a dream exploit for remote attackers.
Mandiant and Google’s Threat Intelligence Group have confirmed exploitation of CVE-2025-22457 by a Chinese-nexus espionage actor, which has been leveraging the flaw since mid-March 2025.
CVE-2025-22457 affects a wide range of Ivanti products:
- Ivanti Connect Secure versions 22.7R2.5 and earlier
- Pulse Connect Secure 9.1R18.9 and earlier (now end-of-support)
- Ivanti Policy Secure 22.7R1.3 and earlier
- Ivanti Neurons for ZTA Gateways 22.8R2 and earlier
Fixes have been staggered:
- Ivanti Connect Secure: Patched in 22.7R2.6 (released February 2025)
- Policy Secure: Patch expected April 21
- ZTA Gateways: Patch scheduled April 19
In addition, Ivanti recommends:
- Monitoring the Integrity Checker Tool (ICT) for signs of compromise
- Watching for web server crashes
- Performing a factory reset if compromise is detected before restoring the appliance with the patched software version
The security research community now has access to a public proof-of-concept exploit, available on GitHub. While this promotes transparency and helps defenders test and secure their infrastructure, it also significantly lowers the bar for threat actors to exploit this flaw at scale.