Ivanti have released information regarding active exploitation of a critical vulnerability in Ivanti Connect Secure, Policy Secure and Neurons for ZTA gateways (CVE-2025-22457).
ASD’s ACSC recommends customers follow the advice contained in Ivanti’s Security Advisory and assess their environments for malicious activity.
This Alert is relevant to Australian Organisations who utilise Ivanti products. This alert is intended to be understood by technical users.
What’s happened?
- Ivanti has released information regarding a critical unauthenticated buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure and Neurons for ZTA gateways (CVE-2025-22457)
- Ivanti has observed active exploitation associated with this vulnerability.
- Affected products include:
- Pulse Connect Secure 9.1.X
- Ivanti Connect Secure (version 22.7R2.5 and earlier)
- Ivanti Policy Secure
- Neurons for ZTA gateways
- Pulse Connect Secure 9.1X is end of support as of 31 December 2024.
Research from Mandiant also details the active exploitation with research coordinated with a Security Advisory from Ivanti that addresses this activity.
A patch for CVE-2025-22457 was released in ICS 22.7R2.6 on February 11, 2025. The vulnerability is a buffer overflow with a limited character space, therefore it was initially believed to be a low-risk, denial-of-service vulnerability.
Mandiant assessed it is likely that the threat actor, UNC5221, studied the February patch for the vulnerability in ICS 22.7R2.6 and realized – through a complicated process – that it was possible to exploit 22.7R2.5 and earlier versions to achieve remote code execution.
Mandiant and Ivanti have now confirmed that this vulnerability is being actively exploited in the wild against unpatched systems (n-day exploitation). Given the active exploitation, Mandiant and Ivanti are strongly urging all customers running vulnerable versions (ICS 22.7R2.5 and earlier) to apply the patch immediately.
Charles Carmakal, Mandiant Consulting CTO, elaborates on the behavior we’ve seen from this actor: “This latest activity from UNC5221 underscores the ongoing targeting of edge devices globally by China-nexus espionage groups. These actors will continue to research security vulnerabilities and develop custom malware for enterprise systems that don’t support EDR solutions. The velocity of cyber intrusion activity by China-nexus espionage actors continues to increase and these actors are better than ever.”
