By: RedLegg's Cyber Threat Intelligence Team
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES:
Critical Vulnerability affecting Ivanti Connect Secure, Policy Secure & ZTA Gateways
CVSS Score: 9.0 (Critical)
Identifier: CVE-2025-22457
Exploit or Proof of Concept (PoC): Yes, active exploitation of this vulnerability has been observed in the wild.
Update: CVE-2025-22457 – Ivanti Security Advisory
Description: CVE-2025-22457 is a critical stack-based buffer overflow vulnerability affecting multiple Ivanti products, including Ivanti Connect Secure (ICS) VPN appliances, Pulse Connect Secure, Ivanti Policy Secure, and ZTA gateways. An unauthenticated remote attacker can exploit this flaw to execute arbitrary code on the affected system, potentially leading to full system compromise. Notably, the threat actor group UNC5221, suspected to have ties to China, has been observed exploiting this vulnerability to deploy malware families such as TRAILBLAZE and BRUSHFIRE.
Mitigation Recommendation: Administrators are strongly advised to upgrade to the latest versions of the affected products to mitigate this vulnerability. Specifically, Ivanti Connect Secure users should upgrade to version 22.7R2.6. For Pulse Connect Secure 9.1x, which has reached end-of-support, migrating to a supported solution is recommended. Patches for Ivanti Policy Secure and ZTA Gateways are scheduled for release on April 21 and April 19, respectively. Organizations should also monitor their systems for signs of compromise, including the presence of TRAILBLAZE and BRUSHFIRE malware.
Note: Given the active exploitation of this vulnerability and its critical nature, immediate action is essential to protect affected systems from potential compromise.
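As an added defender-side example (not code from the RedLegg bulletin or from Ivanti), the script below triages an appliance inventory against the guidance above: it parses Ivanti build strings in the 22.7R2.6 form used on this page, flags Connect Secure builds below 22.7R2.6, marks Pulse Connect Secure 9.1x as end-of-support, and marks Policy Secure and ZTA gateways as patch-pending until their fixed builds ship. The version-string pattern, product-name matching and sample hostnames are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# Fixed Ivanti Connect Secure build named in the advisory summarised above.
ICS_FIXED = "22.7R2.6"

# Assumed build-string layout, based on the "22.7R2.6" form seen on this page:
# major.minor, an "R" release number, and an optional patch level.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '22.7R2.6' into (22, 7, 2, 6); return None for anything unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

def assess(product: str, version: str) -> str:
    """Classify one appliance: patched, vulnerable, end-of-support, patch-pending or unknown."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    name = product.lower()
    if "pulse" in name:
        # Pulse Connect Secure 9.1x is end-of-support: migrate, do not wait for a patch.
        return "end-of-support" if parsed[:2] == (9, 1) else "unknown"
    if "connect secure" in name:
        # Tuple comparison: any build at or above 22.7R2.6 counts as fixed.
        return "patched" if parsed >= parse_version(ICS_FIXED) else "vulnerable"
    if "policy secure" in name or "zta" in name:
        # The advisory gives release dates but no fixed build yet for these products.
        return "patch-pending"
    return "unknown"

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return every appliance that still needs action, with its assessment attached."""
    rows = [(host, prod, ver, assess(prod, ver)) for host, prod, ver in inventory]
    return [row for row in rows if row[3] != "patched"]

# Constructed sample inventory; hostnames and builds are made up for illustration.
SAMPLE_INVENTORY = [
    ("vpn-01.example.internal", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-02.example.internal", "Ivanti Connect Secure", "22.7R2.6"),
    ("vpn-legacy.example.internal", "Pulse Connect Secure", "9.1R18.9"),
    ("nac-01.example.internal", "Ivanti Policy Secure", "22.7R1.3"),
]

if __name__ == "__main__":
    for host, prod, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:30} {prod:24} {ver:10} {status}")
```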