- 74/2025
- Critical
Ivanti has released security updates to address a critical vulnerability affecting multiple Ivanti products.
The vulnerability could allow the remote unauthenticated attacker to execute arbitrary code through a stack-based buffer overflow and gain access to the affected product.
Ivanti Connect Secure, Policy Secure, and ZTA Gateways Remote Code Execution Vulnerability (CVE-2025-22457):
- CVSS: 9
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
The affected products:
- Ivanti Connect Secure version 22.7R2.5 and earlier.
- Ivanti Pulse Connect Secure version 9.1x, end-of-support as of Dec 31, 2024.
- Ivanti Policy Secure (IPS) 22.7R1.3 and prior.
- Ivanti ZTA Gateways 22.8R2 and prior.
It should be highlighted that Ivanti is aware that the zero-day vulnerability “CVE-2025-22457” is being exploited in the wild.
Vulnerabilities
CVE-2025-22457
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.