Saturday, June 28, 2025

Ivanti Fully Patched Actively Exploited Connect Secure RCE Vulnerability


Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways.

Rated at a CVSS score of 9.0, this stack-based buffer overflow has been actively exploited since mid-March 2025, posing a severe risk to organizations using these VPN and access solutions.

Active Exploitation

Disclosed on April 3, 2025, the vulnerability has been exploited since mid-March, according to Mandiant.

The attacks are linked to UNC5221, a suspected Chinese state-sponsored group known for targeting edge devices, including previous Ivanti zero-days like CVE-2023-46805. UNC5221 deploys malware such as Trailblaze (an in-memory dropper), Brushfire (a backdoor), and the Spawn suite for credential theft and network traversal.

They also use tools like SPAWNSLOTH to manipulate logs, evading detection.

The flaw was patched in Ivanti Connect Secure version 22.7R2.6 on February 11, 2025, initially assessed as a low-risk denial-of-service issue due to its limited character set (periods and numbers).

However, UNC5221 likely reverse-engineered the patch, crafting an RCE exploit for unpatched systems, which elevated its severity.

Vulnerability Details

CVE-2025-22457 is a stack-based buffer overflow (CWE-121) that allows a remote, unauthenticated attacker to execute arbitrary code (RCE).

The flaw occurs due to insufficient input validation, allowing attackers to overflow the buffer and run malicious code.

“This advisory has been updated to make it clear the vulnerability was fully patched in Ivanti Connect Secure (released February 11, 2025)”, Ivanti said.

Ivanti reports that a small number of customers using Ivanti Connect Secure (22.7R2.5 or earlier) and Pulse Connect Secure 9.1x appliances have been compromised. The remediation details are:

  • Ivanti Connect Secure: Upgrade to version 22.7R2.6, available at Ivanti Portal. If compromised, perform a factory reset and redeploy with 22.7R2.6.
  • Pulse Connect Secure: As an unsupported product, customers must contact Ivanti to migrate to a secure platform.
  • Ivanti Policy Secure: A patch (version 22.7R1.4) will be released on April 21, 2025. No exploitation has been reported, and risk is lower as it’s not internet-facing.
  • ZTA Gateways: A patch (version 22.8R2.2) will auto-apply on April 19, 2025. Risk exists only for unconnected gateways; no exploitation has been observed.
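
As an added example (not Ivanti's or this article's code), the remediation list above can be applied as a version triage over an appliance inventory. The product labels, hostnames and inventory rows are constructed for illustration; the fixed versions are the ones given in the list.

```python
import re

# Fixed releases taken from the remediation list above.
# The product keys are labels chosen for this example (assumption).
FIXED = {
    "connect-secure": "22.7R2.6",
    "policy-secure": "22.7R1.4",
    "zta-gateway": "22.8R2.2",
}
UNSUPPORTED = {"pulse-connect-secure"}  # no fix: migration required

_VERSION = re.compile(r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Turn '22.7R2.6' into (22, 7, 2, 6); a missing patch level counts as 0."""
    match = _VERSION.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def triage(product, version):
    """Return (status, action) for one appliance."""
    if product in UNSUPPORTED:
        return ("unsupported", "contact Ivanti to migrate")
    fixed = FIXED.get(product)
    if fixed is None:
        return ("unknown", "product not covered by the advisory list")
    try:
        current = parse_version(version)
    except ValueError:
        return ("unknown", "verify the version manually")
    # Numeric tuple comparison, so 22.7R2.10 sorts after 22.7R2.6.
    if current < parse_version(fixed):
        return ("vulnerable", f"upgrade to {fixed}")
    return ("patched", "none")


# Constructed sample inventory: (hostname, product, reported version).
INVENTORY = [
    ("vpn-01", "connect-secure", "22.7R2.5"),
    ("vpn-02", "connect-secure", "22.7R2.6"),
    ("vpn-03", "pulse-connect-secure", "9.1R18.9"),
    ("nac-01", "policy-secure", "22.7R1.3"),
    ("vpn-04", "connect-secure", "n/a"),
]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        print(host, product, version, *triage(product, version))
```

A "patched" result only reflects the running version; it does not rule out a compromise that happened before the upgrade.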

Detection and Response

Ivanti advises using the Integrity Checker Tool (ICT) to detect compromise, such as web server crashes. If detected, a factory reset and upgrade to 22.7R2.6 are recommended. Mandiant’s blog offers further indicators of compromise. An X post by @nekono_naha revealed that 66% of 12,471 exposed Ivanti/Pulse Connect Secure servers (8,246) are vulnerable, with 50% (6,049) on pre-9.x versions, emphasizing the need for immediate action.

This marks Ivanti’s fifteenth entry in CISA’s Known Exploited Vulnerabilities catalog since 2024, highlighting ongoing security issues with its edge devices.

UNC5221’s involvement points to broader geopolitical concerns, as China-linked actors target infrastructure for espionage.

The delayed disclosure despite the February patch reveals vulnerability management gaps. Initially underestimated, the flaw’s exploitability gave attackers a month-long window, underscoring the need for faster threat intelligence sharing.

The active exploitation of CVE-2025-22457 underscores the persistent threats to edge devices.

As groups like UNC5221 exploit such flaws, organizations must prioritize patching and secure configurations.

Ivanti’s response mitigates risks for supported systems, but unsupported platforms remain a challenge, highlighting the need for proactive cybersecurity measures in a rapidly evolving threat landscape.
