overview

CVE-2025-22457 is a critical stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and Neurons for ZTA gateways. The flaw allows unauthenticated remote attackers to execute arbitrary code and fully compromise the appliance. It stems from improper input validation that lets a stack buffer be overrun.

Potential Impact:
Exploitation of CVE-2025-22457 can lead to Remote Code Execution (RCE). Attackers can install malware, tamper with logs, steal sensitive data, or disrupt services. The risk is particularly severe for organizations relying on these products for secure connectivity.

Exploitation Details:
Attackers exploit this vulnerability by sending specially crafted requests that trigger the stack overflow. After exploitation, payloads such as the TRAILBLAZE and BRUSHFIRE malware can be deployed, together with log-tampering utilities such as SPAWNSLOTH to hide the activity.

Affected Products and Versions:

Product                       Affected Versions        Patched Versions
Ivanti Connect Secure (ICS)   22.7R2.5 and older       22.7R2.6 (released Feb 11, 2025)
Pulse Connect Secure (PCS)    9.1x (End-of-Support)    Migration required
Ivanti Policy Secure (IPS)    22.7R1.3 and older       22.7R1.4 (released Apr 21, 2025)
Neurons for ZTA Gateways      22.8R2 and older         22.8R2.2 (released Apr 19, 2025)
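The table above is only useful if version strings are compared correctly: Ivanti builds use a major.minor R release.patch scheme, and a plain string comparison puts "22.7R2.10" before "22.7R2.6". The following Python is an added example (not Avertium's or Ivanti's code) that parses that scheme and triages a constructed appliance inventory against the fixed builds listed in the table; the product names and hostnames are assumptions for illustration.

```python
import re
from typing import List, Optional, Tuple

# Fixed builds exactly as listed in the advisory table. Pulse Connect Secure
# 9.1x is end-of-support with no fixed build, so it is recorded as None and
# every 9.1 build is treated as affected (migration required).
FIXED_VERSIONS: dict = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.4",
    "Neurons for ZTA Gateways": "22.8R2.2",
    "Pulse Connect Secure": None,
}

# Assumed format: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5 or 22.8R2.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an Ivanti build string into a tuple that compares numerically.
    A missing patch component ("22.8R2") is treated as patch 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed build predates the fixed build for the product,
    or when the product has no fixed build at all (PCS 9.1x)."""
    fixed: Optional[str] = FIXED_VERSIONS[product]
    if fixed is None:
        return True
    return parse_version(installed) < parse_version(fixed)


# Constructed sample inventory (hostname, product, reported build); not real data.
INVENTORY: List[Tuple[str, str, str]] = [
    ("vpn-gw-01", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-gw-02", "Ivanti Connect Secure", "22.7R2.6"),
    ("nac-01", "Ivanti Policy Secure", "22.7R1.3"),
    ("zta-01", "Neurons for ZTA Gateways", "22.8R2"),
    ("legacy-pcs", "Pulse Connect Secure", "9.1R18.9"),
]


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames that still run an affected build."""
    return [host for host, product, build in inventory if is_vulnerable(product, build)]


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: affected by CVE-2025-22457, patch or migrate")
```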

Current Threat Status:
This vulnerability has been actively exploited by the Chinese APT group UNC5221 since mid-March 2025, targeting organizations in the U.S., Europe, and Taiwan. Attackers deploy sophisticated obfuscation techniques, leveraging compromised devices such as network appliances to mask attack origins.

how avertium is protecting our customers

IOCs ADDED TO OUR THREAT FEEDS

File Hashes

  • Malware families such as TRAILBLAZE (no hash published) and BRUSHFIRE execute in memory without leaving disk artifacts, so no file hashes are available for them.
  • Additional artifacts:
    • SPAWNSLOTH: Log tampering utility.
    • SPAWNSNARE: Encryption tool for Linux kernel images.
    • SPAWNWAVE: Multi-functional successor to the SPAWN malware family.

Utilities and Tools

  • Attackers modify Ivanti’s Integrity Checker Tool (ICT) for obfuscation purposes.

TTPs (Tactics, Techniques, and Procedures)

  • Use of compromised devices (e.g., QNAP NAS, ASUS routers) for masking intrusion sources.
  • Targeted exploitation using buffer overflow for RCE.

Actor Attribution

  • UNC5221, a China-attributed espionage group, specializes in exploiting edge devices using custom malware.

MITRE ATT&CK AND TTPs

Initial Access

  • T1190 - Exploit Public-Facing Application: Exploit buffer overflow for unauthenticated access.

Execution

  • T1203 - Exploitation for Client Execution: Arbitrary code execution via stack overflow.
  • T1059 - Command and Scripting Interpreter: Use of scripts to execute additional payloads.

Persistence

  • T1547 - Boot or Logon Autostart Execution: Modify startup processes for persistence.

Privilege Escalation

  • T1068 - Exploitation for Privilege Escalation: Escalate privileges to root/system level post-exploitation.

Defense Evasion

  • T1112 - Modify Registry: Tamper with configurations to evade detection.

Credential Access

  • T1555 - Credentials from Password Stores: Extract sensitive credentials for lateral movement.

Discovery

  • T1082 - System Information Discovery: Collect system information for further exploitation.
  • T1046 - Network Service Scanning: Identify exploitable services for lateral movement.

Lateral Movement

  • T1021 - Remote Services: Use compromised credentials to access additional systems.

Exfiltration

  • T1041 - Exfiltration Over C2 Channel: Extract sensitive data stealthily for espionage.

Impact

  • T1486 - Data Encrypted for Impact: Deploy encryption malware to disrupt operations.

additional Recommendations + information

  1. Immediate Actions
  • Restrict Access: Limit network exposure of Ivanti systems to trusted sources only.
  • Patch Systems: Apply patches for:
    • Ivanti Connect Secure (22.7R2.6 or newer).
    • Ivanti Policy Secure and ZTA Gateways (available April 2025).
  • Reset Credentials: Revoke and reset administrative credentials immediately.
  2. Monitoring and Incident Response
  • Inspect ICT logs for anomalies.
  • Factory-reset any compromised devices.
  • Enable robust logging and monitoring to detect malicious activity.
  3. Network Security
  • IDS/IPS Deployment: Configure systems to detect buffer-overflow related exploits.
  • IoC Scanning: Regularly audit systems for TRAILBLAZE, SPAWN, and related malware.

ADDITIONAL SERVICE OFFERINGS

Organizations can leverage Avertium’s cybersecurity services to address the risks posed by CVE-2025-22457:

Threat Detection & Response (TDR)

  • Optimizes SIEM systems and integrates XDR for real-time threat detection and remediation.

Attack Surface Management

  • Evaluates organizational exposure to vulnerabilities in Ivanti products.

Governance, Risk, and Compliance (GRC)

  • Ensures adherence to best practices (e.g., NIST, ISO) for vulnerability management.

Incident Response Services

  • Provides forensic investigation and immediate containment in case of exploitation.

Security Operations Center (SOC)

  • Offers round-the-clock monitoring for IoCs and malicious behavior.

By leveraging these measures and services, organizations can effectively mitigate the risks of CVE-2025-22457 and bolster their cybersecurity resilience.
