A newly revealed exploited Ivanti VPN vulnerability is putting over 5,000 internet-facing devices at serious risk, with evidence pointing to an active campaign by a sophisticated Chinese threat group.
Despite a patch released in February, the flaw, tracked as CVE-2025-22457, continues to be exploited in the wild, raising alarms across the cybersecurity community.
According to the April Security Advisory, the exploited Ivanti VPN vulnerability lies in a critical buffer overflow bug in Connect Secure and Pulse Connect Secure appliances.
Attackers are using it to run remote code on targeted systems without authentication—potentially giving them full access.
If you rely on Ivanti VPN solutions, you must take this threat seriously. Here’s what we know and what you can do.
Key Takeaway on the Exploited Ivanti VPN Vulnerability:
- Exploited Ivanti VPN vulnerability: Over 5,000 unpatched Ivanti VPN appliances are exposed to an active, exploited vulnerability being used by hackers to gain unauthorized system access.
What’s Happening With the Exploited Ivanti VPN Vulnerability?
More than 5,000 Ivanti Connect Secure appliances are still online and unpatched as of April 6, 2025.
The exploited Ivanti VPN vulnerability has been confirmed to be under active attack, primarily by a China-linked hacking group known as UNC5221.
This bug, tagged CVE-2025-22457 with a CVSS score of 9.0 (Critical), is a stack-based buffer overflow vulnerability.
It lets unauthenticated users remotely execute malicious code. Ivanti released a patch back in February, but the flaw was initially misclassified as a product bug, delaying an official disclosure.
Who’s Behind the Exploits?
Mandiant, a trusted cybersecurity firm, linked the exploitation to UNC5221, a known Chinese state-sponsored group.
They began exploiting the vulnerability in mid-March 2025, using advanced techniques to drop in-memory malware and install hidden backdoors.
This isn’t new. Back in 2021, Pulse Secure VPNs were compromised in a similar attack by suspected Chinese actors. You can read about that incident here.
Affected Products and Patch Status
Below is a breakdown of what products are impacted and the status of patches:
Product Name | Affected Versions | Patch Available | Patch Version |
---|---|---|---|
Ivanti Connect Secure | 22.7R2.5 and earlier | Yes | 22.7R2.6 |
Pulse Connect Secure (EoS) | 9.x (End of Support) | No | Must migrate |
Ivanti Policy Secure | 22.7R1.3 and earlier | Yes (April 21) | 22.7R1.4 |
ZTA Gateways | 22.8R2 and earlier | Yes (April 19) | 22.8R2.2 |
Important Note: Pulse Connect Secure 9.x is no longer supported as of Dec. 31, 2024. If you’re still using it, Ivanti recommends migrating immediately.
Why This Matters (And What Could Happen)
The exploited Ivanti VPN vulnerability doesn’t just affect one company—it has global implications.
VPN appliances like Ivanti Connect Secure act as gateways to enterprise networks. If attackers breach them, they can access everything inside.
This kind of remote code execution has been used in the past to:
- Steal sensitive customer and employee data
- Deploy ransomware across corporate networks
- Pivot into other systems and elevate privileges
Just look at the 2023 MOVEit Transfer incident, where hackers exploited a similar vulnerability and caused widespread breaches. Details of that incident can be found here.
Why So Many Devices Are Still Vulnerable
Even though patches are out, 5,113 vulnerable appliances are still visible online. Here’s why:
- Many businesses aren’t aware the issue exists
- The flaw was initially downplayed as non-critical
- End-of-support systems like Pulse Secure 9.x don’t receive updates
- IT teams are overwhelmed due to staffing shortages
This makes it the perfect storm for attackers to take advantage.
What Should You Do Now?
If you’re using an Ivanti VPN, here’s your checklist:
✅ Check your version:
- If using Connect Secure, update to 22.7R2.6
- If using Policy Secure, wait for 22.7R1.4 on April 21
- If on ZTA Gateways, auto-update happens on April 19
- If using Pulse Secure 9.x, stop now and migrate
✅ Run an Integrity Checker Tool (ICT):
Run Ivanti's Integrity Checker Tool against the appliance, and also watch for unusual activity such as web server crashes or signs of in-memory code injection.
✅ Reset if Compromised:
If the ICT finds signs of compromise, perform a factory reset before installing the latest patch.
✅ Get Support:
Reach out to Ivanti Support if you need help applying updates.
✅ Stay Updated:
Join cybersecurity mailing lists and forums like Shadowserver to stay informed.
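The version check at the top of the checklist is easy to get wrong by hand, because Ivanti version strings such as 22.7R2.5 do not sort correctly as plain text (22.7R2.10 would compare below 22.7R2.6). The script below is an added example, not Ivanti's own tooling: it parses the "major.minorRrelease.patch" convention seen in the table above (an assumption based on those strings), compares each appliance against the fixed version from the table, and flags end-of-support Pulse Connect Secure 9.x for migration rather than patching. The hostnames and inventory entries are constructed sample data.

```python
"""Version-exposure check for the Ivanti advisory table in this article.

Added example, not Ivanti's tooling. Version strings are assumed to follow
the '<major>.<minor>R<release>.<patch>' convention shown in the table
(e.g. 22.7R2.5); the inventory below is constructed sample data.
"""
import re
from dataclasses import dataclass

VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(s: str) -> tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5); '22.8R2' becomes (22, 8, 2, 0)."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {s!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


# Fixed versions from the article's table; None means no fix (end of support).
FIXED_VERSION = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.4",
    "ZTA Gateways": "22.8R2.2",
    "Pulse Connect Secure": None,
}


@dataclass
class Appliance:
    host: str
    product: str
    version: str


def assess(appliance: Appliance) -> str:
    """Return 'patched', 'vulnerable' or 'migrate' for one appliance."""
    fixed = FIXED_VERSION.get(appliance.product)
    if fixed is None:
        return "migrate"  # unsupported product line, no patch will ship
    # Tuple comparison, not string comparison: 22.7R2.10 is newer than 22.7R2.6.
    if parse_version(appliance.version) >= parse_version(fixed):
        return "patched"
    return "vulnerable"


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Appliance("vpn-hq-01", "Ivanti Connect Secure", "22.7R2.5"),
    Appliance("vpn-hq-02", "Ivanti Connect Secure", "22.7R2.6"),
    Appliance("vpn-dc-01", "Ivanti Connect Secure", "22.7R2.10"),
    Appliance("nac-01", "Ivanti Policy Secure", "22.7R1.3"),
    Appliance("zta-01", "ZTA Gateways", "22.8R2"),
    Appliance("legacy-vpn", "Pulse Connect Secure", "9.1R18"),
]


def report(inventory):
    """Group hosts by status so the exposed ones are the first thing you see."""
    out = {"vulnerable": [], "migrate": [], "patched": []}
    for appliance in inventory:
        out[assess(appliance)].append(appliance.host)
    return out


if __name__ == "__main__":
    for status, hosts in report(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Feed `report()` your own asset inventory instead of the constructed list; the "vulnerable" and "migrate" groups are the hosts to prioritise, and for any host in either group the Integrity Checker step below still applies, since a patched-now device may have been compromised before the update.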
About Ivanti
Ivanti is a cybersecurity and IT service management company that builds solutions for secure access, endpoint security, and device management.
Its VPN products, like Connect Secure and Policy Secure, are used by governments and Fortune 500 companies worldwide.
Rounding Up
This exploited Ivanti VPN vulnerability is a textbook example of how delayed disclosure and unpatched systems can escalate risk across the globe. If you rely on Ivanti appliances, please act immediately. Cyber threats are evolving fast, and today’s negligence can become tomorrow’s crisis.
Looking forward, attackers will likely continue targeting edge appliances and unmaintained infrastructure. As generative AI enhances both attack and defense techniques, staying ahead of the curve with patches and vigilance is no longer optional; it’s essential.
FAQs
1. What is CVE-2025-22457?
- A critical buffer overflow vulnerability in Ivanti VPN appliances
- Allows remote attackers to execute code without authentication
- Score of 9.0 on the CVSS scale
2. Has this Ivanti VPN vulnerability been exploited?
- Yes, confirmed by Mandiant and Ivanti
- Chinese threat group UNC5221 has been actively exploiting it since mid-March
- Targeting Connect Secure and Pulse Connect Secure
3. Is my device vulnerable?
- If using Ivanti Connect Secure version 22.7R2.5 or earlier, yes
- If using Pulse Secure 9.x (unsupported), definitely yes
- Run an Integrity Checker Tool to confirm
4. What should I do if I can’t patch right now?
- Disconnect the device from the internet
- Monitor logs and traffic
- Limit access and segment network zones
- Plan a migration to supported versions
5. Are Ivanti Policy Secure and ZTA Gateways safe?
- Currently, there’s no evidence of active exploitation
- Patches are scheduled: April 21 (Policy Secure), April 19 (ZTA)
- Keep devices off the internet until patched
6. Where can I get more technical help?
- Visit Ivanti Support Portal
- Review guidance from Mandiant’s blog
- Stay connected with updates via Shadowserver