CVE-2025-22457 : A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6,

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.

Published 2025-04-03 15:20:24

Updated 2025-05-03 01:00:02

Source ivanti

View at NVD, CVE.org

Vulnerability category: OverflowExecute code

Products affected by CVE-2025-22457

Ivanti » Connect Secure
Versions up to, including, (<=) 22.7r2.5
cpe:2.3:a:ivanti:connect_secure:*:*:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure »
Versions before (<) 22.7
cpe:2.3:a:ivanti:connect_secure:*:-:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 22.7
cpe:2.3:a:ivanti:connect_secure:22.7:-:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 22.7 Update R1
cpe:2.3:a:ivanti:connect_secure:22.7:r1:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 22.7 Update R1.1
cpe:2.3:a:ivanti:connect_secure:22.7:r1.1:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 22.7 Update R1.2
cpe:2.3:a:ivanti:connect_secure:22.7:r1.2:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 22.7 Update R1.3
cpe:2.3:a:ivanti:connect_secure:22.7:r1.3:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 22.7 Update R1.4
cpe:2.3:a:ivanti:connect_secure:22.7:r1.4:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 22.7 Update R1.5
cpe:2.3:a:ivanti:connect_secure:22.7:r1.5:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 22.7 Update R2
cpe:2.3:a:ivanti:connect_secure:22.7:r2:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 22.7 Update R2.1
cpe:2.3:a:ivanti:connect_secure:22.7:r2.1:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 22.7 Update R2.2
cpe:2.3:a:ivanti:connect_secure:22.7:r2.2:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 22.7 Update R2.3
cpe:2.3:a:ivanti:connect_secure:22.7:r2.3:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 22.7 Update R2.4
cpe:2.3:a:ivanti:connect_secure:22.7:r2.4:*:*:*:*:*:*
Matching versions
Ivanti » Connect Secure » Version: 22.7 Update R2.5
cpe:2.3:a:ivanti:connect_secure:22.7:r2.5:*:*:*:*:*:*
Matching versions
Ivanti » Policy Secure »
Versions before (<) 22.7
cpe:2.3:a:ivanti:policy_secure:*:-:*:*:*:*:*:*
Matching versions
Ivanti » Policy Secure
Versions up to, including, (<=) 22.8r2
cpe:2.3:a:ivanti:policy_secure:*:*:*:*:*:*:*:*
Matching versions
Ivanti » Policy Secure » Version: 22.7
cpe:2.3:a:ivanti:policy_secure:22.7:-:*:*:*:*:*:*
Matching versions
Ivanti » Policy Secure » Version: 22.7 Update R1
cpe:2.3:a:ivanti:policy_secure:22.7:r1:*:*:*:*:*:*
Matching versions
Ivanti » Policy Secure » Version: 22.7 Update R1.1
cpe:2.3:a:ivanti:policy_secure:22.7:r1.1:*:*:*:*:*:*
Matching versions
Ivanti » Policy Secure » Version: 22.7 Update R1.2
cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*:*:*
Matching versions
Ivanti » Policy Secure » Version: 22.7 Update R1.3
cpe:2.3:a:ivanti:policy_secure:22.7:r1.3:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.2 Update R1
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.2:r1:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: N/A
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:-:*:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.2 Update R4
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.2:r4:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.2 Update R5
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.2:r5:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.3 Update R1
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.3:r1:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.3 Update R4
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.3:r4:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.4 Update R1
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.4:r1:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.4 Update R3
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.4:r3:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.5 Update R1
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.5:r1:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.5 Update R1.2
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.5:r1.2:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.6 Update R1
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.6:r1:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.6 Update R1.2
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.6:r1.2:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.6 Update R1.3
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.6:r1.3:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.7 Update R1
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r1:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.7 Update R1.2
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r1.2:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.7 Update R2
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r2:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.7 Update R1.3
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r1.3:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.7 Update R1.4
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r1.4:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.7 Update R1.5
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r1.5:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.7 Update R2.2
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r2.2:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.7 Update R2.3
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r2.3:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.6 Update R1.5
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.6:r1.5:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.6 Update R1.6
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.6:r1.6:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.6 Update R1.7
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.6:r1.7:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.7 Update R1.6
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.7:r1.6:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.8 Update R1
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.8:r1:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.8 Update R1.1
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.8:r1.1:*:*:*:*:*:*
Matching versions
Ivanti » Neurons For Zero-trust Access » Version: 22.8 Update R2
cpe:2.3:a:ivanti:neurons_for_zero-trust_access:22.8:r2:*:*:*:*:*:*
Matching versions
Ivanti » Zero Trust Access
Versions up to, including, (<=) 22.8r2
cpe:2.3:a:ivanti:zero_trust_access:*:*:*:*:*:*:*:*
Matching versions

CVE-2025-22457 is in the CISA Known Exploited Vulnerabilities Catalog

This issue is known to have been leveraged as part of a ransomware campaign.

CISA vulnerability name:

Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability

CISA required action:

Apply mitigations as set forth in the CISA instructions linked below.

CISA description:

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contains a stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code execution.

Notes:

CISA Mitigation Instructions: https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-22457 ; Additional References: https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457 ; https://nvd.nist.gov/vuln/detail/CVE-2025-22457

Added on 2025-04-04 Action due date 2025-04-11

Exploit prediction scoring system (EPSS) score for CVE-2025-22457

EPSS FAQ

12.22%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 93 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2025-22457

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.0	CRITICAL	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H	2.2	6.0	ivanti	2025-04-03
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST	2025-04-08
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2025-22457

CWE-121 Stack-based Buffer Overflow

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Assigned by: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 (Secondary)
CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2025-22457

https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457

Vendor Advisory