
Critical Ivanti Security Updates: Addressing CVE-2025-22457 Vulnerability in Connect Secure, Policy Secure & ZTA Gateways

Discover the latest Ivanti security updates addressing CVE-2025-22457 in Connect Secure, Policy Secure, and ZTA Gateways. Learn about threat mitigation strategies and expert guidance.


TL;DR

Ivanti has released critical security updates to address the CVE-2025-22457 vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. This vulnerability, if exploited, could allow cyber threat actors to take control of affected systems. CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog. Users and administrators are urged to take immediate action, including threat hunting, applying patches, and monitoring authentication services.

Introduction

Ivanti has recently issued security updates to mitigate the vulnerability identified as CVE-2025-22457 in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. These updates are crucial because cyber threat actors could exploit this vulnerability to take control of affected systems. The Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2025-22457 in its Known Exploited Vulnerabilities Catalog, underscoring the severity of the issue [1].

Vulnerability Overview

The vulnerability CVE-2025-22457 affects multiple Ivanti products, including:

  • Ivanti Connect Secure
  • Ivanti Policy Secure
  • ZTA Gateways

If left unpatched, these systems are at risk of being compromised by malicious actors, potentially leading to unauthorized access and data breaches.

CISA Guidance

CISA strongly advises users and administrators to implement specific actions for any instances of Ivanti Connect Secure that were not updated by February 28, 2025, to the latest Ivanti patch (22.7R2.6). This guidance also extends to all instances of Pulse Connect Secure (EoS), Policy Secure, and ZTA Gateways.
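The scoping rule above (Connect Secure instances that were not on 22.7R2.6 by February 28, 2025, plus every Pulse Connect Secure, Policy Secure and ZTA Gateway instance) is easy to get wrong when versions are compared as plain strings. The following script, an added example that is not CISA's or Ivanti's code, parses version strings of the "22.7R2.6" form into numeric tuples and applies the rule to an inventory. The inventory layout, hostnames, versions and dates are constructed for the example.

```python
"""Triage an inventory of Ivanti gateways against the CISA guidance for CVE-2025-22457.

Added example, not CISA's or Ivanti's code. It assumes version strings in the
"22.7R2.6" form quoted in the guidance and an inventory layout constructed here.
"""
from dataclasses import dataclass
from datetime import date
import re

PATCHED_ICS_VERSION = "22.7R2.6"         # patch level named in the CISA guidance
ICS_PATCH_DEADLINE = date(2025, 2, 28)   # cut-off date named in the CISA guidance

# Assumed layout of an Ivanti version string: <major>.<minor>R<release>[.<patch>]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '22.7R2.6' into (22, 7, 2, 6) so versions compare numerically, not as strings."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


@dataclass(frozen=True)
class Appliance:
    name: str
    product: str        # "ICS" (Connect Secure), "PCS" (Pulse Connect Secure),
                        # "IPS" (Policy Secure) or "ZTA" (ZTA Gateway)
    version: str
    last_updated: date  # when the running version was installed


def needs_cisa_actions(a: Appliance) -> bool:
    """Apply the scoping rule from the guidance.

    Only Connect Secure instances that were already on 22.7R2.6 (or later) by
    2025-02-28 are out of scope. Every Pulse Connect Secure, Policy Secure and
    ZTA Gateway instance is in scope regardless of version.
    """
    if a.product != "ICS":
        return True
    patched = parse_version(a.version) >= parse_version(PATCHED_ICS_VERSION)
    in_time = a.last_updated <= ICS_PATCH_DEADLINE
    return not (patched and in_time)


def triage(inventory: list[Appliance]) -> list[str]:
    """Return the names of appliances that need the threat-hunting steps, sorted."""
    return sorted(a.name for a in inventory if needs_cisa_actions(a))


# Constructed sample inventory (hostnames, versions and dates are made up).
SAMPLE_INVENTORY = [
    Appliance("vpn-eu-1", "ICS", "22.7R2.6", date(2025, 2, 20)),   # patched in time
    Appliance("vpn-eu-2", "ICS", "22.7R2.6", date(2025, 3, 5)),    # patched, but late
    Appliance("vpn-us-1", "ICS", "22.7R2.5", date(2025, 1, 15)),   # still on an older build
    Appliance("nac-hq", "IPS", "22.7R1", date(2025, 2, 1)),        # Policy Secure: always in scope
    Appliance("zta-gw-1", "ZTA", "22.8R2", date(2025, 2, 10)),     # ZTA Gateway: always in scope
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: run the external ICT and threat hunt before patching")
```

Note that a late update to 22.7R2.6 does not take an instance out of scope: the guidance keys on whether the patch was in place by the cut-off date, not merely on the version running today, which is why `vpn-eu-2` is still listed.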

Mitigation Steps

Threat Hunting Actions

  1. Run an External Integrity Checker Tool (ICT): Follow Ivanti’s instructions for guidance.
  2. Conduct Threat Hunting: Perform threat hunting on systems connected to or recently connected to the affected Ivanti device.

If No Compromise is Detected

  1. Factory Reset: For the highest level of confidence, conduct a factory reset. For Cloud and Virtual systems, use an external known clean image of the device.
  2. Apply the Patch: Implement the patch described in the Security Advisory. Note that patches for Ivanti ZTA Gateways and Ivanti Policy Secure will be available on April 19 and 21, respectively. Consider disconnecting vulnerable devices until patches are available.
  3. Monitor Services: Keep an eye on authentication or identity management services that could be exposed.
  4. Audit Privilege Levels: Continue to audit privilege level access accounts.
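Steps 3 and 4 (monitor exposed authentication services and audit privileged accounts) become concrete once you have an export of the gateway's authentication events. The script below is an added example, not Ivanti's or CISA's code: it parses a constructed log layout (deliberately not the real Ivanti Connect Secure format, so adapt the regex to your export), lists every account that authenticated with the admin role, and flags admin logins by accounts outside an approved list or from outside the expected administrative subnet. The approved-admin baseline and subnet are constructed values.

```python
"""Review authentication events from a gateway for privileged-account misuse.

Added example, not Ivanti's or CISA's code. The log line layout below is
constructed for this example and is NOT the real Ivanti Connect Secure log
format; the baselines (approved admins, admin jump-host subnet) are constructed too.
"""
import ipaddress
import re

# Constructed line layout: "<ts> auth user=<name> role=<role> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) role=(?P<role>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample events (accounts and addresses are made up).
SAMPLE_LOG = """\
2025-04-04T08:01:10Z auth user=alice role=admin src=10.0.5.10 result=ok
2025-04-04T08:03:42Z auth user=bob role=user src=10.0.8.23 result=ok
2025-04-04T09:15:00Z auth user=svc-ldap role=admin src=203.0.113.77 result=ok
2025-04-04T09:16:31Z auth user=carol role=admin src=10.0.5.12 result=fail
2025-04-04T09:16:40Z auth user=carol role=admin src=10.0.5.12 result=ok
2025-04-04T10:00:05Z auth user=tmpadmin role=admin src=10.0.5.10 result=ok
"""

APPROVED_ADMINS = frozenset({"alice", "carol"})          # constructed baseline
ADMIN_SOURCE_NET = ipaddress.ip_network("10.0.5.0/24")   # constructed jump-host subnet


def parse_events(text: str) -> list[dict]:
    """Parse each well-formed line into a dict of fields; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def privileged_accounts_seen(text: str) -> set[str]:
    """Every account that successfully authenticated with the admin role (step 4 input)."""
    return {e["user"] for e in parse_events(text)
            if e["role"] == "admin" and e["result"] == "ok"}


def review_privileged_access(text: str,
                             approved_admins=APPROVED_ADMINS,
                             admin_net=ADMIN_SOURCE_NET) -> list[tuple[str, str, str]]:
    """Return (finding, user, src) tuples for successful admin logins that break the baseline."""
    findings = []
    for e in parse_events(text):
        if e["role"] != "admin" or e["result"] != "ok":
            continue
        if e["user"] not in approved_admins:
            findings.append(("unapproved_admin_account", e["user"], e["src"]))
        try:
            from_admin_net = ipaddress.ip_address(e["src"]) in admin_net
        except ValueError:          # unparsable source address: treat as unexpected
            from_admin_net = False
        if not from_admin_net:
            findings.append(("admin_login_from_unexpected_source", e["user"], e["src"]))
    return findings


if __name__ == "__main__":
    print("privileged accounts seen:", sorted(privileged_accounts_seen(SAMPLE_LOG)))
    for finding in review_privileged_access(SAMPLE_LOG):
        print("FINDING", *finding)
```

Two design choices matter here: only successful logins generate findings, so a single failed attempt does not drown the review in noise, and an unparsable source address is treated as unexpected rather than silently accepted, which is the safer default when reviewing a device that may have been tampered with.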

If Compromise is Detected

  1. Isolate Affected Instances: For devices confirmed to be compromised, isolate them from the network until the following guidance is completed and patches are applied.
  2. Forensic Image: Take a forensic image (including memory capture) or work with Ivanti to obtain a copy of the image.
  3. Disconnect Compromised Instances: Ensure all compromised instances are disconnected.
  4. Factory Reset: For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device.
  5. Revoke and Reissue Certificates, Keys, and Passwords: Revoke and reissue any connected or exposed certificates and keys, and reset the admin enable password, stored API keys, and the password of any local user defined on the gateway, including service accounts used for auth server configuration(s).
  6. Reset Domain Accounts: If domain accounts associated with the affected products have been compromised, reset passwords twice for on-premise accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments. For cloud-joined/registered devices, disable devices in the cloud to revoke the device tokens.
  7. Apply the Patch: Implement the patch described in the Security Advisory.
  8. Report to CISA and Ivanti: Immediately report any incidents to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870.

Additional Resources

For further information, see:

  • [April Security Update Ivanti](https://www.ivanti.com/blog/security-update-pulse-connect-secure-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways)
  • [Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457) Google Cloud Blog](https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability)

Disclaimer

The information in this report is provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Conclusion

The recent Ivanti security updates addressing CVE-2025-22457 are critical for maintaining the security of Ivanti Connect Secure, Policy Secure, and ZTA Gateways. Users and administrators are urged to follow the mitigation steps outlined by CISA to protect their systems from potential exploitation. Staying vigilant and proactive in applying these updates is essential for safeguarding against cyber threats.

References

  1. “Article Title”. CISA. Retrieved 2025-04-04.

This post is licensed under CC BY 4.0 by the author.