CISA Adds Ivanti Connect Secure and Related Flaws to Known Exploited Vulnerabilities Catalog
TL;DR
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, tracked as CVE-2025-22457, allows for remote code execution and has been actively exploited by a China-linked threat actor since mid-March 2025.
Main Content
CISA Adds Critical Ivanti Vulnerability to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Ivanti Connect Secure vulnerability, tracked as CVE-2025-22457, to its Known Exploited Vulnerabilities (KEV) catalog [1]. The flaw is a stack-based buffer overflow that allows unauthenticated remote code execution.
Active Exploitation and Security Updates
Early this month, Ivanti released security updates to address the critical Connect Secure remote code execution vulnerability, CVE-2025-22457. The vulnerability has been exploited by a China-linked threat actor since at least mid-March 2025. Ivanti did not disclose details of the attacks, but researchers at Mandiant and Google Threat Intelligence Group (GTIG) have linked the exploitation attempts to a suspected China-linked cyberespionage group tracked as UNC5221 [2].
Affected Products and Mitigation
The flaw impacts the following Ivanti products:
- Ivanti Connect Secure (version 22.7R2.5 and earlier)
- Pulse Connect Secure 9.x (end-of-support as of December 31, 2024)
- Ivanti Policy Secure
- ZTA Gateways
Ivanti addressed the vulnerability with the release of Connect Secure 22.7R2.6 on February 11, 2025. The company has also announced plans to release security patches for ZTA and Policy Secure gateways on April 19 and 21, respectively.
Recommendations for Admins
Ivanti urges administrators to monitor the Integrity Checker Tool (ICT) for signs of web server crashes, and to factory-reset any device that shows signs of compromise before redeploying it on version 22.7R2.6.
Threat Actor Activities
According to Google GTIG, UNC5221 has exploited the flaw since mid-March 2025, which is the earliest evidence of CVE-2025-22457 exploitation. Following successful exploitation, GTIG observed the deployment of two newly identified malware families, TRAILBLAZE and BRUSHFIRE, alongside the SPAWN ecosystem of malware already attributed to UNC5221 [3].
CISA Directives and Federal Agency Compliance
In accordance with Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must address the identified vulnerabilities by the specified due date to protect their networks against attacks exploiting the flaws in the catalog [4]. CISA has ordered federal agencies to fix this vulnerability by April 11, 2025.
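The affected-product list, the 22.7R2.6 fix and the April 11, 2025 BOD 22-01 due date above translate directly into an inventory triage. The following script is an added example, not Ivanti's or CISA's tooling: it parses Ivanti build strings of the form 22.7R2.5, classifies each appliance against the remediation facts stated in this article, and flags findings that are past the KEV due date. The hostnames, the inventory and the Policy Secure build number are constructed for illustration.

```python
import re
from datetime import date

# Facts taken from the advisory above; hostnames and sample versions are constructed.
FIXED_CONNECT_SECURE = "22.7R2.6"    # first fixed Connect Secure build (2025-02-11)
KEV_DUE_DATE = date(2025, 4, 11)     # BOD 22-01 remediation due date for FCEB agencies
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_ivanti_version(version):
    """'22.7R2.5' -> (22, 7, 2, 5); a missing trailing patch number counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

def assess(product, version):
    """Classify one appliance's CVE-2025-22457 remediation state from product and build."""
    v = parse_ivanti_version(version)
    if product == "Connect Secure":
        # Advisory: 22.7R2.5 and earlier affected, 22.7R2.6 fixed. Tuples, not strings,
        # are compared so that a future 22.7R2.10 would not sort below 22.7R2.6.
        return "patched" if v >= parse_ivanti_version(FIXED_CONNECT_SECURE) else "vulnerable"
    if product == "Pulse Connect Secure":
        # 9.x reached end-of-support on 2024-12-31: no fix, so replace or migrate.
        return "vulnerable-end-of-support" if v[0] == 9 else "unknown"
    if product in ("Policy Secure", "ZTA Gateways"):
        # Vendor patches were announced for April 19 and 21; treat as exposed until applied.
        return "awaiting-vendor-patch"
    return "unknown"

def triage(inventory, today_iso):
    """Return a finding per appliance still needing action, flagging ones past the KEV due date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host, product, version in inventory:
        status = assess(product, version)
        if status == "patched":
            continue
        findings.append({"host": host, "product": product, "version": version,
                         "status": status, "kev_overdue": today > KEV_DUE_DATE})
    return findings

# Constructed sample inventory for illustration only.
SAMPLE_INVENTORY = [
    ("vpn-east-01", "Connect Secure", "22.7R2.5"),
    ("vpn-east-02", "Connect Secure", "22.7R2.6"),
    ("vpn-legacy-01", "Pulse Connect Secure", "9.1R18.9"),
    ("nac-core-01", "Policy Secure", "22.7R1.2"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY, "2025-04-14"):
        print(finding)
```

Feed it the product and build strings from your own asset inventory; anything not reported as "patched" needs action, and the overdue flag tells you whether the BOD 22-01 deadline has already passed.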
Conclusion
The addition of CVE-2025-22457 to CISA’s KEV catalog underscores the urgent need for organizations to update their systems and implement robust security measures. By staying vigilant and proactive, both federal agencies and private organizations can mitigate the risks associated with this critical vulnerability.
References
[1] U.S. Cybersecurity and Infrastructure Security Agency (CISA), Known Exploited Vulnerabilities catalog entry for CVE-2025-22457. Retrieved 2025-04-07.
[2] Ivanti, on the attribution of the CVE-2025-22457 exploitation attempts to UNC5221 by Mandiant and Google Threat Intelligence Group (GTIG). Retrieved 2025-04-07.
[3] Google Threat Intelligence Group (GTIG), on UNC5221's exploitation of the flaw since March 2025 to deploy TRAILBLAZE, BRUSHFIRE and SPAWN malware. Retrieved 2025-04-07.
[4] CISA, Binding Operational Directive (BOD) 22-01 and the remediation requirements for FCEB agencies. Retrieved 2025-04-07.