Ivanti VPNs at Risk
A critical vulnerability tracked as CVE-2025-22457 is actively being exploited by China-linked threat actors, putting over 5,000 Ivanti Connect Secure VPN instances at risk. The stack-based buffer overflow flaw, initially underestimated, enables remote code execution and has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog. Despite a patch released in February, many outdated systems remain unprotected, particularly Pulse Connect Secure 9.x, which reached end-of-support in December 2024.
Shadowserver telemetry revealed that as of April 6, 5,113 vulnerable VPN instances were detected, with concentrations in the U.S., Japan, and China. That number has only slightly decreased, signaling slow remediation. Ivanti acknowledged that while Connect Secure devices are the primary targets, other products like Ivanti Policy Secure and ZTA Gateways may also be at risk under specific configurations. Patch releases are scheduled for those platforms later in April, but Ivanti strongly advises customers to migrate from unsupported versions to mitigate threats.
This incident underscores the high stakes of delayed patching and highlights how persistent vulnerabilities in VPN infrastructure can become prime targets for nation-state cyber-espionage. Mandiant’s discovery of remote code execution by suspected Chinese actors illustrates the importance of reassessing risk post-disclosure. As critical VPNs continue to serve as access points for remote workers and administrators, ensuring timely updates and proper segmentation is essential for reducing exposure.
Wright, Rob. 2025. “Over 5K Ivanti VPNs Vulnerable to Critical Bug Under Attack.” Cybersecurity Dive. Apr. 8.
READ: https://bit.ly/44kJvGy