Policy Secure, Ivanti Connect Secure, and ZTA Gateways Vulnerabilities Detected
A recent advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) indicates that a China-nexus threat actor is actively exploiting a vulnerability impacting Ivanti Connect Secure, Neurons for ZTA Gateways, Policy Secure, and Pulse Connect Secure.
CVE-2025-22457 is a stack-based buffer overflow with a CVSS v3.1 base score of 9.0 (critical). An unauthenticated attacker who successfully exploits the vulnerability can achieve remote code execution and take full control of the affected system.
According to Mandiant, a threat actor tracked as UNC5221 exploited the vulnerability in attacks on older VPN appliances. After exploitation, the actor deployed malware and attempted to tamper with the Integrity Checker Tool to evade detection.
The vulnerability impacts the products listed below:
- Policy Secure and Neurons for ZTA gateways
- Pulse Connect Secure (version 9.1x – support ended on December 31, 2024)
- Ivanti Connect Secure (version 22.7R2.5 and earlier)
Ivanti fixed the vulnerability in Ivanti Connect Secure 22.7R2.6, released on February 11, 2025. No patch will be issued for Pulse Connect Secure because the product has reached end of life. Organizations still running the legacy product must migrate to Ivanti Connect Secure or another supported solution.
Ivanti has cautioned customers that Policy Secure should not be exposed to the public internet; when deployed according to Ivanti's guidance, customers are far less likely to be affected by the vulnerability. Ivanti has likewise informed customers that the vulnerability is not exploited against Neurons for ZTA Gateways when in production.
Ivanti is aware of some cases in which customers running Pulse Connect Secure 9.1x or Ivanti Connect Secure 22.7R2.5 (or earlier) were exploited. There are no known cases of exploitation against Policy Secure or Neurons for ZTA Gateways.
Customers who had not updated to the fixed version of Ivanti Connect Secure (22.7R2.6) by February 28, 2025 should threat-hunt to determine whether the vulnerability was exploited. Threat hunting is recommended for all instances of Policy Secure, Pulse Connect Secure (EoS), and ZTA Gateways.
The recommended actions are to run an external Integrity Checker Tool (ICT) scan and to threat-hunt on systems connected to the Ivanti devices. If evidence of exploitation is found, isolate the affected devices, capture a forensic image, and disconnect the compromised instances. If no compromise is found, CISA still advises a factory reset for the highest level of confidence. The detailed steps are set out in the CISA advisory.
After Ivanti's Integrity Checker Tool (ICT) identified initial signs of compromise, Ivanti promptly investigated, identified the vulnerability, and notified customers, including HIPAA-covered entities. Ivanti also worked with Mandiant to provide additional information to defenders. Notably, the vulnerability was fixed in ICS 22.7R2.6, released on February 11, 2025, and customers running supported versions on their appliances in line with Ivanti's guidance are at considerably lower risk. Customers running ICS 9.X (end of life) or 22.7R2.5 and earlier are urged to update immediately and follow the other steps specified in the Security Alert. Ivanti's ICT found potential compromises on a few customers running ICS 9.X (end of life) and 22.7R2.5 and earlier. As threat actors continue to target network security devices and legacy appliances, Ivanti will continue to share information so that defenders can take the necessary steps to protect their environments.
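The version boundaries above (22.7R2.5 and earlier vulnerable, 22.7R2.6 fixed, 9.1x end of life with no patch, Policy Secure and ZTA gateways hunt-only because this page names no fixed build for them) can be turned into an inventory triage check. The following is an added example, not code from Ivanti or CISA; the hostnames and inventory rows are constructed placeholders, and the version-string grammar `MAJOR.MINORrRELEASE[.PATCH]` is assumed from the build numbers quoted on this page.

```python
import re
from typing import NamedTuple

ICS_FIXED = "22.7R2.6"  # fixed Ivanti Connect Secure build named in the advisory

class IvantiVersion(NamedTuple):
    major: int
    minor: int
    release: int
    patch: int

# Assumed grammar: "22.7R2.5", "22.7R2" (patch defaults to 0), "9.1R18.9".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text: str) -> IvantiVersion:
    """Parse an Ivanti build string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return IvantiVersion(int(major), int(minor), int(release), int(patch or 0))

def assess(product: str, version: str) -> str:
    """Triage one appliance against CVE-2025-22457 using the page's boundaries.

    'eol-no-patch'  Pulse Connect Secure 9.1x: no fix will ship; migrate.
    'vulnerable'    Connect Secure at or below 22.7R2.5: update and hunt.
    'patched'       Connect Secure 22.7R2.6 or later.
    'hunt'          Policy Secure / ZTA gateways: no fixed build is given
                    here, so threat hunting is the recommended action.
    """
    v = parse_version(version)
    p = product.lower()
    if "pulse" in p or ("connect secure" in p and v.major == 9):
        return "eol-no-patch"
    if "connect secure" in p:
        return "vulnerable" if v < parse_version(ICS_FIXED) else "patched"
    return "hunt"

# Constructed sample inventory; hostnames are placeholders.
INVENTORY = [
    ("vpn-01.example.test", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-02.example.test", "Ivanti Connect Secure", "22.7R2.6"),
    ("vpn-legacy.example.test", "Pulse Connect Secure", "9.1R18.9"),
    ("ips-01.example.test", "Ivanti Policy Secure", "22.7R1.2"),
]

def triage(inventory):
    """Map each host to its triage status."""
    return {host: assess(product, ver) for host, product, ver in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

A "patched" result only means the build is at or above the fixed version; it does not replace the external ICT scan and threat hunt the advisory calls for on appliances that were exposed before updating.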