Skip to the content.

DIVD-2025-00010 - Stack-based buffer overflow in Ivanti Connect Secure

Our reference DIVD-2025-00010
Case lead Stan Plasmeijer
Researcher(s)
CVE(s)
Products
  • Ivanti Connect Secure
Versions
  • Up to version 22.7R2.5
Recommendation Update to Ivanti Connect Secure version 22.7R2.6 or later.
Patch status Fully patched, for supported versions
Workaround There is no known effective workaround. Updating is strongly recommended.
Status Open
Last modified 04 Apr 2025 22:08 CEST

Summary

Ivanti Connect Secure is an SSL VPN solution. A critical stack-based buffer overflow (CVE-2025-22457) in versions up to 22.7R2.5 can be exploited by unauthenticated remote attackers via a custom HTTP header (default: X-Forwarded-For).

Although initially categorized as non-exploitable due to input restrictions (0-9 and . only), further investigation and real-world exploitation have shown that remote code execution is possible. The issue was patched in version 22.7R2.6, released on February 11, 2025.

Ivanti has confirmed that limited exploitation has occurred in the wild against vulnerable Ivanti Connect Secure and legacy Pulse Connect Secure instances.

Recommendations

Update to Ivanti Connect Secure version 22.7R2.6 or later immediately. This update was released in February 2025 and resolves the vulnerability.

Pulse Connect Secure 9.x is no longer supported and will not receive a patch. Organizations should immediately decommission or replace these systems to prevent potential exploitation.

What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of Ivanti Connect Secure and to notify these parties.

Timeline

Date Description
04 Apr 2025 DIVD starts researching the vulnerability.
04 Apr 2025 DIVD finds fingerprint, preparing to scan.
04 Apr 2025 Case opened and starting first scan.
gantt title DIVD-2025-00010 - Stack-based buffer overflow in Ivanti Connect Secure dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2025-00010 - Stack-based buffer overflow in Ivanti Connect Secure (still open) :2025-04-04, 2025-04-11 section Events DIVD starts researching the vulnerability. : milestone, 2025-04-04, 0d DIVD finds fingerprint, preparing to scan. : milestone, 2025-04-04, 0d Case opened and starting first scan. : milestone, 2025-04-04, 0d

More information