DIVD-2025-00010 - Stack-based buffer overflow in Ivanti Connect Secure
| Our reference | DIVD-2025-00010 |
| Case lead | Stan Plasmeijer |
| Researcher(s) |
|
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | Update to Ivanti Connect Secure version 22.7R2.6 or later. |
| Patch status | Fully patched, for supported versions |
| Workaround | There is no known effective workaround. Updating is strongly recommended. |
| Status | Open |
| Last modified | 04 Apr 2025 22:37 CEST |
Summary
Ivanti Connect Secure is an SSL VPN solution. A critical stack-based buffer overflow (CVE-2025-22457) in versions up to 22.7R2.5 can be exploited by unauthenticated remote attackers via a custom HTTP header (default: X-Forwarded-For).
Although initially categorized as non-exploitable due to input restrictions (0-9 and . only), further investigation and real-world exploitation have shown that remote code execution is possible. The issue was patched in version 22.7R2.6, released on February 11, 2025.
Ivanti has confirmed that limited exploitation has occurred in the wild against vulnerable Ivanti Connect Secure and legacy Pulse Connect Secure instances.
Recommendations
Update to Ivanti Connect Secure version 22.7R2.6 or later immediately. This update was released in February 2025 and resolves the vulnerability.
Pulse Connect Secure 9.x is no longer supported and will not receive a patch. Organizations should immediately decommission or replace these systems to prevent potential exploitation.
What we are doing
DIVD is currently working to identify parties that are running a vulnerable version of Ivanti Connect Secure and to notify these parties.
Timeline
| Date | Description |
|---|---|
| 04 Apr 2025 | DIVD starts researching the vulnerability. |
| 04 Apr 2025 | DIVD finds fingerprint, preparing to scan. |
| 04 Apr 2025 | Case opened and starting first scan. |
| 04 Apr 2025 | DIVD starts notifying network owners with a vulnerable devices in their network. |