A critical, unauthenticated remote code execution vulnerability (CVE-2025-22457) exists in Ivanti Connect Secure, Policy Secure, and ZTA Gateways, allowing attackers to trigger a stack-based buffer overflow via crafted HTTP requests.
The Fix
The only effective remediation is to patch the affected Ivanti appliance. Client-side workarounds do not exist.
Primary Method: Patch to the Secure Version
1. Backup: In the admin console, navigate to System > Maintenance > Backup and create a full configuration backup.
2. Check Version: Go to System > About. You are vulnerable if running:
- Connect Secure versions before 22.7R2.6
- Policy Secure versions before 22.7R1.4
- ZTA Gateway versions before 22.8R2.2
3. Apply Patch: Download the correct firmware from the Ivanti support portal. In the admin console, go to System > Firmware Upgrade, upload the .sig file, and apply the update. The appliance will reboot.
If That Doesn't Work:
If you suspect a prior compromise, or if the Integrity Checker Tool (ICT) later flags issues, you must hunt for and remediate persistence.
1. Run the Integrity Checker Tool (ICT): After upgrading, run a full scan via System > Integrity Checker. Investigate any anomalies, particularly in /runtime/mtmp/lmdb or web directories like /home/webserver/htdocs/dana-na/css/.
2. Remediate Compromise: If ICT finds modified files:
- Follow Ivanti's guidance to quarantine or delete malicious files.
- Reset all local admin passwords under Authentication > Admin Users.
- Revoke and regenerate any API keys and certificates (System > Certificates).
- Consider a factory reset and restore from a clean backup if compromise is confirmed.
For Client-Side Monitoring Only:
While no client-side fix exists, you can monitor endpoints for post-exploitation activity. Use PowerShell to check for suspicious connections or processes related to your Ivanti gateway.
# Check for processes related to Ivanti/Pulse Secure clients
Get-Process | Where-Object {$_.ProcessName -like "Ivanti" -or $_.ProcessName -like "Pulse"} | Select-Object ProcessName, Id, Path
Monitor for network connections to your Ivanti appliance IP
$GatewayIP = "YOUR.IVANTI.IP.HERE"
Get-NetTCPConnection | Where-Object {$_.RemoteAddress -eq $GatewayIP} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcessVerify
Patching alone is not sufficient. Verification requires multiple steps:
1. Confirm Firmware Version: Re-check System > About to ensure the appliance is now running the patched version (22.7R2.6, 22.7R1.4, or 22.8R2.2 and later).
2. Review ICT Results: A clean, post-patch ICT scan with no critical file violations is required. Schedule regular ICT scans.
3. Monitor Logs: Enable enhanced logging and monitor web server logs for exploitation attempts, such as abnormally long X-Forwarded-For headers. Correlate with IPS/IDS alerts for CVE-2025-22457.
4. Test Functionality: Verify that VPN and other gateway services are operational for end-users after the patch and any remediation steps.
The most common mistake is patching without running the ICT, leaving behind persistent backdoors. Always combine patching with integrity checks and credential rotation.
RainCity Techworks