A critical vulnerability, identified as CVE-2025-22457, has been discovered in Ivanti Connect Secure (ICS) VPN appliances. This flaw is being actively exploited in the wild, allowing attackers to execute arbitrary code remotely. Review the details within this Cybersecurity Threat Advisory to mitigate potential security breaches.

What is the threat?

CVE-2025-22457 is a buffer overflow vulnerability affecting ICS versions 9.X and prior, as well as 22.7R2.5 and prior. It enables unauthenticated remote code execution (RCE), granting attackers control over compromised devices. The vulnerability was patched in February 2025 with the release of version 22.7R2.6. However, exploitation was observed around mid-March, indicating that attackers analyzed the patch to develop exploits for unpatched systems.

Why is it noteworthy?

This vulnerability is particularly concerning because active exploitation occurred shortly after the patch was released. It allows for RCE without authentication, significantly increasing the potential for widespread compromise. The deployment of custom malware targeting these appliances further highlights the sophistication and persistence behind the exploitation activity. Organizations with exposed Ivanti Connect Secure appliances are especially at risk if patches are not applied promptly.

What is the exposure or risk?

Organizations using vulnerable versions of ICS are at significant risk of unauthorized access, data exfiltration, and further network compromise. Successful exploitation can lead to malware deployment, lateral movement within the network, and potential disruption of critical services.

What are the recommendations?

Barracuda recommends the following actions to secure your environment against this threat:

  • Upgrade to the latest supported software version immediately to mitigate the vulnerability.
  • Implement continuous monitoring to detect unusual activity indicative of exploitation attempts or successful breaches.
  • Ensure that access controls are stringent and limit exposure of ICS appliances to the internet where possible.
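To turn the upgrade recommendation into a work queue, the sketch below classifies an appliance inventory against the fixed release named in this advisory (22.7R2.6). It is an added example, not Barracuda or Ivanti code; the `major.minorRrelease.patch` version layout, the hostnames and the sample versions are assumptions constructed for illustration.

```python
import re

# First fixed release named in the advisory; everything older is affected.
FIXED = (22, 7, 2, 6)

# Assumed version layout: <major>.<minor>R<release>[.<patch>], e.g. "22.7R2.5".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, release, patch), or None if the string does not match."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    # A missing patch component (e.g. "22.7R2") is treated as patch level 0.
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def classify(text):
    """Map a reported version string to 'affected', 'patched' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # needs manual review; never assume patched
    return "patched" if version >= FIXED else "affected"


def triage(inventory):
    """Group hostnames by status so the upgrade queue is explicit."""
    report = {"affected": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        report[classify(version)].append(host)
    return report


# Constructed inventory: hostnames and versions are sample values.
SAMPLE_INVENTORY = {
    "vpn-edge-01": "22.7R2.5",
    "vpn-edge-02": "22.7R2.6",
    "vpn-legacy": "9.1R18.9",
    "vpn-lab": "22.7R2",
    "vpn-dr": "n/a",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(sorted(hosts)) or '-'}")
```

Hosts reported as `unknown` should be checked by hand rather than treated as patched.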


If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.



Posted by Adam Forbes

Adam is a Cybersecurity Analyst at Barracuda MSP. He's a security expert, working on our Blue Team within our Security Operations Center. Adam supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
