11 Apr

Researchers at Rapid7 published technical details and proof-of-concept exploit code for a critical vulnerability in Ivanti Connect Secure, tracked as CVE-2025-22457. The flaw, a stack-based buffer overflow, is confirmed to be actively exploited in the wild by a China-linked cyber-espionage group known as UNC5221. Although Ivanti shipped a fix in February, exploitation began before most customers had applied it.
The vulnerability resides in the HTTP(S) web server component of Ivanti's Connect Secure VPN appliances, specifically in the /home/bin/web binary. It originates in how the server processes HTTP headers, particularly the X-Forwarded-For header.
"An attacker may supply an X-Forwarded-For header value with a length greater than 50 characters and overflow the buff50 buffer on the stack," explains Rapid7's analysis.
The processing function does a superficial check using strspn to restrict the value to digits and periods (0123456789.), but that only constrains the character set, not the length: the value is then copied into a 50-byte stack buffer using strlcpy with no check against the buffer's capacity. (strlcpy only bounds a copy when its size argument is the destination's size; a size derived from the source length gives no protection.) This oversight opens the door to stack smashing even with the restricted character set.
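To make the pattern concrete, here is an added example in C. It is not Ivanti's or Rapid7's code and does not reconstruct the real binary: it shows a strspn character-set filter followed by a copy whose bound comes from the source rather than the destination, beside the hardened form whose bound is the destination capacity, plus a small scanner that reports the filtered length of an X-Forwarded-For value in a raw HTTP request so captured traffic can be triaged against the 50-byte threshold. The function names, the simulated stack frame with its canary, and the sample requests are all constructed for this example.

```c
/* Added example, not Ivanti's or Rapid7's code: the header-handling
 * pattern described above (strspn filter, then an unbounded copy into a
 * 50-byte stack buffer) beside a hardened version, plus a scanner for
 * triaging captured requests. Function names, the simulated frame and
 * the sample inputs are constructed for this example. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define XFF_BUF     50
#define XFF_CHARSET "0123456789."

/* The "superficial check": length of the leading run of permitted
 * characters. It constrains the character class, not the length. */
static size_t xff_filtered_len(const char *value)
{
    return strspn(value, XFF_CHARSET);
}

/* Vulnerable shape: the copy length comes from the source, so any
 * filtered prefix of XFF_BUF bytes or more runs past dst. Only the
 * canary demo below calls this, with a deliberately oversized frame. */
static size_t xff_copy_unchecked(const char *value, char *dst)
{
    size_t n = xff_filtered_len(value);
    memcpy(dst, value, n);
    dst[n] = '\0';
    return n;
}

/* Hardened shape: the bound is the destination capacity. Returns the
 * copied length, or -1 if the filtered prefix plus NUL would not fit. */
static int xff_copy_checked(const char *value, char *dst, size_t dstsz)
{
    size_t n = xff_filtered_len(value);
    if (n >= dstsz)
        return -1;
    memcpy(dst, value, n);
    dst[n] = '\0';
    return (int)n;
}

/* Triage helper for captured traffic: filtered length of the request's
 * X-Forwarded-For value, or 0 if the header is absent. A result of
 * XFF_BUF or more would overflow the vulnerable copy. Accepts CRLF or
 * LF line endings and stops at the blank line that ends the headers. */
static size_t scan_request_xff(const char *request)
{
    static const char name[] = "x-forwarded-for:";
    const size_t namelen = sizeof name - 1;
    const char *line = request;

    while (*line) {
        const char *eol = strpbrk(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);

        if (linelen == 0)                 /* end of header block */
            break;
        if (linelen >= namelen && strncasecmp(line, name, namelen) == 0) {
            const char *v = line + namelen;
            while (*v == ' ' || *v == '\t')
                v++;
            return xff_filtered_len(v);   /* strspn stops at CR/LF too */
        }
        if (!eol)
            break;
        line = (eol[0] == '\r' && eol[1] == '\n') ? eol + 2 : eol + 1;
    }
    return 0;
}

/* Stand-in for the vulnerable frame: buff50 followed by 8 bytes that in
 * the real binary would be saved registers or the return address.
 * Returns 1 if the copy reached past buff50 into those bytes. */
static int demo_clobbers_neighbour(int hardened)
{
    char frame[XFF_BUF + 8];
    const char marker[8] = "CANARY!";
    char xff[57];                         /* 56 chars, all in the charset */
    int i;

    for (i = 0; i < 56; i++)
        xff[i] = (i % 2) ? '.' : '1';
    xff[56] = '\0';

    memset(frame, 0, sizeof frame);
    memcpy(frame + XFF_BUF, marker, sizeof marker);
    if (hardened)
        (void)xff_copy_checked(xff, frame, XFF_BUF);
    else
        (void)xff_copy_unchecked(xff, frame);   /* writes frame[0..56] */
    return memcmp(frame + XFF_BUF, marker, sizeof marker) != 0;
}

int main(void)
{
    char out[XFF_BUF];
    int n;
    const char *req = "GET / HTTP/1.1\r\nHost: vpn.example\r\n"
                      "X-Forwarded-For: 203.0.113.7\r\n\r\n";

    printf("filtered XFF length in request: %zu\n", scan_request_xff(req));
    n = xff_copy_checked("203.0.113.7, 10.0.0.1", out, sizeof out);
    printf("checked copy: %d -> \"%s\"\n", n, out);
    printf("unchecked copy clobbers neighbour: %d\n", demo_clobbers_neighbour(0));
    printf("hardened copy clobbers neighbour:  %d\n", demo_clobbers_neighbour(1));
    return 0;
}
```

The canary stand-in shows the unchecked copy of a 56-character value writing past buff50 into the adjacent bytes, which in the real frame would be saved registers or the return address, while the hardened copy rejects the same value. The scanner applies only the strspn filter described above and is meant for offline triage of captured requests, not as a substitute for the patch.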
Ivanti initially underestimated the risk, classifying the bug as a non-exploitable product issue. "It was evaluated and determined not to be exploitable as remote code execution and didn't meet the requirements of denial of service," the company stated.
However, Rapid7's proof-of-concept shows otherwise. Even under the constraints imposed by the input filter, memory manipulation techniques let an attacker hijack the control flow. Worse still, no authentication is required and no user interaction is needed, which makes the flaw highly attractive to remote attackers.
Mandiant and Google’s Threat Intelligence Group have confirmed exploitation of CVE-2025-22457 by a Chinese-nexus espionage actor, which has been leveraging the flaw since mid-March 2025.
CVE-2025-22457 affects a wide range of Ivanti products:
- Ivanti Connect Secure versions 22.7R2.5 and earlier
- Pulse Connect Secure 9.1R18.9 and earlier (now end-of-support)
- Ivanti Policy Secure 22.7R1.3 and earlier
- Ivanti Neurons for ZTA Gateways 22.8R2 and earlier
Fixes have been staggered:
- Ivanti Connect Secure: patched in 22.7R2.6 (released February 2025)
- Policy Secure: patch expected April 21
- ZTA Gateways: patch scheduled April 19
In addition, Ivanti recommends:
- Monitoring the Integrity Checker Tool (ICT) for signs of compromise
- Watching for web server crashes
- Performing a factory reset if compromise is detected, then restoring the appliance with the patched software version
The security research community now has access to a public proof-of-concept exploit on GitHub. While this promotes transparency and helps defenders test and secure their infrastructure, it also significantly lowers the bar for threat actors to exploit this flaw at scale.
