Executive Summary
- CVSS: 9.8 (Critical)
- Affected Products: Ivanti Connect Secure ≤22.7R2.5, Pulse Connect Secure ≤9.1R18.9 (EoS), Ivanti Policy Secure ≤22.7R1.3, ZTA Gateways ≤22.8R2
- Urgency: Emergency – Actively exploited by China-nexus UNC5221 since March 2025; enables unauthenticated remote code execution on edge VPN appliances.
- Impact: Full system compromise; high confidentiality, integrity, and availability impact.
Vulnerability Overview
CVE-2025-22457 is a stack-based buffer overflow (CWE-121 / CWE-787) in Ivanti VPN appliances. It resides in the /home/bin/web HTTP(S) server binary’s processing of the X-Forwarded-For header. The service allocates a fixed 50-byte buffer without proper bounds checking, enabling an overflow when processing oversized header values. No authentication or user interaction is required.
Root cause: Improper input length validation in header handling logic.
Unauthenticated remote code execution on a VPN gateway is a worst-case initial access scenario. Organizations running Ivanti infrastructure need to know their patch status and whether UNC5221 TTPs are in their detection coverage.
Noorstream delivers threat intelligence, vulnerability management, and offensive security assessments for high-risk environments.
Attack Vector
- Preconditions: Internet-exposed VPN web interface.
- Method:
- Send crafted HTTP request with oversized numeric-only X-Forwarded-For header.
- Trigger stack overflow to overwrite context variable pointers.
- Redirect execution flow into attacker-controlled heap memory after a ~2.3GB heap spray.
- Constraints: Payload restricted to digits (0–9) and periods; requires advanced heap manipulation.
- Outcome: Remote code execution in web server context, enabling appliance takeover.
Exploitation Status
- PoC: Functional RCE exploit code developed within four business days of patch release.
- In the Wild: Yes — exploited by UNC5221 since mid-March 2025.
- Threat Actor: UNC5221 — China-linked cyber-espionage group targeting VPNs, firewalls, routers.
- Observed Campaigns: Targeted defense, telecom, financial, aerospace, and technology sectors.
- Post-Exploitation Payloads:
- TRAILBLAZE — in-memory loader for BRUSHFIRE.
- BRUSHFIRE — persistent passive backdoor.
- SPAWN suite — installer, tunneler, SSH backdoor.
Mitigation Steps
Immediate:
- Patch:
- Ivanti Connect Secure → 22.7R2.6
- Policy Secure → 22.7R1.4
- ZTA Gateways → 22.8R2.2
- Pulse Connect Secure: migrate (EoS).
- Disconnect unpatched devices from the internet.
Threat Hunting:
- Run Ivanti’s external Integrity Checker Tool (ICT).
- Review authentication logs for anomalies.
- Search HTTP logs for malicious X-Forwarded-For activity (oversized, digits-only header values).
If Compromised:
- Isolate device, capture forensic images & memory.
- Factory reset from clean external image.
- Reissue all credentials, keys, and certificates.
- Reset domain accounts twice; revoke Kerberos tickets.
Hardening:
- Remove direct internet exposure where possible.
- Segment networks to contain breach paths.
- Monitor VPN-facing assets with EDR.
High-Risk Indicators
- File Path: /tmp/* (suspicious naming patterns). Confidence: High
- Process Injection: web server process with injected TRAILBLAZE payload. Confidence: High
- Log String: ERROR31093: Program web recently failed. (Confidence: Medium)
- Network Pattern: Repeated long X-Forwarded-For headers from Tor/VPN IPs. Confidence: High
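As an added hunting example (not Ivanti's or Noorstream's code), the script below applies the two header facts stated above, the 50-byte buffer and the digits-and-periods-only payload constraint, to constructed records of source IP and X-Forwarded-For value, and reports sources that repeat such headers. The tab-separated record format, the repeat threshold and the choice to flag values strictly longer than 50 bytes are assumptions.

```python
import re
from collections import Counter

# Buffer size named in the advisory; values longer than it would overrun an
# unpatched appliance (assumption: flag strictly more than 50 bytes).
XFF_BUFFER_LEN = 50
# Exploitation constraint from the advisory: payload limited to digits and periods.
DIGITS_AND_DOTS = re.compile(r"^[0-9.]+$")

def classify_xff(value: str) -> str:
    """'benign', 'oversized' (longer than the buffer but shaped like a real proxy
    chain) or 'overflow_candidate' (oversized AND only digits/periods)."""
    v = value.strip()
    if len(v) <= XFF_BUFFER_LEN:
        return "benign"
    if DIGITS_AND_DOTS.match(v):
        return "overflow_candidate"
    return "oversized"

def hunt(records, repeat_threshold=3):
    """Scan 'src_ip<TAB>xff_value' records (constructed format, an assumption);
    return non-benign findings plus sources that repeat them (the advisory's
    'repeated long X-Forwarded-For headers' pattern)."""
    findings, per_source = [], Counter()
    for rec in records:
        if "\t" not in rec:
            continue
        src, xff = rec.strip().split("\t", 1)
        verdict = classify_xff(xff)
        if verdict == "benign":
            continue
        per_source[src] += 1
        findings.append((src, verdict, len(xff.strip())))
    repeated = {s: n for s, n in per_source.items() if n >= repeat_threshold}
    return {"findings": findings, "repeated_sources": repeated}

# Constructed sample records (not real traffic); documentation IP ranges only.
SAMPLE_RECORDS = [
    "203.0.113.7\t198.51.100.23",                         # normal single hop
    "203.0.113.7\t198.51.100.23, 10.0.0.5",               # normal two-hop chain
    "198.51.100.9\t" + "1." * 40 + "1",                   # 81 bytes, digits/periods only
    "198.51.100.9\t" + "9" * 120,                         # 120 bytes, digits only
    "198.51.100.9\t" + "192.168.0.1, " * 6 + "10.1.1.1",  # 86 bytes, but comma-separated
    "203.0.113.44\t" + "7.7" * 30,                        # 90 bytes, digits/periods only
]

if __name__ == "__main__":
    for src, verdict, length in hunt(SAMPLE_RECORDS)["findings"]:
        print(f"{src:<14} {verdict:<19} len={length}")
    print("repeated sources:", hunt(SAMPLE_RECORDS)["repeated_sources"])
```

Legitimate multi-hop chains can exceed 50 bytes, so "oversized" findings are worth reviewing on an unpatched appliance but only "overflow_candidate" values match the exploit's character constraint.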