Ivanti Connect Secure - RCE (CVE-2025-22457)

CVE-2025-22457 is a critical stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Gateways, allowing remote unauthenticated attackers to execute arbitrary code on affected systems. This flaw could be exploited to gain full control over the targeted devices, potentially leading to data breaches, system compromise, or further attacks within the network.

CrowdSec has been tracking this vulnerability and its exploits since 3rd of September 2025.

CrowdSec network data shows that most actors exploiting CVE-2025-22457 rely on broad, untargeted scans with minimal filtering. The activity is largely automated and opportunistic in nature. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2025-22457. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.

Attackers exploit this vulnerability by sending specially crafted HTTP requests with an oversized X-Forwarded-For header to the /dana-na/auth/url_default/welcome.cgi endpoint, aiming to trigger a stack-based buffer overflow and achieve remote code execution.