
Ivanti Connect Secure, Policy Secure, ZTA Gateways Flaw Under Active Exploitation

A vulnerability affecting Ivanti Connect Secure, Policy Secure, Neurons for ZTA Gateways, and Pulse Connect Secure is being actively exploited by a China-nexus threat actor, according to a recent alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The stack-based buffer overflow vulnerability is tracked as CVE-2025-22457 and is rated critical, with a CVSS v3.1 base score of 9.0. Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code on the appliance and take full control of it.

Mandiant reports that the vulnerability has been exploited in attacks on legacy VPN appliances by a threat actor it tracks as UNC5221. Malware was deployed after exploitation, and Mandiant has also observed the threat actor attempting to modify the Integrity Checker Tool so that the compromise would not be detected.

The vulnerability affects the following products:

  • Pulse Connect Secure (version 9.1x, which reached end-of-support December 31, 2024)
  • Ivanti Connect Secure (version 22.7R2.5 and earlier)
  • Policy Secure and Neurons for ZTA gateways

Ivanti fixed the vulnerability in Ivanti Connect Secure 22.7R2.6, which was released on February 11, 2025. No patch is being released for Pulse Connect Secure as the product has reached end of life. Customers still using the legacy solution should ensure they migrate to Ivanti Connect Secure or an alternative secure solution.
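The version boundaries above are easy to get wrong when triaging an appliance inventory by hand, because Ivanti's version strings (for example 22.7R2.5) do not sort correctly as plain text. The following is an added example, not Ivanti's or CISA's tooling, that parses those strings into comparable tuples and classifies each appliance against the facts stated in this article: Connect Secure 22.7R2.5 and earlier is vulnerable, 22.7R2.6 and later carries the fix, any 9.x Connect Secure build is end of life with no patch, and Policy Secure and ZTA Gateways are affected but should be reviewed against Ivanti's deployment guidance. The version format, product names and sample inventory are assumptions for illustration; this check is an inventory aid and does not replace running the external Integrity Checker Tool.

```python
import re
from typing import NamedTuple

# Assumed version format: "<major>.<minor>R<release>[.<patch>]", e.g. "22.7R2.5".
# A trailing build suffix such as "-1234" is ignored if present.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?")

# Ivanti Connect Secure 22.7R2.6 carries the fix for CVE-2025-22457 (released 2025-02-11).
FIXED_ICS = (22, 7, 2, 6)


class Triage(NamedTuple):
    status: str   # "vulnerable" | "patched" | "end-of-life" | "affected"
    action: str   # what the operator should do next


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse an Ivanti-style version string into a comparable tuple.

    A missing patch component ("22.7R2") is treated as patch 0, so that
    "22.7R2" < "22.7R2.5" < "22.7R2.6" compares correctly as tuples.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def triage(product: str, version: str) -> Triage:
    """Classify one appliance against CVE-2025-22457 using the article's stated boundaries."""
    v = parse_version(version)
    p = product.lower()

    # Pulse Connect Secure 9.1x (also reported by Ivanti as "ICS 9.X") reached
    # end of support on 2024-12-31 and receives no patch.
    if "pulse" in p or ("connect secure" in p and v[0] == 9):
        return Triage("end-of-life",
                      "no patch available: migrate to a supported product and threat hunt")

    if "connect secure" in p:
        if v >= FIXED_ICS:
            return Triage("patched", "no upgrade required for this CVE")
        return Triage("vulnerable",
                      "upgrade to 22.7R2.6 or later, run the external ICT and threat hunt")

    if "policy secure" in p or "zta" in p:
        return Triage("affected",
                      "verify the appliance is not Internet-facing per Ivanti guidance and threat hunt")

    raise ValueError(f"unknown product: {product!r}")


def triage_inventory(inventory: list[tuple[str, str, str]]) -> dict[str, Triage]:
    """Triage a list of (hostname, product, version) records keyed by hostname."""
    return {host: triage(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory for illustration; hostnames and builds are made up.
    SAMPLE_INVENTORY = [
        ("vpn-01", "Ivanti Connect Secure", "22.7R2.5"),
        ("vpn-02", "Ivanti Connect Secure", "22.7R2.6"),
        ("vpn-legacy", "Pulse Connect Secure", "9.1R18.9"),
        ("nac-01", "Ivanti Policy Secure", "22.7R1.3"),
    ]
    for host, result in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {result.status:12} {result.action}")
```

Tuple comparison is what makes the check reliable: a naive string comparison would rank "22.7R2.10" below "22.7R2.6". When extending the table to other products, keep the fixed-version constants next to the vendor advisory that established them so that the boundary is auditable.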

Ivanti has warned customers that Policy Secure should not be Internet facing, and if deployed according to Ivanti guidance, users are at a reduced risk from the vulnerability. Ivanti has also advised customers that the vulnerability cannot be exploited against Neurons for ZTA gateways when in production.

Ivanti is aware of limited cases of customers having the vulnerability exploited while running Ivanti Connect Secure 22.7R2.5 (or earlier versions) or Pulse Connect Secure 9.1x. There are no known instances of exploitation against Ivanti Policy Secure or Neurons for ZTA gateways.

Customers who had not updated to Ivanti Connect Secure 22.7R2.6 by February 28, 2025 should conduct threat hunting to determine whether the vulnerability has already been exploited. Threat hunting is also advised for all instances of Pulse Connect Secure (end of support), Policy Secure, and ZTA Gateways.

The recommended actions are to run the external Integrity Checker Tool (ICT) against each appliance and to conduct threat hunting on systems connected to the Ivanti devices. If evidence of exploitation is found, the affected devices should be isolated, a forensic image should be taken before any remediation changes are made, and compromised instances should be disconnected. If no compromise is identified, CISA still recommends a factory reset for the highest level of confidence. The full set of recommended actions is included in the CISA alert.

“Following initial identification of the compromise by Ivanti’s Integrity Checker Tool (ICT), Ivanti quickly investigated, identified the vulnerability and disclosed it to customers. Additionally, Ivanti partnered with Mandiant to provide additional information to defenders. Importantly, this vulnerability was fixed in ICS 22.7R2.6, released February 11, 2025, and customers running supported versions on their appliances and in accordance with the guidance provided by Ivanti have a significantly reduced risk. Customers running ICS 9.X (end of life) and 22.7R2.5 and earlier are encouraged to upgrade as soon as possible and follow the other actions outlined in the Security Advisory. Ivanti’s ICT has been successful in detecting potential compromise on a limited number of customers running ICS 9.X (end of life) and 22.7R2.5 and earlier versions,” explained Ivanti in a statement to The HIPAA Journal. “As network security devices and edge devices in particular remain a focus of sophisticated and highly persistent threat actors, Ivanti is committed to providing information to ensure defenders can take every possible step to secure their environments.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
