Alert - Vulnerability impacting Ivanti Connect Secure, Policy Secure and ZTA Gateways

Number: AL25-004
Date: April 4, 2025

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On April 3, 2025, Ivanti released a security bulletin for Ivanti Connect Secure, Policy Secure, and ZTA Gateways addressing a critical vulnerability (CVE-2025-22457) affecting these products (Footnotes 1 and 3). The vulnerability has been assigned a CVSS severity rating of 9.0 out of 10 (Footnote 3).

CVE-2025-22457 is a stack-based buffer overflow vulnerability that could allow a remote unauthenticated attacker to achieve remote code execution.

In response to this security bulletin, the Cyber Centre released AV25-184 on April 3, 2025 (Footnote 2).

The following Ivanti products are affected by this vulnerability:

  • Ivanti Connect Secure – version 22.7R2.5 and prior
  • Pulse Connect Secure (EoS) – version 9.1R18.9 and prior
  • Ivanti Policy Secure – version 22.7R1.3 and prior
  • ZTA Gateways – version 22.8R2 and prior

Note that customers have a significantly reduced risk from this vulnerability if they are running Ivanti appliances on supported versions and in accordance with Ivanti's guidance: Ivanti always encourages customers to remain on the latest version of a solution so they can benefit from important security and product enhancements (Footnote 1).

The Cyber Centre is aware of reports that this vulnerability has been exploited (Footnote 4).

Suggested actions

The Cyber Centre strongly recommends that organizations patch the affected Ivanti instances to the following versions (Footnote 1):

  • Ivanti Connect Secure – version 22.7R2.6 (released February 11, 2025)
  • Pulse Connect Secure (EoS) – version 22.7R2.6 (Footnote 5)
  • Ivanti Policy Secure – version 22.7R1.4 (available April 21, 2025)
  • ZTA Gateways – version 22.8R2 (available April 19, 2025)

Ivanti also recommends that customers monitor their external Integrity Checker Tool (ICT) and contact Ivanti Support if suspicious activity is identified.

The Cyber Centre recommends that organizations:

  • Assess the installations of the affected Ivanti products and monitor for signs of exploitation.
  • Apply software patches to affected Ivanti products as soon as they become available.
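
To support the assessment step, the following added example (not part of the Cyber Centre's Alert and not Ivanti tooling) triages an appliance inventory against the affected-version thresholds listed above. The `major.minorRrelease.patch` parsing rule is an assumption inferred from the version strings in this Alert, and the host names and inventory rows are constructed.

```python
import re

# Highest affected version per product, copied from this Alert's affected list.
AFFECTED_UP_TO = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Pulse Connect Secure": "9.1R18.9",
    "Ivanti Policy Secure": "22.7R1.3",
    "ZTA Gateways": "22.8R2",
}

# Assumed format: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5 or 22.8R2.
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch level counts as 0."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())

def is_affected(product, version):
    """True when version is at or below the Alert's threshold for product."""
    # Numeric comparison matters: as plain strings, '9.1R9.0' sorts after
    # '9.1R18.9' and an affected appliance would be missed.
    return parse_version(version) <= parse_version(AFFECTED_UP_TO[product])

def triage(inventory):
    """Label each (host, product, version) row. Unknown products and
    unparseable versions go to manual review instead of passing as safe."""
    rows = []
    for host, product, version in inventory:
        try:
            status = "AFFECTED" if is_affected(product, version) else "OK"
        except (KeyError, ValueError):
            status = "REVIEW"
        rows.append((host, product, version, status))
    return rows

SAMPLE_INVENTORY = [  # constructed sample data, not real hosts
    ("vpn-edge-01", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-edge-02", "Ivanti Connect Secure", "22.7R2.6"),
    ("vpn-legacy", "Pulse Connect Secure", "9.1R9.0"),
    ("nac-01", "Ivanti Policy Secure", "22.7R1.4"),
    ("vpn-lab", "Ivanti Connect Secure", "unknown"),
]

if __name__ == "__main__":
    for host, product, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {product:22} {version:10} {status}")
```

A row marked OK only means the version is above the threshold in this Alert; it says nothing about whether the appliance was compromised before it was patched.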

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions (Footnote 6) with an emphasis on the following strategies:

  • Consolidate, monitor, and defend Internet gateways.
  • Patch operating systems and applications.
  • Isolate web-facing applications.

If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.
