Ivanti VPN Vulnerability Now Exploitable, Rapid7 Warns


A serious flaw in Ivanti’s Connect Secure VPN is now out in the open. Security firm Rapid7 has revealed that the issue leads to remote code execution (RCE). Hackers linked to China have already started exploiting the bug, tracked as CVE-2025-22457.

Ivanti quietly patched the flaw back in February. However, the company labeled it as a basic “product bug” and did not publish any security advisory or assign a CVE ID. That changed when Mandiant spotted the flaw being used in a real-world attack. Ivanti then confirmed the vulnerability and shared patch details.

The bug lies in the VPN’s web server. A specific HTTP header, X-Forwarded-For, can trigger a buffer overflow. When crafted the right way, the header value overflows a memory buffer and gives attackers full access to the server.

Rapid7 has now published a detailed breakdown. Their team showed how an attacker can go from a crash to full remote access using a few custom headers. They found that altering the length of the X-Forwarded-For value overruns the buffer's bounds, allowing code to run on the device.

Ivanti initially claimed the flaw could not cause remote code execution. They believed it didn’t meet the conditions for a denial-of-service risk either. But after further analysis, Ivanti admitted that the issue could be exploited by advanced attackers.

The company now advises all users to upgrade to Ivanti Connect Secure version 22.7R2.6. This version contains the proper fix. Ivanti also plans to roll out patches for Policy Secure on April 21 and ZTA Gateways on April 19.

The vulnerability affects Connect Secure versions 22.7R2.5 and earlier, and also impacts unsupported Pulse Connect Secure 9.x devices. These older versions are no longer safe to use. Ivanti strongly recommends switching away from them.
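The version boundaries above can be applied directly to an appliance inventory. The following Python sketch is an added example, not code from Ivanti or Rapid7; the hostnames are constructed, and it assumes version strings take the `22.7R2.5` form and can be ordered numerically component by component.

```python
import re

# Boundary taken from the article: 22.7R2.6 contains the fix,
# 22.7R2.5 and earlier are affected, Pulse Connect Secure 9.x is unsupported.
FIXED = (22, 7, 2, 6)
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch level counts as 0."""
    match = VERSION_RE.match(text)
    if not match:
        return None
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def classify(version_text):
    """Return 'fixed', 'affected', 'unsupported' or 'unknown' for one version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"          # unparseable: needs a manual look, never assume safe
    if version[0] == 9:
        return "unsupported"      # Pulse Connect Secure 9.x: retire, no fix coming
    if version < FIXED:
        return "affected"
    return "fixed"


def triage(inventory):
    """Group hostnames by status so the patch queue is explicit."""
    groups = {"affected": [], "unsupported": [], "unknown": [], "fixed": []}
    for host, version_text in inventory.items():
        groups[classify(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample inventory (hostnames and assignments are illustrative only).
SAMPLE_INVENTORY = {
    "vpn-edge-01.example.internal": "22.7R2.5",
    "vpn-edge-02.example.internal": "22.7R2.6",
    "vpn-legacy.example.internal": "9.1R18.9",
    "vpn-lab.example.internal": "22.7R2",
    "vpn-branch.example.internal": "not reported",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```

Hosts that land in `unknown` should be checked by hand rather than treated as patched.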

Rapid7 says attackers can easily test for the flaw. If they guess the wrong memory address, the server crashes and restarts. A crash log, therefore, may reveal signs of attempted exploitation. Companies should check their systems for these events.

The flaw has a CVSS score of 9.0, marking it as a critical security threat. Rapid7 highlighted how quickly they developed the exploit. It took them only four business days to move from an initial crash to full remote code execution.

This speed shows how skilled and well-funded attackers can exploit even quietly patched bugs. When vendors hide or downplay security issues, it gives hackers an advantage.

Organizations using Ivanti VPN appliances must act fast. Update to the latest version. Look for unusual server restarts or crash logs. And if you still run Pulse Connect Secure, it’s time to retire those systems.
