CISA flags Ivanti VPN Flaw amid ongoing espionage attacks
Kirsten Peremore
Apr 15, 2025 3:44:55 PM

In April 2025, Ivanti disclosed a critical stack-based buffer-overflow vulnerability (CVE-2025-22457) affecting its Connect Secure and related products, which had been actively exploited by the China-linked threat group UNC5221 since mid-March in a cyber espionage campaign.
What happened
On April 3, 2025, Ivanti disclosed a critical stack-based buffer overflow vulnerability, CVE-2025-22457, affecting several products, including Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA gateway appliances. Initially, Ivanti misclassified the flaw as a non-exploitable product bug.
However, new research revealed that the flaw had been actively exploited in the wild since mid-March 2025. On April 7, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-22457 to its Known Exploited Vulnerabilities (KEV) catalog, highlighting its severe impact. According to cybersecurity firm Mandiant, a China-nexus threat group known as UNC5221 exploited the vulnerability in a cyber espionage campaign targeting Ivanti Connect Secure VPN devices.
According to Mandiant, UNC5221 studied the patch released in ICS version 22.7R2.6 on February 11, 2025, and worked out how to turn the bug into remote code execution on earlier versions such as 22.7R2.5. Ivanti confirmed limited exploitation among customers running ICS 22.7R2.5 or earlier and end-of-support Pulse Connect Secure 9.1x appliances, and urged users to upgrade, run Ivanti's Integrity Checker Tool (ICT), and consider factory resets and audits of privileged accounts.
In the know
The CISA KEV catalog functions as a centralized and authoritative resource that identifies vulnerabilities known to be actively exploited in the wild. The catalog serves a critical role in national cybersecurity by alerting organizations, including those in the healthcare sector, to prioritize remediation of the most urgent security flaws that pose a real-world threat. For healthcare organizations, which often rely on complex and interconnected digital systems to store and process sensitive patient data, the KEV catalog provides a clear, actionable roadmap to bolster their cybersecurity posture.
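The following Python script is an added example, not code from the article, Ivanti or CISA. It shows how a healthcare security team might turn the KEV catalog into the "actionable roadmap" described above: it parses a KEV-style JSON feed, matches entries against an appliance inventory, and triages Ivanti Connect Secure and Pulse Connect Secure versions against the fixed version the advisory names (22.7R2.6; 9.x is end-of-support and receives no fix). The field names follow the public CISA KEV JSON feed, but the feed entry, the inventory, and the due date are constructed sample data; the version-comparison rule is derived from the affected-version statement on this page and is an assumption for any version string the page does not mention.

```python
"""KEV-driven prioritisation and Ivanti version triage (added example, constructed data)."""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the CISA KEV JSON feed; only the CVE and
# product text come from the article, the dueDate/requiredAction are placeholders.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-22457",
            "vendorProject": "Ivanti",
            "product": "Connect Secure, Policy Secure, and ZTA Gateways",
            "vulnerabilityName": "Stack-based buffer overflow",
            "dateAdded": "2025-04-07",
            "requiredAction": "Apply vendor mitigations and upgrade (constructed text)",
            "dueDate": "2025-04-21",
        }
    ],
})

# Constructed appliance inventory; hostnames and versions are illustrative.
INVENTORY: List[Dict[str, str]] = [
    {"host": "vpn-01", "vendor": "Ivanti", "product": "Ivanti Connect Secure", "version": "22.7R2.5"},
    {"host": "vpn-02", "vendor": "Ivanti", "product": "Ivanti Connect Secure", "version": "22.7R2.6"},
    {"host": "vpn-legacy", "vendor": "Ivanti", "product": "Pulse Connect Secure", "version": "9.1R18.9"},
    {"host": "fw-01", "vendor": "Cisco", "product": "ASA", "version": "9.18.4"},
]

FIXED_VERSION = (22, 7, 2, 6)  # ICS 22.7R2.6, the fixed release named by Ivanti
_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_ics_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into a comparable tuple (22, 7, 2, 5); build defaults to 0."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, build = m.groups()
    return (int(major), int(minor), int(release), int(build or 0))


def assess_ics(version: str) -> str:
    """Classify an ICS/PCS version against CVE-2025-22457 (assumed rule, see lead-in)."""
    v = parse_ics_version(version)
    if v[0] == 9:                      # Pulse Connect Secure 9.x: end-of-support, no fix
        return "end-of-support"
    if v < FIXED_VERSION:              # 22.7R2.5 and earlier
        return "vulnerable"
    return "patched"


def load_kev(feed_json: str) -> List[dict]:
    return json.loads(feed_json)["vulnerabilities"]


def _product_tokens(product: str) -> List[str]:
    # KEV product strings list several products: split on commas and "and".
    return [t.strip().lower() for t in re.split(r",|\band\b", product) if t.strip()]


def kev_matches(asset: Dict[str, str], kev: List[dict]) -> List[str]:
    """Return the KEV CVE IDs whose vendor and product text match this asset."""
    vendor, product = asset["vendor"].lower(), asset["product"].lower()
    hits = []
    for entry in kev:
        if entry["vendorProject"].lower() != vendor:
            continue
        if any(tok in product for tok in _product_tokens(entry["product"])):
            hits.append(entry["cveID"])
    return hits


def triage(inventory: List[Dict[str, str]], kev: List[dict]) -> List[Dict[str, str]]:
    """Rank assets: P1 = KEV hit and unpatched/EoS, P3 = KEV hit but patched, none = no hit."""
    report = []
    for asset in inventory:
        cves = kev_matches(asset, kev)
        status = "n/a"
        if cves and asset["vendor"].lower() == "ivanti":
            status = assess_ics(asset["version"])
        if cves and status in ("vulnerable", "end-of-support"):
            priority = "P1"
        elif cves:
            priority = "P3"           # patched, but still run ICT for prior compromise
        else:
            priority = "none"
        report.append({"host": asset["host"], "cves": ",".join(cves),
                       "status": status, "priority": priority})
    return report


if __name__ == "__main__":
    for row in triage(INVENTORY, load_kev(KEV_SAMPLE)):
        print(row)
```

Two points from the script matter in practice. The patched appliance (22.7R2.6) is still listed rather than dropped, because exploitation began in mid-March, after the fix shipped; any device upgraded late should be checked with the Integrity Checker Tool for earlier compromise. The 9.1x appliance is ranked P1 even though no patch exists for it, since the only remediation is replacement or migration to a supported release.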
What was said
According to Ivanti’s incident notice, “Ivanti is disclosing one critical severity vulnerability in Ivanti Connect Secure (version 22.7R2.5 and earlier), Pulse Connect Secure 9.x (end-of-support as of December 31, 2024), Ivanti Policy Secure and ZTA gateways.
This vulnerability has been fully patched in Ivanti Connect Secure 22.7R2.6 (released February 11, 2025) and was initially identified as a product bug. Successful exploitation could lead to remote code execution.”
The team added that they “are aware of a limited number of customers whose Ivanti Connect Secure (22.7R2.5 or earlier) and End-of-Support Pulse Connect Secure 9.1x appliances have been exploited at the time of disclosure. Pulse Connect Secure 9.1x reached End-of-Support on December 31, 2024, and no longer received code support or changes.”
Ivanti encouraged customers to run the latest version of their software to avoid vulnerabilities, stating, “Customers have a significantly reduced risk from this vulnerability if they are running appliances on supported versions and in accordance with Ivanti's guidance: Ivanti always encourages customers to remain on the latest version of a solution so they can benefit from important security and product enhancements.”
FAQs
What is CISA?
CISA is a U.S. federal agency under the Department of Homeland Security (DHS) responsible for enhancing the security, resilience, and reliability of the nation’s critical infrastructure, including the healthcare sector, against cyber and physical threats.
What is the purpose of CISA’s Known Exploited Vulnerabilities (KEV) catalog?
The KEV catalog is a curated list of vulnerabilities that are actively exploited in the wild. CISA publishes and updates this catalog to help organizations prioritize and address the most dangerous cybersecurity flaws that pose real-world threats.
Why is it important for healthcare organizations to monitor the KEV catalog?
Healthcare organizations handle sensitive patient data and often use networked medical devices and systems. Monitoring the KEV catalog helps them stay ahead of actively exploited vulnerabilities that could lead to data breaches, operational disruption, or regulatory noncompliance (e.g., HIPAA violations).
How does CISA support healthcare cybersecurity?
CISA provides cybersecurity alerts, vulnerability disclosures, risk assessments, guidance documents, and tools like the KEV catalog to help healthcare organizations protect their systems. It also collaborates with HHS and sector-specific Information Sharing and Analysis Centers (ISACs).