CVE-2025-22457

CRITICAL KEV RANSOMWARE NUCLEI

Ivanti Connect Secure Unauthenticated Remote Code Execution via Stack-based Buffer Overflow

Title source: metasploit

Exploitation Summary

CVE-2025-22457 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog (added April 4, 2025), with confirmed use in ransomware campaigns. EIP tracks 5 public exploits from researchers including sfewer-r7, securekomodo and Vinylrider, among them the Metasploit module exploits/linux/http/ivanti_connect_secure_stack_overflow_rce_cve_2025_22457. A Nuclei detection template is also available.

AI-analyzed exploit summary

This is a functional exploit for CVE-2025-22457, targeting Ivanti Connect Secure for unauthenticated remote code execution via a heap spray and stack pivot technique. It includes a reverse shell payload and brute-forces the libdsplibs.so base address.

Description

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.

Exploits (5)

nomisec WORKING POC 71 stars
by sfewer-r7 · remote
https://github.com/sfewer-r7/CVE-2025-22457

This is a functional exploit for CVE-2025-22457, targeting Ivanti Connect Secure for unauthenticated remote code execution via a heap spray and stack pivot technique. It includes a reverse shell payload and brute-forces the libdsplibs.so base address.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: Ivanti Connect Secure (22.7r2.4 b3597)
No auth needed
Prerequisites: Network access to target · Open port 443 (HTTPS) · Netcat listener for reverse shell
devstral-2 · analyzed Feb 16, 2026
nomisec SCANNER 19 stars
by securekomodo · dos
https://github.com/securekomodo/CVE-2025-22457

This is a scanner for CVE-2025-22457, a stack-based buffer overflow in Ivanti Connect Secure. It checks for vulnerability by sending a crafted X-Forwarded-For header and verifying crash conditions.

Classification: Scanner 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Connect Secure, Ivanti Policy Secure, Ivanti ZTA Gateways < 22.7R2.6 / 22.7R1.4 / 22.8R2.2
No auth needed
Prerequisites: Network access to the target Ivanti appliance
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 2 stars
by Vinylrider · dos
https://github.com/Vinylrider/ivantiunlocker

This repository provides a mitigation tool for CVE-2025-22457, an X-Forwarded-For header vulnerability in Ivanti/Juniper Secure Connect SSL VPN. It implements a Python-based HTTPS gateway that enforces password authentication before allowing access to the VPN appliance via iptables rules.

Classification: Working PoC 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Secure Connect SSL VPN, Juniper SSL VPN
Auth required
Prerequisites: Network access to the VPN appliance · Ability to run a Python web server on port 443 · iptables access for firewall rule modification
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 star
by TRone-ux · remote
https://github.com/TRone-ux/CVE-2025-22457

This is a functional exploit for CVE-2025-22457, targeting Ivanti Connect Secure for unauthenticated remote code execution via a heap spray and stack pivot technique. It includes a reverse shell payload and brute-forces memory addresses to achieve execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: Ivanti Connect Secure (version 22.7r2.4 b3597)
No auth needed
Prerequisites: Network access to target · Open port 443 (HTTPS) · Netcat listener for reverse shell
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC GREAT
by Stephen Fewer, Christophe De La Fuente · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ivanti_connect_secure_stack_overflow_rce_cve_2025_22457.rb

This Metasploit module exploits a stack-based buffer overflow in Ivanti Connect Secure (CVE-2025-22457) to achieve unauthenticated remote code execution. It uses heap spraying and ROP chain techniques to bypass ASLR and execute arbitrary commands.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Ivanti Connect Secure (versions 22.7R2.5 and earlier)
No auth needed
Prerequisites: Network access to the target · SSL/TLS connectivity to port 443
devstral-2 · analyzed Jun 05, 2026

Nuclei Templates (1)

Ivanti Connect Secure - Stack-based Buffer Overflow
CRITICAL · by s4e-io, pussycat0x
Shodan: http.title:"ivanti connect secure"
FOFA: title="ivanti connect secure"

Scores

CVSS v3: 9.0
EPSS: 0.5894
EPSS Percentile: 98.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2025-04-04
VulnCheck KEV: 2025-04-03
ENISA EUVD: EUVD-2025-9646
Ransomware Use: Confirmed
CWE: CWE-121, CWE-787
Status: published
Products (6)
ivanti/connect_secure 22.7 (13 CPE variants)
ivanti/connect_secure < 22.7
ivanti/policy_secure 22.7 (5 CPE variants)
ivanti/policy_secure < 22.7
ivanti/zero_trust_access_gateway 22.8 (2 CPE variants)
ivanti/zero_trust_access_gateway < 22.8
Published: Apr 03, 2025
KEV Added: Apr 04, 2025
Tracked Since: Feb 18, 2026