Critical Vulnerabilities in Ivanti Products Leave Enterprises Exposed to Remote Attacks

Ivanti has released urgent patches addressing four high-severity vulnerabilities (CVE-2025-22457, CVE-2025-22467, CVE-2024-38657, and CVE-2024-10644) affecting its widely used Connect Secure (ICS), Policy Secure (IPS), and Secure Access Client (ISAC) products. These flaws open the door to remote code execution, unauthorized file manipulation, and command injection, posing a serious risk to organizations globally. Because these products manage secure remote access, the vulnerabilities could allow attackers to infiltrate internal networks, execute malicious payloads, and maintain persistence. Ivanti strongly urges all users to update their systems immediately, as no workarounds exist.

Technical Description

These vulnerabilities impact the core architecture of Ivanti’s access solutions; each flaw allows attackers, in most cases with authenticated access, to bypass critical security controls and take over vulnerable systems.

CVE-2025-22457 is a new addition to the list and involves improper handling of file operations, which can allow an authenticated attacker to write arbitrary files on the system. This file write vulnerability, if chained with other flaws, can lead to code execution or backdoor implantation. It affects Ivanti Connect Secure versions prior to 22.7R2.5 and Policy Secure versions prior to 22.7R1.3.

CVE-2025-22467 is a stack-based buffer overflow vulnerability, allowing attackers to overwrite memory and execute arbitrary code. This flaw, found in versions of Connect Secure before 22.7R2.6, is especially dangerous as it can grant full control over the system to an attacker with session access. Rated CVSS 9.9, it is the most severe of the group.

CVE-2024-38657 impacts Connect Secure prior to 22.7R2.4 and Policy Secure before 22.7R1.3, allowing administrators (or compromised admin sessions) to manipulate file names and paths, effectively writing files to arbitrary locations. This could be used to deploy malware, overwrite legitimate files, or maintain unauthorized persistence.

CVE-2024-10644 allows remote command injection via crafted requests submitted by an authenticated admin. Once exploited, it could give attackers access to system-level operations, enabling data theft, privilege escalation, or malware deployment. Like CVE-2024-38657, it affects versions prior to 22.7R2.4.

Together, these vulnerabilities present a potent risk, especially when chained. Attackers could combine file write and command injection capabilities to execute persistent malware, bypass monitoring tools, and pivot deeper into the network.

Impact

The affected systems are typically used to secure remote connections to corporate networks, meaning any breach could have a ripple effect across entire IT infrastructures. Once inside, attackers can install backdoors, exfiltrate sensitive data, or move laterally within the organization.

The following versions are impacted:

  • Ivanti Connect Secure: versions before 22.7R2.6
  • Ivanti Policy Secure: versions before 22.7R1.3
  • Ivanti Secure Access Client (ISAC): versions before 22.8R1

Given CVSS scores ranging from 9.1 to 9.9, these vulnerabilities are considered critical. No mitigations or workarounds exist, so upgrading to a fixed version is the only effective way to close the attack window and prevent exploitation.

IOC and Context Details

Topics                  Details
Tactic Name             Initial Access, Execution, Persistence
Technique Name          Exploitation of Remote Services
Sub-Technique Name      Remote Code Execution via Authenticated Session
Attack Type             File Write Abuse, Stack Overflow, Code Injection
Targeted Applications   Ivanti Connect Secure, Policy Secure, ISAC
Region Impacted         Global
Industry Impacted       All
IOCs                    N/A
CVE                     CVE-2025-22457, CVE-2025-22467, CVE-2024-38657, CVE-2024-10644

Recommended Actions

These newly discovered vulnerabilities in Ivanti’s remote access suite are a stark reminder of the critical role that access management tools play in organizational security. With attackers increasingly targeting remote access platforms, it’s vital to stay ahead of threats through rapid patching and proactive monitoring. Businesses that fail to act could face costly breaches, downtime, and reputational damage.

It’s highly advised to update to the following versions:

  • Ivanti Connect Secure: 22.7R2.6 or later
  • Ivanti Policy Secure: 22.7R1.3 or later
  • Ivanti Secure Access Client: 22.8R1 or later
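As an added example (not part of the advisory or of Ivanti’s tooling), the following Python script applies the per-CVE fixed versions stated above to an inventory of installed versions, so an asset owner can see which of the four CVEs remain open on each appliance rather than only whether it is below the newest release. The fixed-version table is taken from the text above; the inventory rows are constructed sample data, and Secure Access Client is checked only against the single product-wide version the page gives.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions exactly as stated in the advisory text, per product and CVE.
# The page gives Secure Access Client only one product-wide fixed version,
# so it is recorded under a single descriptive key rather than per CVE.
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "Connect Secure": {
        "CVE-2025-22457": "22.7R2.5",
        "CVE-2025-22467": "22.7R2.6",
        "CVE-2024-38657": "22.7R2.4",
        "CVE-2024-10644": "22.7R2.4",
    },
    "Policy Secure": {
        "CVE-2025-22457": "22.7R1.3",
        "CVE-2024-38657": "22.7R1.3",
    },
    "Secure Access Client": {"advisory fix (all listed CVEs)": "22.8R1"},
}

# Ivanti version strings look like 22.7R2.6 or 22.8R1 (patch part optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.6' into the comparable tuple (22, 7, 2, 6);
    a missing patch component ('22.8R1') is treated as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))

def exposed_cves(product: str, installed: str) -> List[str]:
    """Return the advisory items still open on `installed`: those whose
    fixed version is strictly newer than the installed one."""
    fixes = FIXED_VERSIONS[product]  # KeyError for products not on the page
    current = parse_version(installed)
    return [cve for cve, fixed in fixes.items() if current < parse_version(fixed)]

if __name__ == "__main__":
    # Constructed sample inventory rows (hostname, product, version); not real hosts.
    inventory = [
        ("vpn-01", "Connect Secure", "22.7R2.3"),
        ("vpn-02", "Connect Secure", "22.7R2.5"),
        ("nac-01", "Policy Secure", "22.7R1.3"),
        ("laptop-image", "Secure Access Client", "22.7R1"),
    ]
    for host, product, version in inventory:
        open_items = exposed_cves(product, version)
        print(f"{host} ({product} {version}): " + (", ".join(open_items) or "up to date"))
```

Note that a Connect Secure appliance on 22.7R2.5 is already past the fix for CVE-2025-22457 but still exposed to CVE-2025-22467, which is why the check is done per CVE.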
