CVE-2025-22457

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.

Published: Apr 3, 2025
Updated: Nov 16, 2025
CVE: CVE-2025-22457
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWEs:

Affected Software
References

Software	From	Fixed in
ivanti / connect_secure	22.7-r1.5	22.7-r1.5.x
ivanti / connect_secure	22.7-r1.4	22.7-r1.4.x
ivanti / connect_secure	22.7-r1.3	22.7-r1.3.x
ivanti / connect_secure	22.7-r1.2	22.7-r1.2.x
ivanti / connect_secure	22.7	22.7.x
ivanti / connect_secure	22.7-r1	22.7-r1.x
ivanti / connect_secure	22.7-r1.1	22.7-r1.1.x
ivanti / connect_secure	22.7-r2	22.7-r2.x
ivanti / connect_secure	22.7-r2.1	22.7-r2.1.x
ivanti / connect_secure	22.7-r2.2	22.7-r2.2.x
ivanti / policy_secure	22.7	22.7.x
ivanti / policy_secure	22.7-r1	22.7-r1.x
ivanti / policy_secure	22.7-r1.1	22.7-r1.1.x
ivanti / connect_secure	22.7-r2.3	22.7-r2.3.x
ivanti / connect_secure	22.7-r2.4	22.7-r2.4.x
ivanti / connect_secure	22.7-r2.5	22.7-r2.5.x
ivanti / policy_secure	22.7-r1.2	22.7-r1.2.x
ivanti / connect_secure	-	22.7
ivanti / policy_secure	-	22.7
ivanti / policy_secure	22.7-r1.3	22.7-r1.3.x
ivanti / zero_trust_access_gateway	-	22.8
ivanti / zero_trust_access_gateway	22.8	22.8.x
ivanti / zero_trust_access_gateway	22.8-r2.1	22.8-r2.1.x

Vulnerability Database

308,485

CVE-2025-22457

Deep Security Visibility Without the Complexity