
More than 2,850 Ivanti Connect Secure devices vulnerable to remote code execution attacks
Cyber threats are becoming increasingly complex. Recent security audits have revealed that the CVE-2025-22467 vulnerability in Ivanti Connect Secure (ICS) devices poses a serious global threat.
CVE-2025-22467 has a CVSS score of 9.9 and is classified as a critical flaw. It is a stack-based buffer overflow vulnerability that affects ICS versions prior to 22.7R2.6.
According to Shadowserver Foundation data, more than 2,850 devices remain vulnerable. The most affected countries are the United States (852 devices) and Japan (384 devices). The number of affected devices in other countries is as follows:
China – 129
Canada – 84
India – 29
Australia – 27
How does the vulnerability work?
The CVE-2025-22467 issue arises due to improper handling of user data. Exploiting this vulnerability allows an authenticated attacker to remotely execute malicious code and gain full control over the system. This can lead to:
- Theft of confidential data
- Attacks on corporate networks
- Ransomware deployment to lock systems
There are no confirmed cases of exploitation yet, but given the severity of this vulnerability, hackers may soon start using it in attacks.
How to mitigate the vulnerability?
Ivanti has released the 22.7R2.6 update to address the issue. System administrators and device owners must take immediate action:
✅ Update ICS devices to the latest version.
✅ Strengthen system monitoring to detect attack indicators.
✅ Implement the principle of least privilege to restrict user access.
✅ Segment networks and limit direct internet access to ICS devices.
✅ Configure firewalls and intrusion detection/prevention systems (IDS/IPS) to automatically block suspicious traffic.
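One way to work through the first item across a fleet, as an added example that is not from Ivanti or the original article: a Python triage of a device inventory against the fixed release 22.7R2.6. The version layout major.minor, then R, then release and an optional patch number, along with the function names and the sample inventory, are assumptions made for illustration.

```python
import re

# Fixed release named in the article; anything earlier is treated as affected.
FIXED_VERSION = "22.7R2.6"

# Assumed layout: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.5.
# Trailing text such as a build suffix is ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?")


def parse_ics_version(text):
    """Return (major, minor, release, patch), or None if the string does not match."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    # A missing patch component counts as 0, so 22.7R2 sorts before 22.7R2.6.
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def triage(inventory, fixed=FIXED_VERSION):
    """Split {host: version_string} into vulnerable / patched / unknown host lists."""
    fixed_key = parse_ics_version(fixed)
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        key = parse_ics_version(version)
        if key is None:
            # Unparseable version: verify by hand rather than assume it is safe.
            result["unknown"].append(host)
        elif key < fixed_key:
            # Tuple comparison is numeric; a string compare would wrongly
            # rank 22.7R2.10 below 22.7R2.6.
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory: hostnames, versions and build suffix are made up.
SAMPLE_INVENTORY = {
    "vpn-gw-01.example.internal": "22.7R2.5",
    "vpn-gw-02.example.internal": "22.7R2.6",
    "vpn-gw-03.example.internal": "22.7R2",
    "vpn-gw-04.example.internal": "9.1R18.9 (build 00000)",
    "vpn-gw-05.example.internal": "unknown",
    "vpn-gw-06.example.internal": "22.7R2.10",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```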
Recent months have seen an increase in attacks targeting Ivanti ICS devices. For example, the CVE-2025-0282 vulnerability was previously exploited to distribute the SPAWNCHIMERA malware. This poses a significant threat to large corporations and government organizations.
According to the Shadowserver Foundation, more than 33,000 ICS devices are exposed to the internet, many of which remain unpatched. If these devices are not updated promptly, attackers will likely exploit this vulnerability.
Cyberattacks are becoming a daily challenge, especially as remote access and secure network infrastructure grow in importance. Ignoring the CVE-2025-22467 vulnerability could lead to major financial losses and data breaches.
Immediate actions required:
🔹 Update ICS devices without delay
🔹 Enable monitoring to detect attack attempts
🔹 Apply the principle of least privilege
🔹 Enhance network security with firewalls and IDS/IPS
🔹 Restrict direct internet access
Remember! System security relies on regular updates and robust protection measures. Delays can lead to severe consequences.