Following our recent update regarding the Ivanti VPN RCE vulnerability (CVE-2025-22457), we continued our threat-focused hunting efforts, looking for suspicious IOC hits.
Axon reports have been published for Team Axon customers, including a list of IOCs and IOC Sweep results. Relevant hits that require your attention will be mentioned in the Axon report.
We continue to monitor CVE-2025-22457 and will provide further updates as necessary. If you have any questions or need further assistance, please feel free to reach out.
Sincerely, Team Axon
Posted Apr 14, 2025 - 08:15 UTC
Investigating
Team Axon is aware of a recently disclosed Remote Code Execution (RCE) vulnerability affecting several Ivanti products related to VPN functionality.
The vulnerability, CVE-2025-22457, is a stack-based buffer overflow that impacts the following Ivanti versions:
- Ivanti Connect Secure prior to version 22.7R2.6
- Ivanti Policy Secure prior to version 22.7R1.4
- Ivanti ZTA Gateways prior to version 22.8R2.2
- Pulse Connect Secure (EoS) prior to version 9.1R18.9
This flaw allows a remote, unauthenticated attacker to achieve remote code execution. While no public Proof-of-Concept (PoC) exploit has been released, the vulnerability is known to have been exploited in the wild.
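The version boundaries above are the practical check most teams need first: which appliances are still running a build older than the fixed one. The script below is an added example and is not Team Axon's tooling or anything published by Ivanti. It assumes Ivanti version strings follow the major.minorRrelease.patch shape seen in the list (with the patch component optional) and compares them numerically, which matters because a plain string comparison would rank a hypothetical 22.7R1.10 below 22.7R1.4. The inventory rows, hostnames and the triage_inventory helper are constructed for illustration.

```python
import re
from typing import List, Tuple

# Fixed versions exactly as listed in the advisory: anything strictly below is affected.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.6",
    "Ivanti Policy Secure": "22.7R1.4",
    "Ivanti ZTA Gateways": "22.8R2.2",
    "Pulse Connect Secure": "9.1R18.9",
}

# Assumed version shape: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.6
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an Ivanti-style version string into a tuple that compares numerically.

    A missing patch component is treated as 0, so '22.7R2' == '22.7R2.0'.
    Raises ValueError for anything that does not fit the assumed shape.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_affected(product: str, version: str) -> bool:
    """True when the running version is strictly below the advisory's fixed version."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise KeyError(f"{product!r} is not one of the products named in the advisory")
    return parse_version(version) < parse_version(fixed)


def triage_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, status) for every entry that still needs attention.

    Unparseable versions and unknown products are returned as well, flagged for manual
    review: an entry the script cannot classify must never be silently treated as safe.
    """
    findings = []
    for host, product, version in inventory:
        try:
            affected = is_affected(product, version)
            status = "AFFECTED" if affected else "patched"
        except (ValueError, KeyError) as exc:
            affected, status = True, f"REVIEW ({exc})"
        if affected:
            findings.append((host, product, version, status))
    return findings


# Constructed sample inventory (hypothetical hostnames and versions, not from the advisory).
SAMPLE_INVENTORY = [
    ("vpn-gw-01", "Ivanti Connect Secure", "22.7R2.5"),       # one patch level short of fixed
    ("vpn-gw-02", "Ivanti Connect Secure", "22.7R2.6"),       # exactly the fixed version
    ("vpn-gw-03", "Ivanti Connect Secure", "22.7R2"),         # no patch component -> 22.7R2.0
    ("nac-01", "Ivanti Policy Secure", "22.7R1.10"),          # numerically above 22.7R1.4
    ("zta-01", "Ivanti ZTA Gateways", "22.8R1.9"),            # older release line
    ("legacy-01", "Pulse Connect Secure", "9.1R18.9"),        # at the fixed version
    ("legacy-02", "Pulse Connect Secure", "build-unknown"),   # unparseable -> manual review
]

if __name__ == "__main__":
    for host, product, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {product:24} {version:14} {status}")
```

Run against a real export, the only rows to keep are those with status AFFECTED or REVIEW; the REVIEW rows are the ones worth a second look, since a version string that does not parse usually means an appliance whose build was never recorded properly.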
To reduce risk, we strongly recommend:
- Applying available security patches to all affected Ivanti applications and appliances. (Note: Some patches may not yet be available; we advise monitoring vendor updates closely.)
Team Axon is actively investigating customer environments for any signs of exploitation. Should we identify affected systems, impacted customers will be notified directly.
If you have any questions or require assistance, please don’t hesitate to reach out.