PatchDay Alert
Analysis · 7 min read · 1,330 words By The Commentary Desk · Commentary

Ivanti Connect Secure: the perimeter that keeps breaking

Five KEV-listed Ivanti Connect Secure bugs in fifteen months, all ransomware-tagged, all reachable by an unauthenticated attacker, either directly or chained behind an auth bypass. The pledge bought goodwill. The code did not change.


On April 3, 2024, Ivanti CEO Jeff Abbott published an open letter committing the company to CISA’s Secure by Design principles, and Ivanti was among the signatories when CISA launched the Secure by Design pledge the following month. Exactly one year after the letter, on April 3, 2025, the company disclosed CVE-2025-22457: a stack-based buffer overflow on the unauthenticated path of Connect Secure that a China-nexus actor had already weaponized in the wild. The fix had shipped on February 11 in 22.7R2.6, classified as a low-risk product defect. Ivanti’s own analysis concluded the bug could not be turned into RCE and did not even rise to denial of service, because the overflowed buffer accepted only a constrained character set. Mandiant’s assessment is that UNC5221 likely studied the diff, worked out how to exploit the bug despite the character-set constraint Ivanti’s analysts had treated as a safety property, and used the patch itself as a roadmap.

Five bugs, one product, fifteen months

Between January 2024 and April 2025, CISA added five Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateway vulnerabilities to KEV. All five are ransomware-tagged. All five are network-reachable bugs in the same product family, and all five are exploitable without credentials: four are pre-authentication outright, and the fifth, a command injection that nominally requires an admin session, was chained behind the auth bypass from day one.

  • CVE-2023-46805 (auth bypass, CWE-287) and CVE-2024-21887 (command injection, CWE-77), disclosed January 10, 2024 and chained for unauthenticated RCE: the bypass supplies the session the command injection expects. Within a week, Volexity’s internet scans counted over 2,100 ICS appliances compromised with the GIFTEDVISITOR webshell.
  • CVE-2024-21893 (SSRF, CWE-918), disclosed January 31, 2024. Lives in the SAML component, which Ivanti’s January 10 XML mitigation did not cover. Per Mandiant, UNC5325 had been chaining it with the still-reachable command-injection sink since roughly January 19, twelve days before disclosure, to get past the workaround Ivanti was telling customers to deploy.
  • CVE-2025-0282 (stack overflow, CWE-121, CVSS 9.0), disclosed January 8, 2025. Unauthenticated, RCE as root, exploited in the wild from mid-December 2024, about three weeks before disclosure. Mandiant attributed the activity to UNC5337 and assessed with medium confidence that the cluster is part of UNC5221. Same actor, in all likelihood.
  • CVE-2025-22457 (stack overflow, CWE-121, NVD CVSS 9.8), disclosed April 3, 2025. The one Ivanti fixed in February without an advisory because the in-house analysis said it could not be RCE.

One product line, the same suspected China-nexus cluster (or clusters Mandiant ties to it) returning four separate times, two textbook stack overflows in C roughly three months apart, and a mitigation bypass that was already in use before the customer-facing patch existed.

The mitigation that mitigated nothing

Ivanti’s January 10, 2024 advisory shipped an XML workaround instead of a patch. Customers were told to apply it and run the Integrity Checker Tool (ICT). Three weeks later, CVE-2024-21893 was disclosed: an SSRF in the SAML component that the workaround did not cover. Mandiant subsequently documented attackers commenting out a single line in scanmgr.py, recalculating the SHA-256 hashes in /home/etc/manifest so tampered files matched, and abusing directories the ICT excluded by design. CISA’s February 29, 2024 advisory (AA24-060B) reported that its own lab testing found the ICT not sufficient to detect compromise, and that an actor could retain root-level persistence through a factory reset.

CVE-2024-22024, an XXE in the same SAML component, reachable without authentication, prompted Supplemental Direction V2 on February 9, 2024. The pattern was already visible: a workaround scoped narrowly enough to miss the next bug, an integrity tool the actor learned to launder hashes around, and a federal agency telling customers to disconnect the appliance and rebuild from known-good. ED 24-01 Supplemental V1 ordered exactly that on January 31, 2024, with a deadline of 11:59 PM EST on February 2.

The patch as roadmap

The CVE-2025-22457 timeline is the one Ivanti should be reckoning with internally.

February 11, 2025: Connect Secure 22.7R2.6 ships. CVE-2025-22457 is in the release notes as a low-risk product-defect fix. Ivanti’s analysis concluded the bug couldn’t be RCE and didn’t even rise to DoS, on the reasoning that the overflowed buffer accepted only a constrained character set. No advisory. No KEV entry.

Mid-March 2025: Mandiant assesses that UNC5221 likely studied the patch, worked through what Mandiant calls a “complicated process” to exploit the bug despite the character-set constraint, and began exploiting unpatched ICS 9.x and ICS 22.7R2.5 in the wild.

April 3, 2025: Ivanti goes public. NVD scores the bug 9.8. Policy Secure customers wait until April 21 for a fix. ZTA Gateway customers wait until April 19. Two of three product lines have no patch on the day active exploitation is confirmed.

watchTowr’s later writeup described the function as “remarkably straightforward” to crash and noted it “is somewhat surprising that Ivanti didn’t find the vulnerability during routine fuzz testing.” The root cause: the X-Forwarded-For header value is strspn-filtered to digits and dots, then copied into a fixed-size stack buffer with no length check. A character-set filter constrains which bytes arrive, not how many, so the only thing Ivanti’s analysis actually established was that the payload would be harder to build. On CVE-2025-0282 three months earlier, watchTowr’s binary diff found the developers had reached for strncpy instead of strcpy, the right instinct, but passed the source length as the bound rather than the destination buffer’s size. strncpy bounded by strlen(src) is strcpy with extra steps; the protection was defeated entirely.
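To make the two patterns concrete, here is an added example (constructed for this page, not Ivanti’s code and not watchTowr’s reconstruction) that puts each vulnerable copy beside a bounded one. The 64-byte capacity, the function names and the 300-digit input are assumptions; what it reproduces from the description above is a strspn digits-and-dots filter followed by an unbounded copy, and a strncpy whose bound is the source length. The demo functions write into an oversized backing array so the example can report how many bytes each pattern would have pushed into a 64-byte stack buffer without corrupting anything itself.

```c
/* Added illustration of the two copy patterns described above (constructed example, not Ivanti's
 * or watchTowr's code). Assumed: a 64-byte destination, the function names, the 300-digit input.
 * From the page: strspn digits/dots filter then unbounded copy; strncpy bounded by source length. */
#include <stdio.h>
#include <string.h>

#define XFF_CAP 64          /* assumed capacity of the fixed destination buffer */
#define DEMO_BACKING 4096   /* oversized backing store so the demo never corrupts its own memory */

/* Character-set filter as described. strspn bounds WHICH bytes are accepted, not HOW MANY. */
int xff_charset_ok(const char *hdr) {
    return hdr[strspn(hdr, "0123456789.")] == '\0';
}

/* Vulnerable shape: filter, then copy at the attacker's chosen length. Returns bytes written
 * including the NUL. `buf` must genuinely be large enough; the demo passes a DEMO_BACKING array. */
size_t xff_copy_vulnerable(char *buf, const char *hdr) {
    if (!xff_charset_ok(hdr)) return 0;
    strcpy(buf, hdr);                     /* the "constraint" never bounded this */
    return strlen(hdr) + 1;
}

/* Hardened shape: bound by destination capacity; refuse oversize input rather than truncate it,
 * because a silently truncated address is still a wrong address. Returns bytes copied, or -1. */
int xff_copy_hardened(char *buf, size_t cap, const char *hdr) {
    if (!xff_charset_ok(hdr)) return -1;
    size_t n = strlen(hdr);
    if (n >= cap) return -1;              /* no room for the value plus its NUL */
    memcpy(buf, hdr, n + 1);
    return (int)n;
}

/* The CVE-2025-0282 pattern: strncpy with the SOURCE length as the bound. dst_cap is never read,
 * so this is strcpy with extra steps. Returns bytes written including the NUL. */
size_t copy_src_bounded(char *dst, size_t dst_cap, const char *src) {
    (void)dst_cap;
    size_t n = strlen(src);
    strncpy(dst, src, n);                 /* bound == strlen(src): no bound at all */
    dst[n] = '\0';
    return n + 1;
}

/* Corrected: bound by the destination and always terminated. Returns bytes copied, or -1. */
int copy_dst_bounded(char *dst, size_t dst_cap, const char *src) {
    size_t n = strlen(src);
    if (dst_cap == 0 || n >= dst_cap) return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Constructed input: 300 bytes of '1', which any digits-and-dots filter accepts. */
static void fill_digits(char *out, size_t n) {
    memset(out, '1', n);
    out[n] = '\0';
}

int demo_filter_accepts_long_digits(void) {
    char hdr[301];
    fill_digits(hdr, 300);
    return xff_charset_ok(hdr);                        /* 1: the filter is not a length check */
}
size_t demo_vulnerable_bytes_written(void) {
    char hdr[301], backing[DEMO_BACKING];
    fill_digits(hdr, 300);
    return xff_copy_vulnerable(backing, hdr);          /* 301 bytes aimed at an XFF_CAP-byte buffer */
}
int demo_hardened_long(void) {
    char hdr[301], backing[DEMO_BACKING];
    fill_digits(hdr, 300);
    return xff_copy_hardened(backing, XFF_CAP, hdr);   /* -1: refused */
}
int demo_hardened_short(void) {
    char backing[DEMO_BACKING];
    return xff_copy_hardened(backing, XFF_CAP, "10.0.0.1");   /* 8 */
}
size_t demo_src_bounded_bytes_written(void) {
    char src[301], backing[DEMO_BACKING];
    fill_digits(src, 300);
    return copy_src_bounded(backing, XFF_CAP, src);    /* 301: capacity ignored */
}
int demo_dst_bounded_long(void) {
    char src[301], backing[DEMO_BACKING];
    fill_digits(src, 300);
    return copy_dst_bounded(backing, XFF_CAP, src);    /* -1: refused */
}

int main(void) {
    printf("filter accepts 300 digits: %d\n", demo_filter_accepts_long_digits());
    printf("vulnerable XFF copy writes %zu bytes toward a %d-byte buffer\n",
           demo_vulnerable_bytes_written(), XFF_CAP);
    printf("hardened XFF copy: 300 digits -> %d, 10.0.0.1 -> %d\n",
           demo_hardened_long(), demo_hardened_short());
    printf("strncpy bounded by source writes %zu bytes; bounded by destination returns %d\n",
           demo_src_bounded_bytes_written(), demo_dst_bounded_long());
    return 0;
}
```

Build with `cc -Wall -Wextra demo.c` and run it. The numbers make the editorial point: the filter passes a 300-digit header, both vulnerable copies push 301 bytes toward a 64-byte destination, and both hardened versions return -1. Rejecting rather than truncating is deliberate; a truncated X-Forwarded-For is a plausible-looking wrong address, and a logged wrong address is worse than a logged rejection.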

These are the kinds of bugs basic SAST and a weekend of fuzzing find. They were instead found by a nation-state actor reading the diff behind the release notes.

Why this keeps happening

The codebase is the answer. Connect Secure is the rebadged Pulse Connect Secure, which Ivanti acquired from Siris Capital in December 2020. Pulse Secure was spun out of Juniper in 2014. Before that, the IVE codebase ran under NetScreen, and before NetScreen, Neoteris, founded in 2000. Memory-unsafe C handlers on the unauthenticated path are tech debt with passport stamps from four parent companies, and the institutional memory got thinner with every transaction.

The Secure by Design arc makes the pattern worse, not better. The pledge’s seven goals include publishing a memory-safety roadmap. Nine months after Ivanti’s letter, CVE-2025-0282 hit KEV. Three months after that, CVE-2025-22457. Both CWE-121, both on the pre-auth path, both with elementary causes. As of this writing there is no public, dated Ivanti memory-safety roadmap on the open web that names a target for migrating the Connect Secure web binary off C. The post-pledge bug pattern is identical to the pre-pledge bug pattern.

The fair version: Fortinet, Cisco ASA, Palo Alto GlobalProtect, and F5 BIG-IP each carry their own KEV-listed perimeter bugs from the same era. The structural argument is not that Ivanti is uniquely bad. It is that the entire SSL-VPN category is running C code from the 2000s on the most exposed surface in the enterprise, and the products acquired through private-equity rollups carry the heaviest debt with the thinnest memory of why the code looks the way it does.

What you should actually expect

If Connect Secure 9.1x (the Pulse-era train) is still online in your environment, that is the finding. End of support was December 31, 2024. There is no patch for CVE-2025-22457 on that train, and there will not be one. Put that in front of leadership as a lifecycle problem rather than a CVE number.

For supported 22.x: factory reset before patching, not patch in place, and treat even that as containment rather than proof of cleanliness, since CISA’s lab work in AA24-060B found persistence could survive a reset. SPAWNANT specifically recalculates the SHA-256 hashes of the files it modifies, generates a new RSA key pair and re-signs the manifest, so a clean ICT result on a previously-exposed appliance is not trustworthy on its own. Pair the rebuild with credential rotation across the admin enable password, stored API keys, every local account including auth-server service accounts, and any certificate or private key the appliance touched.

Treat ICT as one signal among several. Volexity’s open-source YARA rules and the IOCs in CISA AA24-060B give a SOC something the appliance cannot quietly lie about. Network-segment the gateway down to a published list of internal services and ports, not “the LAN.” The June 2024 CISA/FBI/NSA paper on network-access security counted “over 22 KEVs” from perimeter VPN concentrators and recommended a roadmap toward zero-trust replacements. That recommendation reads differently after the fifth ransomware-tagged ICS bug than it did after the first.

PatchDay Alert tracks each new advisory in this product line the day it lands, with the version-fix matrix and KEV deadline already in the digest, so the morning goes to the rebuild and not to reading three vendor portals.

The reframe

Five bugs in fifteen months, the same assessed cluster four times, and a pledge whose first signatory shipped two CWE-121s on the unauthenticated path inside the pledge’s first year. The product is not failing to be secured. It is being secured at the pace an aging C codebase under PE ownership allows, against an adversary who reads patches faster than the vendor classifies them. The next advisory will not be the last one.
