CVE-2025-22457 CRITICAL

Weakness: CWE-121
KEV Status: Known Exploited
Ransomware: Used in campaigns
Published: April 3, 2025
Last update: February 26, 2026

CVSS base score

9.0/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.

CISA mandated remediation

02 CISA Required Action

Apply mitigations as set forth in the CISA instructions linked below.

Key dates

03 Disclosure timeline

April 3, 2025: CVE published
February 26, 2026: Record updated