Ongoing Campaign Targeting Ivanti Products
7 April 2025
Ivanti has reported active exploitation of a critical vulnerability affecting multiple products, including Ivanti Connect Secure and Pulse Connect Secure. Users and administrators of the affected products are advised to update to the latest version.
A critical vulnerability, identified as CVE-2025-22457, has been reported in Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.0 out of 10, and is reportedly being actively exploited.
Successful exploitation of the stack-based buffer overflow vulnerability could allow an unauthenticated attacker to perform remote code execution.
Affected Product Versions:
- Ivanti Connect Secure: 22.7R2.5 and prior
- Pulse Connect Secure: 9.1R18.9 and prior
- Ivanti Policy Secure: 22.7R1.3 and prior
- ZTA Gateways: 22.8R2 and prior
Users and administrators of affected Ivanti Connect Secure versions are advised to update to the latest version immediately.
For the other products, Ivanti has recommended the following:
- Pulse Connect Secure 9.1x: Contact Ivanti to migrate. This solution reached End-of-Support on December 31, 2024, and no longer receives any code changes. Ivanti cannot provide guidance to customers who stay on an unsupported version. Users and administrators of affected versions should migrate to a secure platform to ensure their security.
- Ivanti Policy Secure: A patch is in development and will be available on April 21, 2025. As the product is not internet facing, the risk to this product is greatly reduced. Ivanti is not aware of the vulnerability being exploited in Ivanti Policy Secure.
- Ivanti ZTA Gateways: A patch is in development and will be automatically applied to environments on April 19, 2025. The Ivanti Neurons ZTA gateways cannot be exploited when in production. If a gateway for this solution is generated and left unconnected to a ZTA controller, then there is a risk of exploitation on the generated gateway. Ivanti is not aware of the vulnerability being exploited in ZTA Gateways.
To aid in identifying compromised systems, we recommend monitoring your Integrity Checker Tool (ICT), as well as checking for the following indicators of compromise (IOCs), as provided by Mandiant:
Indicators of Compromise
| Code Family | MD5 | Filename | Description |
|---|---|---|---|
| TRAILBLAZE | 4628a501088c31f53b5c9ddf6788e835 | /tmp/.i | In-memory dropper |
| BRUSHFIRE | e5192258c27e712c7acf80303e68980b | /tmp/.r | Passive backdoor |
| SPAWNSNARE | 6e01ef1367ea81994578526b3bd331d6 | /bin/dsmain | Kernel extractor & encryptor |
| SPAWNWAVE | ce2b6a554ae46b5eb7d79ca5e7f440da | /lib/libdsupgrade.so | Implant utility |
| SPAWNSLOTH | 10659b392e7f5b30b375b94cae4fdca0 | /tmp/.liblogblock.so | Log tampering utility |
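The following script is an added example for working with the IOC table above; it is not part of this alert, nor is it Ivanti's or Mandiant's tooling. It assumes you are scanning an offline copy of an appliance filesystem (for example a mounted disk image or an exported file tree) rooted at a directory you pass in; the vendor-supported check on a live appliance remains the Integrity Checker Tool. The scanner hashes every regular file and reports two kinds of finding: a hash match (the file's MD5 is in the table, whatever its path, so a renamed copy is still caught) and a path match (a listed path exists but its hash differs, which may indicate a variant or a legitimate file that the implant replaces, and warrants ICT and forensic follow-up rather than a verdict on its own). The sample tree built by `demo()` is constructed placeholder data, not real malware.

```python
"""Added example: match an offline appliance file tree against the IOC table
from the advisory. Constructed sample data only; not vendor tooling."""
import hashlib
import os
import tempfile

# IOC table as published in the advisory (Mandiant), keyed by MD5.
IOC_BY_MD5 = {
    "4628a501088c31f53b5c9ddf6788e835": ("TRAILBLAZE", "/tmp/.i", "In-memory dropper"),
    "e5192258c27e712c7acf80303e68980b": ("BRUSHFIRE", "/tmp/.r", "Passive backdoor"),
    "6e01ef1367ea81994578526b3bd331d6": ("SPAWNSNARE", "/bin/dsmain", "Kernel extractor & encryptor"),
    "ce2b6a554ae46b5eb7d79ca5e7f440da": ("SPAWNWAVE", "/lib/libdsupgrade.so", "Implant utility"),
    "10659b392e7f5b30b375b94cae4fdca0": ("SPAWNSLOTH", "/tmp/.liblogblock.so", "Log tampering utility"),
}
# Reverse index: known IOC path -> family, for the "path present, hash differs" case.
IOC_BY_PATH = {path: family for family, path, _ in IOC_BY_MD5.values()}


def md5_of_file(path: str) -> str:
    """Stream the file through MD5. MD5 is an identifier here (it is the hash the
    IOC table is published in), not a security primitive."""
    h = hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(rel_path: str, md5: str) -> list:
    """Findings for one file, given its appliance-relative path (leading '/')
    and MD5. A hash match wins over a path match; a file whose path is listed
    but whose hash differs is flagged separately for follow-up, not as a verdict."""
    findings = []
    if md5 in IOC_BY_MD5:
        family, _, desc = IOC_BY_MD5[md5]
        findings.append({"kind": "hash_match", "path": rel_path,
                         "family": family, "description": desc})
    elif rel_path in IOC_BY_PATH:
        findings.append({"kind": "path_match", "path": rel_path,
                         "family": IOC_BY_PATH[rel_path],
                         "description": "listed IOC path present, hash differs; verify with ICT"})
    return findings


def scan(root: str) -> list:
    """Walk an offline file tree rooted at `root`, treating `root` as the
    appliance's '/', and return all findings. Symlinks are skipped so the
    scan cannot be redirected outside the tree."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            findings.extend(classify(rel, md5_of_file(full)))
    return findings


def demo() -> list:
    """Build a constructed sample tree (placeholder bytes, not real malware)
    containing a file at the TRAILBLAZE path plus an unrelated file, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tmp"))
        os.makedirs(os.path.join(root, "home", "bin"))
        with open(os.path.join(root, "tmp", ".i"), "wb") as f:
            f.write(b"constructed placeholder content\n")
        with open(os.path.join(root, "home", "bin", "benign"), "wb") as f:
            f.write(b"unrelated file\n")
        return scan(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real extracted tree with `scan("/mnt/appliance_image")` (a hypothetical mount point); each finding carries the matched family and the page's description so it can be fed straight into a ticket or SIEM event. Because the constructed sample cannot reproduce the published hashes, the demo yields a single path match, which is exactly the case an analyst should escalate to the ICT and a forensic review rather than close.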
More information is available here: