February 14 Advisory: Critical Vulnerabilities in Ivanti Connect Secure, Policy Secure, and CSA [CVE-2025-22467 & 3 Others]
Date of Disclosure (source): February 11, 2025
Several vulnerabilities were discovered in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Cloud Services Appliance (CSA) on February 11, 2025. Ivanti disclosed a total of ten vulnerabilities, eight in their February Security Advisory and two in their CSA Security Advisory. Of the ten newly identified vulnerabilities, four received CVSS scores of 9.1 or higher (critical severity).
Breakdown of critical vulnerabilities:
- CVE-2025-22467 is a stack-based overflow vulnerability affecting Ivanti Connect Secure prior to version 22.7R2.6, with a CVSS score of 9.9. Successful exploitation allows a remote authenticated attacker to achieve remote code execution (RCE).
- CVE-2024-38657 and CVE-2024-10644 are critical vulnerabilities affecting Ivanti Connect Secure (prior to version 22.7R2.4) and Policy Secure (prior to version 22.7R1.3), both earning a CVSS score of 9.1.
  - CVE-2024-38657 may allow a remote authenticated attacker with administrative privileges to write arbitrary files if exploited.
  - CVE-2024-10644 may allow a remote authenticated attacker with administrative privileges to achieve RCE if exploited.
- CVE-2024-47908 is a critical vulnerability affecting the admin web console of Ivanti Cloud Services Appliance (CSA) prior to version 5.0.5, with a CVSS score of 9.1. Successful exploitation allows a remote authenticated attacker with administrative privileges to achieve remote code execution (RCE).
It’s interesting that all of these vulnerabilities require authentication and all but one require administrative privileges. This represents a significant hurdle in successfully exploiting these vulnerabilities compared to those that allow unauthenticated exploitation. Despite this, all these vulnerabilities were assigned critical severity scores by Ivanti.
The vendor has stated that they are unaware of any of these vulnerabilities being actively exploited, although Ivanti vulnerabilities have historically been targeted.
As of February 12, 2025, there are 16 Ivanti vulnerabilities, including seven disclosed in the past year, listed in CISA’s Known Exploited Vulnerabilities catalog that affect one or more of the following products:
- Ivanti Pulse Secure (rebranded as Ivanti Connect Secure in 2020)
- Ivanti Connect Secure
- Ivanti Policy Secure
- Ivanti Cloud Services Appliance
Given the severity of these vulnerabilities and the historical targeting of Ivanti, organizations should move quickly to apply the patches and mitigations described in the vendor advisories.
Field | Details |
---|---|
CVE-ID | |
Vulnerability Description | |
Date of Disclosure | |
Affected Assets | |
Vulnerable Software Versions | |
PoC Available? | We did not observe any public exploits available for these vulnerabilities at the time of writing. |
Exploitation Status | We did not observe any of these vulnerabilities on CISA’s list of known exploited vulnerabilities, and Ivanti stated that they are unaware of any active exploitation. |
Patch Status | These vulnerabilities have been addressed and patched by Ivanti. See their February Security Advisory and CSA Security Advisory for more instructions. |
Censys Perspective
At the time of writing, Censys observed 33,232 exposed Ivanti Connect Secure and Ivanti CSA instances online. A large proportion of these (28%) are geolocated in the United States. Note that not all instances observed are necessarily vulnerable, as we do not always have specific versions available.
We did, however, see 14,574 instances of Ivanti Connect Secure exposing a version that may indicate vulnerability to CVE-2025-22467 (versions < 22.7R2.6) and CVE-2024-38657/CVE-2024-10644 (versions < 22.7R2.4). See the table below for the versions we saw most frequently exposed.
Version | Host Count |
---|---|
9.1.18 | 10106 |
9.1.14 | 919 |
22.3.17 | 711 |
8.3.7 | 497 |
9.1.11 | 249 |
9.1.15 | 194 |
22.2.16 | 142 |
8.1.15 | 126 |
9.1.12 | 120 |
9.1.13 | 118 |
A large number of these instances expose 9.X and 8.X versions of Ivanti Connect Secure (previously known as Pulse Connect Secure), which have reached their end of engineering and support dates. Ivanti has strongly urged customers to upgrade these instances to Ivanti Connect Secure 22.7 to take advantage of their new security updates and features.
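For triaging an inventory against the version thresholds above, here is an added example (not Censys or Ivanti code) that checks an Ivanti Connect Secure version string against the fixed versions quoted in this advisory and flags the 8.X/9.X end-of-support lines. It assumes the dotted form in the table is the vendor string with "R" replaced by "." (so 9.1.18 stands for 9.1R18); a match only indicates possible exposure by version, as noted above.

```python
import re

# Fixed versions quoted in this advisory for Ivanti Connect Secure (ICS).
ICS_FIXES = {
    "CVE-2025-22467": "22.7R2.6",
    "CVE-2024-38657": "22.7R2.4",
    "CVE-2024-10644": "22.7R2.4",
}

def parse_version(text):
    """Turn '22.7R2.6' or the dotted form '9.1.18' into a tuple of ints.

    Assumption: the dotted form is the vendor string with 'R' replaced
    by '.', so '9.1.18' is read as 9.1R18.
    """
    parts = re.split(r"[.Rr]", text.strip())
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_before(version, fixed):
    """True if version < fixed; the shorter tuple is padded with zeros."""
    a, b = parse_version(version), parse_version(fixed)
    a += (0,) * (len(b) - len(a))
    b += (0,) * (len(a) - len(b))
    return a < b

def triage(version):
    """Return (CVE ids whose fixed version is newer, end_of_support flag)."""
    cves = sorted(c for c, fixed in ICS_FIXES.items() if is_before(version, fixed))
    # The advisory notes 8.X and 9.X have reached end of engineering and support.
    end_of_support = parse_version(version)[0] in (8, 9)
    return cves, end_of_support

if __name__ == "__main__":
    # Constructed inventory: versions from the table above plus two 22.7 builds.
    for v in ["9.1.18", "22.3.17", "8.3.7", "22.7R2.5", "22.7R2.6"]:
        cves, eos = triage(v)
        print(f"{v:10} eos={eos!s:5} {', '.join(cves) or 'none of the three'}")
```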
Map of Exposed Ivanti Connect Secure and CSA Instances
services.software: (vendor="Ivanti" and product: {"Connect Secure", "Cloud Services Appliance"}) and not labels: {honeypot, tarpit}
(host.services.software: (vendor:"Ivanti" and product: {"Connect Secure", "Cloud Services Appliance"}) and not host.labels.value: {"HONEYPOT", "TARPIT"}) or (web.software: (vendor:"Ivanti" and product: {"Connect Secure", "Cloud Services Appliance"}) and not web.labels.value: {"HONEYPOT", "TARPIT"})
(host.services.software: (vendor="Ivanti" and product: {"Connect Secure", "Cloud Services Appliance"}) or web_entity.instances.software: (vendor="Ivanti" and product: {"Connect Secure", "Cloud Services Appliance"})) and not host.labels: {honeypot, tarpit}
Censys ASM Risk Query [CVE-2024-10644 & CVE-2024-38657]:
risks.name = "Vulnerable Ivanti Connect Secure Application [CVE-2024-10644 & CVE-2024-38657]"
Censys ASM Risk Query [CVE-2025-22467]:
risks.name = "Vulnerable Ivanti Connect Secure Application [CVE-2025-22467]"
References
- February Security Advisory Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs)
- Security Advisory Ivanti Cloud Services Application (CSA) (CVE-2024-47908, CVE-2024-11771)
- CVE-2025-22467 NVD Advisory
- CVE-2024-10644 NVD Advisory
- CVE-2024-47908 NVD Advisory