# [CRIT] CISA KEV: CVE-2025-22457 — Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability

**Source:** CISA KEV
**Published:** 2025-04-04
**Article:** https://www.cisa.gov/known-exploited-vulnerabilities-catalog

## Threat Profile

CISA KEV entry. The U.S. federal "Known Exploited Vulnerabilities" catalog only adds CVEs that have been **observed exploited in the wild**. Federal civilian agencies are required to remediate by the published due date; the same prioritisation logic applies to any sensible enterprise SOC.

Vendor / Product: **Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow**

## Indicators of Compromise

- CVE-2025-22457 — match against your vulnerability scanner

## MITRE ATT&CK

- **T1190 — Exploit Public-Facing Application** (KEV implies active exploitation against exposed assets)

## Recommended hunts

Standard asset-exposure hunt — the canonical Splunk SPL and Defender KQL
live once in [`../_TEMPLATES.md#asset-exposure`](../_TEMPLATES.md#asset-exposure).
Substitute this CVE wherever the template references `<CVE>`:

- **CVE:** `CVE-2025-22457`

## Why this matters

Anything in CISA KEV is *currently* being exploited. Even if your scanners say "not vulnerable" because of patches, it's worth one quick check across your fleet — patch lag is the silent killer. Federal due-date dates also frequently match the timing your organisation will be asked about by auditors / regulators.

## Source body

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contains a stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code execution.  Vendor: Ivanti, Product: Connect Secure, Policy Secure, and ZTA Gateways. Known ransomware use: Known. Federal patch due: 2025-04-11. CVE-2025-22457