A remote code execution (RCE) path has been demonstrated for Ivanti's Connect Secure VPN appliances, just days after in-the-wild exploitation of the underlying flaw was linked to a Chinese threat actor group, SecurityWeek reports. Researchers at Rapid7 reverse-engineered the vulnerability (CVE-2025-22457), which Ivanti had silently fixed in February without an advisory or a CVE assignment. Public disclosure and an official advisory came only after Mandiant's incident response team, investigating in-the-wild activity, traced the intrusions to the flaw.

The bug is an unchecked buffer overflow in the HTTP(S) web server component of Connect Secure. Rapid7 found that an attacker who supplies an oversized "X-Forwarded-For" header can overwrite adjacent memory, turning what looks like a simple crash into full RCE. Ivanti's initial internal assessment had dismissed the issue as a product bug that could not be exploited, because the bytes written past the buffer are limited to digits and periods; Rapid7's subsequent findings showed that this restriction can be worked around with more sophisticated techniques.

The publication of proof-of-concept exploit code underscores the widening gap between the capabilities of state-sponsored attackers and the patch-evaluation practices of some vendors. Rapid7 went from crash to working exploit in under a week, which shows how a silent fix leaves users exposed while threat actors quietly diff vendor updates and build attack chains. This case is a reminder that adversaries actively analyze patches to uncover undisclosed vulnerabilities.

The fix ships in Ivanti Connect Secure 22.7R2.6 and should be applied immediately. Ivanti has also committed to releasing updates for its Policy Secure and ZTA Gateway products later this month. In the meantime, organizations should monitor for repeated web server crashes: a failed exploitation attempt crashes the web server, so a run of crashes in a short period can indicate an attacker brute-forcing address space layout randomization (ASLR) during exploitation.
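To make the bug class concrete, here is an added illustration, not Ivanti's code and not derived from the Rapid7 analysis, of a request header value copied into a fixed-size stack buffer, beside the bounded version that checks the length first and rejects oversized input. The buffer size XFF_MAX, the function names and the constructed inputs are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration of the bug class, not Ivanti's code: a request
 * header value is copied into a fixed-size stack buffer. XFF_MAX is an
 * assumed size chosen for the example. */
#define XFF_MAX 64

/* Vulnerable pattern: the copy trusts the header length. A value of
 * XFF_MAX bytes or more runs past the end of buf into whatever follows it
 * on the stack, which is how a crash becomes a code-execution primitive.
 * Never call this with untrusted input; it is here only for comparison. */
void copy_xff_unsafe(const char *value, size_t value_len)
{
    char buf[XFF_MAX];
    memcpy(buf, value, value_len);      /* no check of value_len against sizeof buf */
    buf[value_len] = '\0';              /* also out of bounds when value_len >= XFF_MAX */
    printf("unsafe: forwarded chain = %s\n", buf);
}

/* Hardened pattern: check the length against the destination before copying,
 * reject (do not silently truncate) anything that does not fit, and always
 * NUL-terminate. Returns true when the value was accepted. */
bool copy_xff_safe(const char *value, size_t value_len, char *out, size_t out_len)
{
    if (out_len == 0 || value_len >= out_len)
        return false;                   /* would overflow: drop the header and log it */
    memcpy(out, value, value_len);
    out[value_len] = '\0';
    return true;
}

/* Helper for NUL-terminated inputs: does the value fit an XFF_MAX buffer? */
bool xff_fits(const char *value)
{
    char out[XFF_MAX];
    return copy_xff_safe(value, strlen(value), out, sizeof out);
}

int main(void)
{
    /* Constructed inputs: a normal proxy chain and an oversized header. */
    const char *normal = "203.0.113.5, 198.51.100.7";
    char oversized[300];
    memset(oversized, '1', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    copy_xff_unsafe(normal, strlen(normal));          /* fits, so no overflow here */
    printf("safe accepts normal:    %d\n", xff_fits(normal));
    printf("safe accepts oversized: %d\n", xff_fits(oversized));
    return 0;
}
```

The hardened version deliberately refuses the header rather than truncating it: a silently shortened X-Forwarded-For value would still be logged and trusted downstream, and refusing keeps the decision visible.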
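The monitoring advice above can be turned into a simple check. The following added example is not Ivanti's tooling; the log format, the component name "web" and the sample lines are constructed for the illustration. It counts web server crash events in a sliding time window and flags a burst, which is the pattern a failed ASLR brute-force attempt would leave behind.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample log, not output of any real Ivanti component. The
 * assumed format is "<epoch seconds> <component> <event> [details]". The
 * four crashes between 1744100120 and 1744100330 are the pattern to catch:
 * repeated web server restarts in a short window. The lone crash at
 * 1744103999 is about an hour later and should not contribute. */
static const char *SAMPLE_LOG[] = {
    "1744100000 web started",
    "1744100120 web crashed signal=11",
    "1744100135 web started",
    "1744100190 web crashed signal=11",
    "1744100201 web started",
    "1744100260 web crashed signal=11",
    "1744100275 web started",
    "1744100330 web crashed signal=11",
    "1744100345 web started",
    "1744103999 web crashed signal=11",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])
#define MAX_EVENTS 1024

/* Largest number of web crashes that fall inside any window of window_s
 * seconds. Lines must be in chronological order (log files normally are);
 * lines that do not parse, or are not web crashes, are skipped. */
long max_crashes_in_window(const char **lines, size_t n, long window_s)
{
    long ts[MAX_EVENTS];
    size_t count = 0;

    for (size_t i = 0; i < n && count < MAX_EVENTS; i++) {
        long t;
        char component[16], event[16];
        if (sscanf(lines[i], "%ld %15s %15s", &t, component, event) != 3)
            continue;
        if (strcmp(component, "web") == 0 && strcmp(event, "crashed") == 0)
            ts[count++] = t;
    }

    /* Two-pointer sweep: lo is the oldest crash still inside the window
     * that ends at ts[hi]. */
    long best = 0;
    size_t lo = 0;
    for (size_t hi = 0; hi < count; hi++) {
        while (ts[hi] - ts[lo] > window_s)
            lo++;
        if ((long)(hi - lo + 1) > best)
            best = (long)(hi - lo + 1);
    }
    return best;
}

/* Alert when at least threshold crashes land inside one window. */
int crash_burst_detected(const char **lines, size_t n, long window_s, long threshold)
{
    return max_crashes_in_window(lines, n, window_s) >= threshold;
}

int main(void)
{
    long burst = max_crashes_in_window(SAMPLE_LOG, SAMPLE_LOG_LEN, 600);
    printf("max web crashes in any 10-minute window: %ld\n", burst);
    printf("alert (>= 3 in 10 min): %s\n",
           crash_burst_detected(SAMPLE_LOG, SAMPLE_LOG_LEN, 600, 3) ? "yes" : "no");
    return 0;
}
```

The window and threshold are tuning knobs: a single crash can be a benign fault, but several within minutes, each followed by a restart, is the signature to escalate on, and the same sweep works on any crash or restart log once the parser line is adapted to its format.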
Patch/Configuration Management, Incident Response, Cybersecurity daily news
RCE Exploit Uncovered in Ivanti VPN After Silent Patch Oversight
