* Last update: 04/04/2025
* Affected software:
  - Pulse Connect Secure 9.1R18.9 and prior (END OF LIFE)
  - Ivanti Connect Secure 22.7R2.5 and prior
  - Ivanti Policy Secure 22.7R1.3 and prior
  - ZTA Gateways 22.8R2 and prior
* Type: Remote Code Execution
* CVE/CVSS
→ CVE-2025-22457: CVSS 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
CVE-2025-22457 is a critical vulnerability that severely impacts the affected systems' confidentiality, integrity and availability. It was first remediated in February 2025 and described as a product bug due to its high attack complexity.
The vulnerability is now being actively exploited in End-of-Support Pulse Connect Secure 9.1x appliances. However, other supported Ivanti products are also vulnerable, and exploitation could be observed in the future.
Threat actors have actively targeted Ivanti Connect Secure devices. Security researchers and government agencies (like CISA) have warned about state-sponsored attacks leveraging unpatched vulnerabilities in Ivanti's VPN appliances.
Google reported that vulnerabilities in Ivanti Connect Secure devices were being actively exploited in the wild in Q1 2025.
CVE-2025-22457 is a critical stack-based buffer overflow vulnerability that allows a remote unauthenticated attacker to achieve remote code execution.
The vulnerability affects multiple Ivanti products, but the risk significantly increases in unsupported product versions.
End Of Support
The CCB strongly advises owners of End-of-Support devices to contact Ivanti to migrate to a secure platform.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
For devices with no patches available yet, please monitor the patch release dates and patch once they become available. Make sure that appliances are not exposed to the internet if it is not necessary.
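One way to triage an appliance inventory against the affected versions listed in this advisory, as an added example that is not CCB or Ivanti code. The version-string format it parses (`major.minorRrelease[.patch]`), the verdict names, and the hostnames and versions in the sample inventory are assumptions constructed for illustration.

```python
import re

# Highest affected release per product, copied from the "Affected software" list.
AFFECTED_CEILING = {
    "Pulse Connect Secure": "9.1R18.9",
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.3",
    "ZTA Gateways": "22.8R2",
}
END_OF_LIFE = {"Pulse Connect Secure"}  # advisory: migrate, do not wait for a patch
# Assumed version format: major.minorRrelease[.patch], e.g. 22.7R2.5 or 22.8R2
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch part counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def triage(product, version):
    """Return 'migrate', 'patch', 'ok' or 'unknown' for one inventory entry."""
    if product not in AFFECTED_CEILING:
        return "unknown"
    if product in END_OF_LIFE:
        return "migrate"
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"  # unparseable versions go to manual review, never to 'ok'
    return "patch" if v <= parse_version(AFFECTED_CEILING[product]) else "ok"

INVENTORY = [  # constructed sample data: (hostname, product, reported version)
    ("vpn-a", "Ivanti Connect Secure", "22.7R2.5"),
    ("vpn-b", "Ivanti Connect Secure", "22.7R2.6"),
    ("nac-a", "Ivanti Policy Secure", "22.7R1.2"),
    ("zta-a", "ZTA Gateways", "22.8R2"),
    ("old-a", "Pulse Connect Secure", "9.1R18.9"),
    ("vpn-c", "Ivanti Connect Secure", "22.7r2"),
    ("vpn-d", "Ivanti Connect Secure", "unknown build"),
]

def triage_inventory(rows):
    return {host: triage(product, version) for host, product, version in rows}

if __name__ == "__main__":
    for host, verdict in triage_inventory(INVENTORY).items():
        print(f"{host}: {verdict}")
```

An `ok` verdict only means the reported version is above the affected range listed here; it says nothing about whether the appliance was compromised before it was updated.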
Run the Ivanti external Integrity Checker Tool (ICT) to detect signs of compromise. The ICT offers a snapshot of the current state of the appliance and cannot necessarily detect threat actor activity if the appliance has been returned to a clean state. The ICT does not scan for malware or IoCs.
In case of compromise, perform a factory reset on the appliances before updating to the latest non-vulnerable versions.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
https://www.cisa.gov/news-events/alerts/2025/03/28/cisa-releases-malware-analysis-report-resurge-malware-associated-ivanti-connect-secure
https://www.cisa.gov/news-events/analysis-reports/ar25-087a
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day