CVE-2025-22457


Every so often, a vulnerability surfaces that shakes up the cybersecurity community, catching the attention of researchers, enterprises, and threat actors all at once. CVE-2025-22457 is one of those bugs.
It was disclosed publicly by Ivanti themselves on March 29, 2025, via an update to their security advisory portal. Even though Ivanti was the first to disclose the previously unknown vulnerability, the actual exploitation predates the advisory by at least two weeks.
CVE-2025-22457 is an authentication bypass vulnerability in Ivanti's widely deployed Connect Secure and Policy Secure VPN appliances. The flaw is currently being actively exploited in the wild, with attackers using it to gain unauthenticated remote access, escalate privileges, and deploy post-exploitation payloads to maintain persistence or move laterally. According to multiple coordinated disclosures, including advisories from CISA, Volexity, and Mandiant, the flaw has been exploited by suspected Chinese state-sponsored threat actors since at least mid-March 2025. We don't know for certain whether Chinese APTs discovered the vulnerability themselves, but current evidence strongly suggests they were the first to exploit it as a zero-day, before any public disclosure or patch.
How CVE-2025-22457 Works: Under the Hood of the Authentication Bypass
The heart of this CVE is deceptively simple but extremely dangerous. It lies in how Ivanti Connect Secure and Policy Secure appliances handle session authentication, specifically how they interpret and validate session tokens such as DSID and CLIENTCERT, which are used to track authenticated users across web sessions.
Under normal conditions, when a user logs in to the Ivanti VPN interface, a secure session token is generated and assigned to their browser in the form of a cookie. This token is meant to act as proof of authentication on subsequent requests to sensitive endpoints. However, in the vulnerable versions of the software, this token is not properly validated against the session's origin, integrity, or expiration. Instead of verifying whether the session ID was generated through a legitimate authentication flow, the backend blindly trusts its presence. If the right cookie is included in the request, the system assumes the user is already authenticated.
The attacker doesn't need to know any valid credentials. They don't need to brute-force login pages or bypass MFA. They simply need to craft a request that includes a forged or replayed session token, and the appliance accepts it at face value, granting them full administrative access to the management interface. In practice, this can look as simple as an HTTP request to the administrative panel with a manually supplied DSID cookie set to an arbitrary or reused value. The system accepts the forged session and responds with privileged content as if the attacker were a fully authenticated administrator. This bypass is both silent and clean: no login is recorded, no audit trail is generated, and traditional monitoring tools may completely miss it unless they're specifically looking for anomalies in session token behavior.
Mitigations and Thoughts on the Vulnerability:
Ivanti released patches addressing CVE-2025-22457 through a cumulative security update issued on March 29, 2025. Ivanti has also provided an updated version of its Integrity Checker Tool, which scans the appliance for known indicators of compromise. That matters especially considering that some of the threat actor activity observed has been memory-resident or designed to evade file-based detection entirely.
What makes this vulnerability so frustrating is how simple it is. This isn't a complex exploit; it's a really basic failure to validate session tokens properly in a security product that's supposed to protect remote access. Ivanti's appliance trusted any request with the right-looking cookie, no matter where it came from or how it was generated. That's not just a bug, that's simply broken trust logic. The worst part? It was being exploited before anyone even knew it existed. Ivanti appliances need the same security hygiene, monitoring, and attention we give to endpoints and servers, or this cycle is just going to repeat.
More info on this if interested:
https://digital.nhs.uk/cyber-alerts/2025/cc-4641
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22457