CVE-2025-22457 affecting certain Ivanti products

12:00pm, 4 April 2025

TLP Rating: Clear

CVE-2025-22457 is a critical buffer overflow vulnerability affecting Ivanti Connect Secure, Pulse Connect Secure, Policy Secure and Neurons for ZTA gateways that could allow a remote attacker to achieve remote code execution. The NCSC is aware of public reporting of active exploitation against Ivanti Connect Secure and Pulse Connect Secure. 

What's happening

Systems affected

The vulnerability affects the following Ivanti products:

  • Ivanti Connect Secure versions 22.7R2.5 and earlier
  • Pulse Connect Secure versions 9.1x  
  • Policy Secure (all versions)
  • Neurons for ZTA gateways (all versions) 

What this means

Organisations running the affected product versions could be vulnerable to CVE-2025-22457.

What to do

Prevention

Update to one of the vendor-advised product versions.

More information

Vendor Advisory

https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457

CVE

NVD - CVE-2025-22457

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at media@ncsc.govt.nz.