Over 5,000 Ivanti VPN appliances still at risk after patches

After Ivanti patched a critical vulnerability in its Connect Secure software suite, security researchers discovered more than 5,113 unpatched instances publicly accessible from the internet as of April 6, 2025.

The vulnerability is tracked as CVE-2025-22457, with a CVSS severity score of 9.0 out of 10. It affects Ivanti Connect Secure versions 22.7R2.5 and earlier, Ivanti Policy Secure versions 22.7R1.3 and earlier, Pulse Connect Secure versions 9.1R18.9 and earlier, and ZTA Gateways versions 22.8R2 and earlier.

If exploited, it could be used to establish persistent backdoors on compromised devices, enabling credential theft, data extraction, and even lateral network movement. At the time of writing, patches for all affected Ivanti products have either already been issued or will be available later in April 2025.

Ivanti also confirmed that it knows of a “limited number of customers” whose Connect Secure and Pulse Connect Secure endpoints have been targeted. The exploit is also being used to deploy Trailblaze and Brushfire malware. The company says there is no evidence that Policy Secure or ZTA Gateways have been exploited in the wild.

Despite these warnings and the vulnerability being exploited in the wild, researchers at the Shadowserver Foundation have discovered more than 5,113 unpatched Ivanti Connect Secure and Pulse Secure endpoints accessible via the internet.

Most of the vulnerable instances observed by the researchers are older and out-of-service Pulse Connect Secure appliances that aren’t receiving any patches, having reached the end of support in December 2024. Users need to contact Ivanti to migrate to a supported version of Connect Secure.

Reports of the vulnerability being exploited in the wild have been public since March 2025, when cybersecurity firm Mandiant published a report documenting exploitation evidence. The threat actor highlighted in the report was UNC5221, a China-nexus hacking group that had likely studied Ivanti’s previous patches to devise new attack vectors.

Yadullah Abidi
