** The following has been updated to make clear the vulnerability was fully patched in Ivanti Connect Secure 22.7R2.6 (released February 11, 2025). 

At Ivanti, our mission is to empower customers to defend their environments in an evolving and increasingly sophisticated threat landscape. This includes providing industry-leading products, transparent communication, and sophisticated tools to help protect and fortify networks. Central to this mission is a culture of transparency and responsiveness, especially when facing a security issue. This is essential for the health and security of the entire industry and the organizations we serve.

To this end, we are issuing an important security update addressing a vulnerability in Pulse Connect Secure (version 9.1x, which reached end-of-support December 31, 2024), Ivanti Connect Secure (version 22.7R2.5 and earlier), Policy Secure and Neurons for ZTA gateways. We are reporting the vulnerability as CVE-2025-22457.

Customers have a significantly reduced risk from this vulnerability if they are running appliances on supported versions and in accordance with Ivanti's guidance:

  • This vulnerability was fully patched in Ivanti Connect Secure 22.7R2.6 (released February 11, 2025).
  • Ivanti Policy Secure should not be an internet-facing solution. Users who follow Ivanti’s guidance regarding internet exposure are at a reduced risk from this vulnerability.
  • Neurons for ZTA gateways cannot be exploited when in production.

We are aware of a limited number of customers whose appliances have been exploited and are running Ivanti Connect Secure 22.7R2.5 or earlier or Pulse Connect Secure 9.1x. At the time of this disclosure, we are not aware of any exploitation of this vulnerability in Ivanti Policy Secure or Neurons for ZTA gateways, which have meaningfully reduced risk from this vulnerability.

Pulse Connect Secure 9.1x reached End-of-Support on December 31, 2024, and no longer receives code support or changes. Customers who have not yet migrated from this solution will need to contact Ivanti for a migration path to Ivanti Connect Secure or migrate to another secure solution to ensure their security. Ivanti always encourages customers to remain on the latest version of software so they can benefit from important security and product enhancements.

We have made additional resources and support teams available to assist customers in implementing the patch and addressing any concerns. More information is available in this Security Advisory on the vulnerability and the nature of the threat so that customers can protect their environment.

Thank you to our customers and security partners for their engagement and support, which enabled our swift detection and response to this issue. We remain committed to continuously improving our products and processes through collaboration and transparency with our stakeholders and the broader security ecosystem.

Our Support team is always available to help customers and partners should they have any questions. Cases can be logged via the Success portal (login credentials required).

Want to stay up to date on Ivanti Security Advisories? Paste https://www.ivanti.com/blog/topics/security-advisory/rss into your preferred RSS reader or the RSS functionality in your email program.