A critical vulnerability, CVE-2025-22467, in Ivanti Connect Secure (ICS) devices remains unpatched on approximately 2,850 instances worldwide, leaving them vulnerable to remote code execution (RCE) attacks.
This flaw, with a CVSS score of 9.9, is categorized as a stack-based buffer overflow and affects ICS versions prior to 22.7R2.6.
Shadowserver Foundation’s latest scans reveal the United States (852 devices) and Japan (384 devices) as the most affected regions.
Overview of CVE-2025-22467
The flaw (CVE-2025-22467) arises from improper handling of user input, enabling authenticated attackers to execute arbitrary code remotely.
If exploited, this could lead to full system compromise, jeopardizing sensitive data and critical operations. The vulnerability is particularly dangerous because it requires only low attack complexity and limited privileges for exploitation.
While no active exploits have been publicly reported, the potential for abuse remains high given the vulnerability’s severity.
Shadowserver’s daily assessments reveal a significant prevalence of vulnerable devices across various nations. In the United States, there are 852 identified vulnerable devices. Japan is reported to have 384 vulnerable devices, while China has 129. Additional countries affected include Canada, with 84 vulnerable devices; Australia, with 27; and India, with 29, among others.
We started scanning & reporting out Ivanti Connect Secure CVE-2025-22467 vulnerable (unpatched) instances in our daily feeds. ~2850 IP seen unpatched worldwide in our daily scans.
Top affected: US (852) & Japan (384)
Dashboard world map view: https://t.co/Da4ekpkJbG
— The Shadowserver Foundation (@Shadowserver) February 25, 2025
The prevalence of unpatched systems underscores a critical lag in applying Ivanti’s security updates. This delay exposes organizations to cyberattacks, including espionage and ransomware campaigns.
Ivanti has released patches addressing CVE-2025-22467 in ICS version 22.7R2.6.
Administrators are urged to:
- Update all ICS installations to the latest version immediately.
- Monitor systems for signs of compromise.
- Implement robust access controls and network segmentation to limit potential exploitation.
The cybersecurity landscape has seen sophisticated threat actors repeatedly target ICS appliances.
In recent months, vulnerabilities like CVE-2025-0282 have been exploited to implant malware such as SPAWNCHIMERA, further emphasizing the urgency of proactive patch management.
Shadowserver’s findings highlight the need for global coordination in vulnerability disclosure and remediation efforts. Their reports provide actionable intelligence to help organizations identify and secure exposed systems.
With over 33,000 ICS instances publicly exposed online, attackers have a window of opportunity unless immediate action is taken.
Organizations must prioritize patching and adopt a zero-trust approach to mitigate risks associated with these critical vulnerabilities.