Dutch organizations vulnerable to unpatched Ivanti systems affected by the CVE-2025-22457 vulnerability
Reported on April 08, 2025.

Organizations of all kinds in the Netherlands are running Ivanti systems that contain an actively exploited vulnerability, according to The Shadowserver Foundation, which counted more than 5100 vulnerable systems worldwide, one hundred and forty of them in the Netherlands. The German government is also sounding the alarm and reports that 240 vulnerable Ivanti systems are active in that country.

The vulnerability (CVE-2025-22457) in Ivanti Connect Secure, Pulse Connect Secure, Policy Secure, and ZTA Gateways could allow an unauthenticated attacker to remotely execute code on and compromise vulnerable systems. Ivanti Connect Secure, previously known as Pulse Connect Secure, is a VPN solution that gives users access to their organization's network. Pulse Connect Secure 9.1.x has been end-of-support since December 31 last year and no longer receives updates.

The impact of the vulnerability has been rated 9.0 on a scale of 1 to 10. It was fixed on February 11, 2025, with the release of Ivanti Connect Secure 22.7R2.6, but was initially classified as a "product bug". Ivanti announced the existence of the vulnerability on April 3. No updates are available for Pulse Connect Secure.

The Shadowserver Foundation scanned the internet for vulnerable Ivanti systems and counted 5113 unpatched instances. Of these, one hundred and forty are in the Netherlands and 244 in Germany. The Bundesamt für Sicherheit in der Informationstechnik (BSI), part of the German Ministry of the Interior, says that a large share of these are end-of-support and will not receive patches.

Because of the attacks, the US government is advising organizations that use Ivanti software to perform a factory reset. For all instances of Ivanti Connect Secure that were not patched to version 22.7R2.6 by February 28 this year, and for all instances of Pulse Connect Secure, Policy Secure, and ZTA Gateways, CISA recommends performing a factory reset for the highest level of confidence, regardless of whether investigation indicates that the system has been compromised.

Mandiant said that exploitation of the vulnerability has been taking place since at least mid-March. The security company suspects that the attacker analyzed the patch released on February 11 and discovered a way to use the vulnerability for remote code execution. Through the vulnerability, the attackers install backdoors on VPN servers.
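As an added, defender-side example (not code from the article, Ivanti or CISA), the CISA triage rules above can be applied to an appliance inventory: parse the Ivanti-style version string, compare it to the fixed build 22.7R2.6, and decide which hosts need a factory reset. The inventory schema, host names, versions and patch dates are constructed for illustration.

```python
import re
from datetime import date

# From the article: CVE-2025-22457 was fixed in Ivanti Connect Secure 22.7R2.6, and
# CISA's factory-reset guidance covers instances not on that build by 28 Feb 2025.
FIXED_VERSION = "22.7R2.6"
CISA_CUTOFF = date(2025, 2, 28)
# Products the article says have no fix; CISA advises a factory reset for all of them.
NO_FIX_PRODUCTS = {"Pulse Connect Secure", "Policy Secure", "ZTA Gateways"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Turn an Ivanti-style version string such as '22.7R2.6' into a comparable tuple.
    A missing trailing patch number ('22.7R2') is treated as .0; bad input raises ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def triage(record):
    """Classify one appliance record (hypothetical inventory schema: product, version,
    patched_on as a date or None) as 'patched', 'factory-reset' or 'patch-and-factory-reset'."""
    if record["product"] in NO_FIX_PRODUCTS:
        return "factory-reset"  # no update exists; reset is the only guidance
    if parse_version(record["version"]) < parse_version(FIXED_VERSION):
        return "patch-and-factory-reset"  # still vulnerable: reset, then bring to 22.7R2.6
    patched_on = record.get("patched_on")
    if patched_on is None or patched_on > CISA_CUTOFF:
        return "factory-reset"  # fixed build, but not in place by the CISA cutoff (or unknown)
    return "patched"


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    {"host": "vpn-a", "product": "Ivanti Connect Secure", "version": "22.7R2.6", "patched_on": date(2025, 2, 14)},
    {"host": "vpn-b", "product": "Ivanti Connect Secure", "version": "22.7R2.6", "patched_on": date(2025, 4, 4)},
    {"host": "vpn-c", "product": "Ivanti Connect Secure", "version": "22.7R2.5", "patched_on": None},
    {"host": "vpn-d", "product": "Pulse Connect Secure", "version": "9.1R18.9", "patched_on": None},
]


def triage_inventory(records):
    """Map each host name to its required action."""
    return {r["host"]: triage(r) for r in records}


if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```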