Network Security, Vulnerability Management

Exploitation of Ivanti VPN flaw to achieve RCE detailed

Rapid7 researchers have detailed how the critical flaw in Ivanti Connect Secure VPN appliances, tracked as CVE-2025-22457, can be exploited to achieve remote code execution. The disclosure comes less than a week after Mandiant reported that a Chinese threat group had been exploiting the bug in the wild, SecurityWeek reports.

The vulnerability is a buffer overflow, caused by a missing bounds check, in the HTTP(S) web server component of Ivanti Connect Secure. While it can be abused simply to crash the web server, Rapid7's researchers showed that manipulating the length of the "X-Forwarded-For" header allows full remote code execution. They also noted that state-sponsored threat actors have the resources to reverse-engineer released software fixes and derive working exploits from them.

Both Rapid7 and Ivanti have urged organizations to review any web server crashes on their Connect Secure instances, because failed exploitation attempts leave exactly that trace. "This is due to how the exploit, in lieu of a suitable info leak to break ASLR, must rely upon brute forcing an address of a shared object library in the web server process. Every failed attempt to guess the correct address will result in the web server process crashing, and subsequently restarting," said Rapid7.
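The crash-and-restart pattern Rapid7 describes is the detection opportunity a defender has while the brute force is still running. The script below is an added illustration, not code from Rapid7, Ivanti or the article: it scans a constructed process log for bursts of web server crash/restart cycles and a constructed request log for oversized X-Forwarded-For headers. Both log formats, the field name xff_len, the 10-minute window, the crash threshold and the 256-byte header limit are assumptions for the example and do not reflect Ivanti's real log schema.

```python
"""Flag repeated web server crash/restart cycles and oversized X-Forwarded-For
headers. Added example; log formats and thresholds below are hypothetical."""
import re
from collections import deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample process log (hypothetical format): one isolated crash in the
# morning, then a burst of crash/restart cycles consistent with repeated guessing.
SAMPLE_PROCESS_LOG = """\
2025-04-04T08:15:22Z web[1188] crashed (signal 11)
2025-04-04T08:15:24Z web[1189] started
2025-04-04T10:00:01Z web[1189] crashed (signal 11)
2025-04-04T10:00:03Z web[1202] started
2025-04-04T10:00:41Z web[1202] crashed (signal 11)
2025-04-04T10:00:43Z web[1203] started
2025-04-04T10:01:19Z web[1203] crashed (signal 11)
2025-04-04T10:01:21Z web[1204] started
2025-04-04T10:02:05Z web[1204] crashed (signal 11)
2025-04-04T10:02:07Z web[1205] started
2025-04-04T10:02:50Z web[1205] crashed (signal 11)
2025-04-04T10:02:52Z web[1206] started
"""

# Constructed sample request log (hypothetical format) that records the byte
# length of the X-Forwarded-For header each request carried.
SAMPLE_REQUEST_LOG = """\
2025-04-04T10:00:00Z 203.0.113.7 GET / xff_len=14
2025-04-04T10:00:00Z 203.0.113.7 GET / xff_len=4096
2025-04-04T10:00:40Z 203.0.113.7 GET / xff_len=4096
2025-04-04T10:01:18Z 203.0.113.7 GET / xff_len=4096
2025-04-04T10:05:00Z 198.51.100.2 GET / xff_len=15
"""

CRASH_RE = re.compile(r"^(?P<ts>\S+) web\[\d+\] crashed")
REQ_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) \S+ \S+ xff_len=(?P<len>\d+)$")


def parse_crash_times(log_text):
    """Return the timestamps of every web server crash line, in file order."""
    times = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            times.append(datetime.strptime(m.group("ts"), TS_FMT))
    return times


def detect_crash_bursts(times, window=timedelta(minutes=10), threshold=3):
    """Sliding-window burst detector.

    Returns one (first_crash, last_crash, crash_count) tuple per burst, where a
    burst is any run in which at least `threshold` crashes fall inside `window`.
    A burst is reported once and extended while it continues, so a sustained
    brute force produces a single alert with a growing count.
    """
    recent = deque()
    bursts = []
    in_burst = False
    for ts in sorted(times):
        recent.append(ts)
        while recent and ts - recent[0] > window:   # drop crashes outside the window
            recent.popleft()
        if len(recent) >= threshold:
            if not in_burst:
                bursts.append([recent[0], ts, len(recent)])
                in_burst = True
            else:
                bursts[-1][1] = ts
                bursts[-1][2] += 1
        else:
            in_burst = False
    return [tuple(b) for b in bursts]


def oversized_xff_sources(log_text, max_len=256):
    """Map source address -> number of requests whose X-Forwarded-For header
    exceeded max_len bytes. A legitimate header is a short list of proxy IPs,
    so anything near the kilobyte range deserves a look (threshold is assumed)."""
    counts = {}
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if m and int(m.group("len")) > max_len:
            counts[m.group("src")] = counts.get(m.group("src"), 0) + 1
    return counts


if __name__ == "__main__":
    for start, end, n in detect_crash_bursts(parse_crash_times(SAMPLE_PROCESS_LOG)):
        print(f"ALERT: {n} web server crashes between {start:{TS_FMT}} and {end:{TS_FMT}}")
    for src, n in oversized_xff_sources(SAMPLE_REQUEST_LOG).items():
        print(f"ALERT: {src} sent {n} requests with an oversized X-Forwarded-For header")
```

On the constructed data the isolated 08:15 crash is ignored and the five crashes between 10:00 and 10:03 are reported as one burst, while the single source that sent three oversized headers is flagged in the request log. Correlating the two signals in time is what turns "the web server restarted again" into an exploitation attempt worth escalating.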
