The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-22457, a critical vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways, to its Known Exploited Vulnerabilities (KEV) Catalog.

It impacts Ivanti Connect Secure (versions 22.7R2.5 and earlier), Pulse Connect Secure (versions 9.1R18.9 and prior, End-of-Support since December 31, 2024), Ivanti Policy Secure (versions 22.7R1.3 and prior), and ZTA Gateways (versions 22.8R2 and prior).

Ivanti patched Connect Secure in version 22.7R2.6 on February 11, 2025, with patches for Policy Secure and ZTA Gateways due on April 21 and April 19, respectively.

If no compromise is detected, conduct a factory reset with a clean image for cloud/virtual systems, apply the patches above per Ivanti's advisory, monitor authentication services, audit privileged accounts, and consider disconnecting vulnerable devices until patched.

If a compromise is confirmed, isolate affected devices, take forensic images or coordinate with Ivanti, perform a factory reset with a clean image, revoke and reissue certificates, keys, and passwords (including admin and API credentials), reset domain account passwords twice, revoke Kerberos tickets, disable cloud-joined devices, apply patches, and report to CISA at [email protected] or (888) 282-0870, and to Ivanti.

CISA's guidance and Ivanti's updates offer a clear path to secure systems and prevent further exploitation in a challenging cyber landscape. With patches available for Connect Secure and forthcoming for other products, organizations must act quickly to mitigate risks from sophisticated actors like UNC5221.
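The first step in the guidance above is knowing which appliances fall inside the affected version ranges. The following script is an added example, not code from the article, CISA or Ivanti: it parses the version strings quoted above and triages an inventory against the per-product boundaries. The version grammar (`MAJOR.MINOR` + `R` + `RELEASE[.PATCH]`) and the sample inventory are my assumptions; the boundaries, fixed version and end-of-support status come from the article. A version above a boundary is reported only as "outside the stated range", not as safe, because the article lists no other branches.

```python
import re

# Added example: triage an Ivanti appliance inventory against the CVE-2025-22457
# version boundaries quoted in the article. The version-string grammar is an
# assumption about Ivanti's "MAJOR.MINORrRELEASE[.PATCH]" format.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch field counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


# Highest affected version per product, as quoted in the article.
LAST_AFFECTED = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Pulse Connect Secure": "9.1R18.9",
    "Ivanti Policy Secure": "22.7R1.3",
    "ZTA Gateways": "22.8R2",
}

# Fix state at publication (4 Apr 2025): only Connect Secure had a patch;
# Pulse Connect Secure has been end-of-support since 31 Dec 2024.
FIXED_VERSION = {"Ivanti Connect Secure": "22.7R2.6"}
END_OF_SUPPORT = {"Pulse Connect Secure"}


def assess(product: str, version: str) -> dict:
    """Classify one appliance.

    'affected' means at or below the advisory boundary; anything above it is
    only 'outside the stated range', not proven safe.
    """
    if product not in LAST_AFFECTED:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    current = parse_version(version)
    boundary = parse_version(LAST_AFFECTED[product])
    affected = current <= boundary  # tuple comparison handles each field in order
    if not affected:
        action = "not in stated affected range; verify against vendor advisory"
    elif product in END_OF_SUPPORT:
        action = "end-of-support: no patch expected; migrate or disconnect"
    elif product in FIXED_VERSION:
        action = f"patch to {FIXED_VERSION[product]} after integrity check"
    else:
        action = "patch not yet available: consider disconnecting until patched"
    return {"product": product, "version": version,
            "affected": affected, "action": action}


def triage(inventory):
    """Assess (product, version) pairs; affected appliances sort first."""
    results = [assess(product, version) for product, version in inventory]
    results.sort(key=lambda r: (not r["affected"], r["product"]))
    return results


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    ("Ivanti Connect Secure", "22.7R2.6"),
    ("Ivanti Connect Secure", "22.7R2.5"),
    ("Ivanti Policy Secure", "22.7R1.3"),
    ("ZTA Gateways", "22.8R2"),
    ("Pulse Connect Secure", "9.1R18.9"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        flag = "AFFECTED" if r["affected"] else "check"
        print(f"{flag:9} {r['product']:22} {r['version']:10} {r['action']}")
```

Feed it the output of whatever inventory source you already have (CMDB export, scanner results); the point is that version comparison must be field-by-field, since a plain string compare would rank "22.7R2.10" below "22.7R2.5".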
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 04 Apr 2025 22:20:12 +0000