CVE-2025-22457: Python Exploit POC Scanner to Detect Ivanti Connect Secure RCE

This script helps identify Ivanti Connect Secure, Policy Secure, or ZTA Gateways that may be vulnerable to CVE-2025-22457, a critical unauthenticated stack-based buffer overflow in the web process triggered via a crafted `X-Forwarded-For` header. It can also identify the remote target's version by scraping the version information from the HTTP response.
Inspired by early work to build a Nuclei template, this script was created after discovering that Nuclei could not handle cases where no response is received from the target, which is essential to reliably detect this issue.
Original research and disclosure:
Shodan Query: http.favicon.hash:-485487831
4,260 Results as of April 9, 2025
When the payload is successful, the target system logs:

```text
ERROR31093: Program web recently failed.
```

This can be used to build log-based detections in addition to the scan.
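As an added example (not part of this repository), the following Python scans forwarded appliance logs for the ERROR31093 message quoted above and groups repeated crashes into bursts for triage ordering. Only the message text comes from this page; the syslog-style line layout, the hostname and the timestamps in the sample are constructed assumptions.

```python
"""Log-based detection for the ERROR31093 crash indicator quoted above."""
import re
from datetime import datetime, timedelta

# Only this message text comes from the README; the syslog-style layout of the
# sample lines below is an assumption about how an appliance forwards its logs.
CRASH_MESSAGE = "ERROR31093: Program web recently failed."

# Tolerant match: an ISO-8601 timestamp (optional zone suffix) before the message.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:Z|[+-]\d{2}:\d{2})?.*"
    + re.escape(CRASH_MESSAGE)
)

# Constructed sample log, not real appliance output: three crashes inside one
# minute, one unrelated line, and one isolated crash hours later.
SAMPLE_LOG = """\
2025-04-09T10:00:00Z ics01 - constructed unrelated log line
2025-04-09T10:03:12Z ics01 - ERROR31093: Program web recently failed.
2025-04-09T10:03:40Z ics01 - ERROR31093: Program web recently failed.
2025-04-09T10:04:05Z ics01 - ERROR31093: Program web recently failed.
2025-04-09T14:22:51Z ics01 - ERROR31093: Program web recently failed.
"""

def parse_crash_events(lines):
    """Return the sorted timestamps of every line carrying the crash message."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append(datetime.fromisoformat(m.group("ts")))
    return sorted(events)

def find_crash_bursts(events, threshold=2, window=timedelta(minutes=5)):
    """Group crashes within `window` of the group's first crash and return the
    groups with at least `threshold` members as (first, last, count)."""
    bursts, i = [], 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1] - events[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((events[i], events[j], j - i + 1))
        i = j + 1
    return bursts

if __name__ == "__main__":
    crashes = parse_crash_events(SAMPLE_LOG.splitlines())
    print(f"{len(crashes)} crash event(s); bursts: {find_crash_bursts(crashes)}")
```

Every match is an event worth review on its own; the burst grouping only ranks clusters above the isolated crash that the scanner's follow-up step also treats as possibly incidental.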
The script sends a long `X-Forwarded-For` header to vulnerable `.cgi` endpoints. It supports two modes:

- Version-only mode:
  - Fingerprints the target and grabs the version.
  - Determines whether the target is vulnerable based on version only, with no attempt to trigger the buffer overflow.
- Detailed mode (`--mode detailed`):
  - Sends a pre-check request and expects HTTP 200.
  - Sends the crash payload and expects no response.
  - Sends a follow-up request to ensure the crash wasn't incidental.
  - Only if all three steps behave as expected is the system marked as vulnerable.
Install requirements:

```bash
pip install requests
```

Usage:

```bash
python cve_2025_22457_check.py --target https://example.com
python cve_2025_22457_check.py --target https://example.com --mode detailed
python cve_2025_22457_check.py --input targets.txt --mode detailed
python cve_2025_22457_check.py --input targets.txt --mode detailed --output vulnerable.txt
```
The default path `/dana-na/auth/url_default/welcome.cgi` can be changed by Ivanti administrators and may result in false negatives. A secondary hardcoded path `/dana-na/setup/psaldownload.cgi` is included, which cannot be modified and still triggers the vulnerability. Any `.cgi` endpoint appears potentially affected.
Sample output:

```text
Pre-check successful (HTTP 200)
No response to payload (expected crash behavior).
Follow-up request returned HTTP 200. Crash condition verified.
VULNERABLE: https://example.com/dana-na/setup/psaldownload.cgi
```