Skip to content

securekomodo/CVE-2025-22457

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
 
 
 
 

Repository files navigation

CVE-2025-22457

CVE-2025-22457: Python Exploit POC Scanner to Detect Ivanti Connect Secure RCE

image

This script helps identify Ivanti Connect Secure, Policy Secure, or ZTA Gateways that may be vulnerable to CVE-2025-22457, a critical unauthenticated stack-based buffer overflow in the web process triggered via a crafted X-Forwarded-For header. It can also identify the remote targets version based on scraping the version information from the HTTP response.

Inspired by early work to build a Nuclei template, this script was created after discovering that Nuclei could not handle cases where no response is received from the target, which is essential to reliably detect this issue.

📖 Background

Original research and disclosure:

Shodan Query: http.favicon.hash:-485487831

4,260 Results as of April 9, 2025

When the payload is successful, the target system logs: ERROR31093: Program web recently failed.

This can be used to build log-based detections in addition to the scan.

🔍 How It Works

The script sends a long X-Forwarded-For header to vulnerable .cgi endpoints. It supports two modes:

Quick Mode (default)

  • Fingerprints the target and grabs the version
  • Determines if vulnerable based on version only, no attempt at triggering buffer overflow.

Detailed Mode

  • Sends a pre-check request and expects HTTP 200.
  • Sends the crash payload and expects no response.
  • Sends a follow-up request to ensure the crash wasn’t incidental.
  • Only if all three steps behave as expected is the system marked as vulnerable.

🛠 Usage

Install requirements:

pip install requests

Scan a single target

python cve_2025_22457_check.py --target https://example.com

Use detailed mode

python cve_2025_22457_check.py --target https://example.com --mode detailed

Scan a list of targets from file

python cve_2025_22457_check.py --input targets.txt --mode detailed

Output results to a file

python cve_2025_22457_check.py --input targets.txt --mode detailed --output vulnerable.txt

📌 How It Works

The default path /dana-na/auth/url_default/welcome.cgi can be changed by Ivanti administrators and may result in false negatives.

A secondary hardcoded path /dana-na/setup/psaldownload.cgi is included, which cannot be modified and still triggers the vulnerability. Any .cgi endpoint appears potentially affected.

✅ Example Output

Pre-check successful (HTTP 200)
No response to payload (expected crash behavior).
Follow-up request returned HTTP 200. Crash condition verified.
VULNERABLE: https://example.com/dana-na/setup/psaldownload.cgi

About

CVE-2025-22457: Python Exploit POC Scanner to Detect Ivanti Connect Secure RCE

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages