PoC Exploit Released for Ivanti Connect Secure RCE Vulnerability

A serious security flaw has been identified in Ivanti Connect Secure, designated as CVE-2025-0282, which enables remote unauthenticated attackers to execute arbitrary code.

As of January 8, 2025, Ivanti has acknowledged the existence of this stack-based buffer overflow vulnerability found in versions before 22.7R2.5.

 This vulnerability is particularly concerning due to its high attack vector stemming from network access, requiring no user interaction or special privileges to exploit.

Security analysts have rated the attacker value as Very High, with an exploitability assessment of High, emphasizing the urgent need for organizations using Ivanti Connect Secure to implement the provided patches and mitigations.

The Common Vulnerability Scoring System (CVSS) for this flaw stands at 9.0, signifying its critical nature.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Technical Analysis

On January 10, 2025, security firm watchTowr released a comprehensive analysis of CVE-2025-0282, detailing the mechanisms of exploitation, as per a report by AttackerKB.

The flaw affects the IF-T/TLS protocol handler within the HTTPS web server, which generally operates on TCP port 443.

Attackers can leverage this vulnerability to gain remote code execution (RCE) with non-root privileges, referred to in the exploit literature as the “nr” user.

The discovery of this exploit in the wild was first reported by Mandiant around mid-December 2024, with subsequent analyses confirming the potential for significant damage.

Notably, Ivanti issued a related patch addressing another vulnerability, CVE-2025-0283, which concerns local user privilege escalation. However, there are currently no reports of exploitation for this second vulnerability.

Exploitation Details

The exploitation process for CVE-2025-0282 relies on bypassing Address Space Layout Randomization (ASLR) by successfully guessing the base address of a relevant shared library.

In testing environments, attempts to exploit this vulnerability showed that an attacker could expect to take roughly 30 minutes to successfully guess the correct address, though this varies based on several factors, including network conditions and the specific hardware involved.

To demonstrate the exploit, a proof-of-concept (PoC) script has been released, named CVE-2025-0282.rb. This Ruby script can be utilized against vulnerable instances as follows:

C:\Users\sfewer\Desktop\CVE-2025-0282>ruby CVE-2025-0282.rb -t 192.168.86.111 -p 443

Example Execution

An example scenario illustrates the PoC in action. The script targets an Ivanti Connect Secure instance at IP address 192.168.86.111. Upon execution, the script will initiate a series of attempts to trigger the vulnerability:

[+] Targeting 192.168.86.111:443

[+] Detected version 22.7.2.3597

[2025-01-16 14:39:56 +0000] Starting...

After multiple iterations, successful execution is confirmed when a new file appears in the /var/tmp/ directory on the compromised device. For instance:

bash-4.2# ls -al /var/tmp/hax*

-rw-r--r-- 1 nr nr 0 Jan 16 07:10 /var/tmp/haxor_191

The release of a PoC exploit for CVE-2025-0282 underscores the urgent need for organizations employing Ivanti Connect Secure to apply the latest security updates.

Given the high potential for exploitation and the significant risk to sensitive data handled by the affected systems, immediate action is essential to safeguard against possible breaches.

Additionally, IT security teams must prioritize patching efforts and monitor their networks for any signs of attempted exploitation.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar