Cyber Security News

PoC Exploit Released for Ivanti Connect Secure RCE Vulnerability

A serious security flaw has been identified in Ivanti Connect Secure, designated as CVE-2025-0282, which enables remote unauthenticated attackers to execute arbitrary code.

As of January 8, 2025, Ivanti has acknowledged the existence of this stack-based buffer overflow vulnerability found in versions before 22.7R2.5.

 This vulnerability is particularly concerning due to its high attack vector stemming from network access, requiring no user interaction or special privileges to exploit.

Security analysts have rated the attacker value as Very High, with an exploitability assessment of High, emphasizing the urgent need for organizations using Ivanti Connect Secure to implement the provided patches and mitigations.

The Common Vulnerability Scoring System (CVSS) for this flaw stands at 9.0, signifying its critical nature.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Technical Analysis

On January 10, 2025, security firm watchTowr released a comprehensive analysis of CVE-2025-0282, detailing the mechanisms of exploitation, as per a report by AttackerKB.

The flaw affects the IF-T/TLS protocol handler within the HTTPS web server, which generally operates on TCP port 443.

Attackers can leverage this vulnerability to gain remote code execution (RCE) with non-root privileges, referred to in the exploit literature as the “nr” user.

The discovery of this exploit in the wild was first reported by Mandiant around mid-December 2024, with subsequent analyses confirming the potential for significant damage.

Notably, Ivanti issued a related patch addressing another vulnerability, CVE-2025-0283, which concerns local user privilege escalation. However, there are currently no reports of exploitation for this second vulnerability.

Exploitation Details

The exploitation process for CVE-2025-0282 relies on bypassing Address Space Layout Randomization (ASLR) by successfully guessing the base address of a relevant shared library.

In testing environments, attempts to exploit this vulnerability showed that an attacker could expect to take roughly 30 minutes to successfully guess the correct address, though this varies based on several factors, including network conditions and the specific hardware involved.

To demonstrate the exploit, a proof-of-concept (PoC) script has been released, named CVE-2025-0282.rb. This Ruby script can be utilized against vulnerable instances as follows:

C:\Users\sfewer\Desktop\CVE-2025-0282>ruby CVE-2025-0282.rb -t 192.168.86.111 -p 443

Example Execution

An example scenario illustrates the PoC in action. The script targets an Ivanti Connect Secure instance at IP address 192.168.86.111. Upon execution, the script will initiate a series of attempts to trigger the vulnerability:

[+] Targeting 192.168.86.111:443

[+] Detected version 22.7.2.3597

[2025-01-16 14:39:56 +0000] Starting...

After multiple iterations, successful execution is confirmed when a new file appears in the /var/tmp/ directory on the compromised device. For instance:

bash-4.2# ls -al /var/tmp/hax*

-rw-r--r-- 1 nr nr 0 Jan 16 07:10 /var/tmp/haxor_191

The release of a PoC exploit for CVE-2025-0282 underscores the urgent need for organizations employing Ivanti Connect Secure to apply the latest security updates.

Given the high potential for exploitation and the significant risk to sensitive data handled by the affected systems, immediate action is essential to safeguard against possible breaches.

Additionally, IT security teams must prioritize patching efforts and monitor their networks for any signs of attempted exploitation.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all encrypted…

1 day ago

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning and…

2 days ago

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is transmitted…

2 days ago

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services (IIS)…

2 days ago

Hackers Leveraging Image & Video Attachments to Deliver Malware

Cybercriminals are increasingly exploiting image and video files to deliver malware, leveraging advanced techniques like…

2 days ago

New Scareware Attack Targeting Mobile Users to Deploy Malicious Antivirus Apps

A new wave of scareware attacks has emerged, targeting unsuspecting mobile users with fake antivirus…

2 days ago