securekomodo/CVE-2025-22457

CVE-2025-22457

CVE-2025-22457: Python Exploit POC Scanner to Detect Ivanti Connect Secure RCE

This script helps identify Ivanti Connect Secure, Policy Secure, or ZTA Gateways that may be vulnerable to CVE-2025-22457, a critical unauthenticated stack-based buffer overflow in the web process triggered via a crafted X-Forwarded-For header. It can also identify the remote target's version by scraping the version information from the HTTP response.

Inspired by early work to build a Nuclei template, this script was created after discovering that Nuclei could not handle cases where no response is received from the target, which is essential to reliably detect this issue.

📖 Background

Original research and disclosure:

Shodan Query: http.favicon.hash:-485487831

4,260 Results as of April 9, 2025

When the payload is successful, the target system logs: ERROR31093: Program web recently failed.

This can be used to build log-based detections in addition to the scan.
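An added example (not part of this repository) of the log-based detection suggested above: it scans forwarded appliance log lines for the ERROR31093 message and groups repeated web-process crashes into bursts, since a cluster of crashes in a short window is more indicative of probing than a single failure. The sample lines are constructed and their "YYYY-MM-DD HH:MM:SS host message" layout is an assumption; adapt the timestamp parsing to the log format your appliance actually forwards.

```python
import re
from datetime import datetime, timedelta

# Message the README says the appliance logs when the payload succeeds.
CRASH_RE = re.compile(r"ERROR31093: Program web recently failed")

# Constructed sample log lines. The "YYYY-MM-DD HH:MM:SS host message"
# layout is an assumption; real exports may differ in timestamp format.
SAMPLE_LOG = """\
2025-04-09 10:02:14 ivanti-gw ERROR31093: Program web recently failed.
2025-04-09 10:02:20 ivanti-gw Info: Program web restarted
2025-04-09 10:03:02 ivanti-gw ERROR31093: Program web recently failed.
2025-04-09 10:03:40 ivanti-gw ERROR31093: Program web recently failed.
2025-04-09 14:30:00 ivanti-gw ERROR31093: Program web recently failed.
"""


def parse_crashes(log_text):
    """Return sorted timestamps of every web-process crash in the log."""
    events = []
    for line in log_text.splitlines():
        if CRASH_RE.search(line):
            events.append(datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"))
    return sorted(events)


def find_crash_bursts(events, window_minutes=10, threshold=2):
    """Group crashes into bursts of at least `threshold` events whose
    timestamps all fall within `window_minutes` of the burst's first event.
    Returns (first_ts, last_ts, count) per burst; lone crashes are skipped
    because a single failure may be incidental."""
    window = timedelta(minutes=window_minutes)
    bursts, i = [], 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1] - events[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((events[i], events[j], j - i + 1))
        i = j + 1
    return bursts


def detect(log_text, window_minutes=10, threshold=2):
    """Convenience wrapper: raw log text -> list of crash bursts."""
    return find_crash_bursts(parse_crashes(log_text), window_minutes, threshold)


if __name__ == "__main__":
    for first, last, count in detect(SAMPLE_LOG):
        print(f"ALERT: {count} web crashes between {first} and {last}")
```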

πŸ” How It Works

The script sends a long X-Forwarded-For header to vulnerable .cgi endpoints. It supports two modes:

Quick Mode (default)

  • Fingerprints the target and grabs the version
  • Determines vulnerability from the reported version alone; no attempt is made to trigger the buffer overflow.

Detailed Mode

  • Sends a pre-check request and expects HTTP 200.
  • Sends the crash payload and expects no response.
  • Sends a follow-up request to ensure the crash wasn’t incidental.
  • Only if all three steps behave as expected is the system marked as vulnerable.

🛠 Usage

Install requirements:

pip install requests

Scan a single target

python cve_2025_22457_check.py --target https://example.com

Use detailed mode

python cve_2025_22457_check.py --target https://example.com --mode detailed

Scan a list of targets from file

python cve_2025_22457_check.py --input targets.txt --mode detailed

Output results to a file

python cve_2025_22457_check.py --input targets.txt --mode detailed --output vulnerable.txt

📌 How It Works

The default path /dana-na/auth/url_default/welcome.cgi can be changed by Ivanti administrators, which may result in false negatives.

A secondary hardcoded path /dana-na/setup/psaldownload.cgi is included, which cannot be modified and still triggers the vulnerability. Any .cgi endpoint appears potentially affected.

✅ Example Output

Pre-check successful (HTTP 200)
No response to payload (expected crash behavior).
Follow-up request returned HTTP 200. Crash condition verified.
VULNERABLE: https://example.com/dana-na/setup/psaldownload.cgi
