漏洞平台

POC详情： 3b15e91d8a06ee852ce5640c1d547445fa117548

来源

https://github.com/securekomodo/CVE-2025-22457

关联漏洞

标题： Ivanti Connect Secure 安全漏洞 (CVE-2025-22457)
描述：Ivanti Connect Secure（ICS）是美国Ivanti公司的一款安全远程网络连接工具。 Ivanti Connect Secure存在安全漏洞，该漏洞源于栈缓冲区溢出，可能导致远程代码执行。

描述

CVE-2025-22457: Python Exploit POC Scanner to Detect Ivanti Connect Secure RCE

介绍

# CVE-2025-22457
CVE-2025-22457: Python Exploit POC Scanner to Detect Ivanti Connect Secure RCE

<img width="947" alt="image" src="https://github.com/user-attachments/assets/51b82d3e-cdb9-4587-918f-f6a4e2471eaf" />



This script helps identify Ivanti Connect Secure, Policy Secure, or ZTA Gateways that may be vulnerable to **CVE-2025-22457**, a critical unauthenticated stack-based buffer overflow in the web process triggered via a crafted `X-Forwarded-For` header. It can also identify the remote targets version based on scraping the version information from the HTTP response.

> Inspired by early work to build a [Nuclei template](https://github.com/projectdiscovery/nuclei-templates/pull/11895), this script was created after discovering that Nuclei could not handle cases where **no response is received from the target**, which is essential to reliably detect this issue.

## 📖 Background

Original research and disclosure:
- [watchTowr Labs Blog](https://labs.watchtowr.com/is-the-sofistication-in-the-room-with-us-x-forwarded-for-and-ivanti-connect-secure-cve-2025-22457)

- [Redline Blog](www.redlinecybersecurity.com/blog/cve-2025-22457-python-scanner-to-detect-ivanti-connect-secure-rce)

Shodan Query: `http.favicon.hash:-485487831`

*4,260 Results as of April 9, 2025*


When the payload is successful, the target system logs:
`ERROR31093: Program web recently failed.`


This can be used to build log-based detections in addition to the scan.

## 🔍 How It Works

The script sends a long `X-Forwarded-For` header to vulnerable `.cgi` endpoints. It supports two modes:

### Quick Mode (default)
- Fingerprints the target and grabs the version
- Determines if vulnerable based on version only, no attempt at triggering buffer overflow.

### Detailed Mode
- Sends a pre-check request and expects HTTP 200.
- Sends the crash payload and expects **no response**.
- Sends a follow-up request to ensure the crash wasn’t incidental.
- Only if all three steps behave as expected is the system marked as **vulnerable**.

## 🛠 Usage

Install requirements:
```bash
pip install requests
```

### Scan a single target
```bash
python cve_2025_22457_check.py --target https://example.com
```

### Use detailed mode
```bash
python cve_2025_22457_check.py --target https://example.com --mode detailed
```

### Scan a list of targets from file
```bash
python cve_2025_22457_check.py --input targets.txt --mode detailed
```

### Output results to a file
```bash
python cve_2025_22457_check.py --input targets.txt --mode detailed --output vulnerable.txt
```

## 📌 How It Works
The default path `/dana-na/auth/url_default/welcome.cgi` **can be changed** by Ivanti administrators and may result in false negatives.

A secondary hardcoded path `/dana-na/setup/psaldownload.cgi` is included, which **cannot be modified** and still triggers the vulnerability. Any `.cgi` endpoint appears potentially affected.

## ✅ Example Output
```bash
Pre-check successful (HTTP 200)
No response to payload (expected crash behavior).
Follow-up request returned HTTP 200. Crash condition verified.
VULNERABLE: https://example.com/dana-na/setup/psaldownload.cgi
```

文件快照


 [4.0K]  /data/pocs/3b15e91d8a06ee852ce5640c1d547445fa117548
├── [7.8K]  CVE-2025-22457.py
└── [3.1K]  README.md

0 directories, 2 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。