Safely detect if an Ivanti server is vulnerable to CVE-2025-0282# CVE-2025-0282-check
Safely detect if an Ivanti server is vulnerable to CVE-2025-0282. Refer to our [blog post](https://bishopfox.com/blog/analysis-and-scanner-for-ivanti-cve-2025-0282) for more details.
## Usage
```
./scan-cve-2025-0282.py <SCHEME://HOST[:PORT]>
```
If you don't specify the port, it will default to 443.
```
$ ./scan-cve-2025-0282.py https://192.168.50.208
https://192.168.50.208:443: Vulnerable
$ ./scan-cve-2025-0282.py https://192.168.50.135
https://192.168.50.135:443: Patched
$ ./scan-cve-2025-0282.py https://192.168.50.47
https://192.168.50.47:443: Version 9.1.12.6427 is not affected
```
Use `parallel` to scan multiple targets in one go. Put each target on a separate line and save it to `targets.txt`, then run the following (`-j` controls how many threads are run in parallel):
```
$ cat targets.txt | parallel -j 10 './scan-cve-2025-0282.py {}'
https://192.168.50.208:443: Vulnerable
https://192.168.50.135:443: Patched
https://192.168.50.47:443: Version 9.1.12.6427 is not affected
```
## How it works
Patched systems restrict the size of multiple fields in the clientInfo string, even though CVE-2025-0282 can only be triggered through clientCapabilties. As a result, we can just look for an error response when validation fails on a patched system. Patched systems return an ERROR, and unpatched systems will timeout waiting for the client to perform EAP authentication.
[4.0K] /data/pocs/4effed4b1f566cf3540a6e401394061cf03a1667
├── [ 34K] LICENSE
├── [1.4K] README.md
└── [3.6K] scan-cve-2025-0282.py
0 directories, 3 files