POC details: e335e79d62d8587ee91c612fef1c846479d761a6

Source
Related vulnerability
Title: Ivanti Connect Secure security vulnerability (CVE-2025-22457)
Description: Ivanti Connect Secure (ICS) is a secure remote network access product from the US company Ivanti. Ivanti Connect Secure contains a security vulnerability caused by a stack-based buffer overflow that can lead to remote code execution.
Description
Prevent CVE-2025-22457 and other security problems with Juniper/Ivanti Connect Secure SSL VPN
Introduction
# ivantiunlocker
Prevent CVE-2025-22457 and other security problems with Juniper/Ivanti Connect Secure SSL VPN

Many security issues have surfaced around SSL VPN appliances recently; you can no longer assume yours is safe. And then came CVE-2025-22457!
Read the story behind it: https://labs.watchtowr.com/is-the-sofistication-in-the-room-with-us-x-forwarded-for-and-ivanti-connect-secure-cve-2025-22457/
A single unauthenticated request with an oversized `X-Forwarded-For` header is enough to trigger the overflow:

```http
POST / HTTP/1.1
X-Forwarded-For: 1111111111111111111111111111111...
```

That opens the door to your appliance!

See the working exploit: https://github.com/sfewer-r7/CVE-2025-22457

We have a PSA3000 and there is no firmware update available that fixes this problem, so it is obvious that Ivanti wants to push you to buy
new devices such as the ISA6000 for USD 10,000+. You could buy one, and the next security issue would hit that device anyway.

But we found a way to get out of the hamster wheel: put a network gate in front of the SSL VPN appliance, enforced by strict firewall rules.
You can do this the hard way with an additional OpenVPN or WireGuard server, or in a softer way that is more comfortable for your users.
Our approach is easy to implement, easy to use and highly effective, because an attacker who does not know the unlock secret never reaches the
appliance at all and therefore can neither fingerprint it nor connect to it.

The gateway is a simple web server written in Python that listens on HTTPS port 443 in place of the SSL VPN and presents the visitor with a password entry box. When the correct password
is entered, the visitor's source IP gets FORWARD/PREROUTING firewall entries and can immediately reach the SSL VPN device on the same URL and port.
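The following is an added example of that unlock flow, written for this page; it is not the repository's `unlock_web.py`, and the appliance address, interface name, chain layout (PREROUTING DNAT plus a FORWARD accept) and password are assumptions for illustration. It adds three things the paragraph does not spell out: the password is compared as a salted PBKDF2 hash in constant time, wrong guesses are rate-limited per source IP, and allow entries expire, since one entry admits every host behind that public IP.

```python
"""Password-gated firewall "unlock" in front of an SSL VPN appliance (added example)."""
import hashlib
import hmac
import ipaddress
import subprocess
import time
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Deployment values below are assumptions for this example, not taken from unlock_web.py.
VPN_APPLIANCE_IP = "10.0.0.10"      # assumed: appliance address behind the gateway
WAN_IFACE = "eth0"                  # assumed: interface the visitors arrive on
UNLOCK_TTL = 8 * 3600               # seconds an unlocked IP stays open before its rules are removed
MAX_FAILURES, FAIL_WINDOW = 5, 600  # brute-force brake: 5 wrong passwords per 10 minutes per IP

# The unlock password is stored as salt + PBKDF2-SHA256, never in clear text (constructed values).
PW_SALT = b"constructed-salt-change-me"
PW_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", PW_SALT, 100_000)


def password_ok(candidate: str) -> bool:
    """Hash the submitted password the same way and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), PW_SALT, 100_000)
    return hmac.compare_digest(digest, PW_HASH)


def unlock_rules(client_ip: str, add: bool = True) -> list:
    """iptables argv lists that open (add=True) or close (add=False) the gate for one source IP.
    PREROUTING DNATs this IP's port-443 packets to the appliance instead of the local gateway socket;
    FORWARD accepts them. Assumes net.ipv4.ip_forward=1, a base ESTABLISHED,RELATED rule for replies,
    and that the appliance routes replies back through this host (else add POSTROUTING MASQUERADE)."""
    ip = str(ipaddress.ip_address(client_ip))  # raises ValueError on anything that is not an IP
    op = "-I" if add else "-D"
    return [
        ["iptables", "-t", "nat", op, "PREROUTING", "-i", WAN_IFACE, "-s", ip, "-p", "tcp",
         "--dport", "443", "-j", "DNAT", "--to-destination", f"{VPN_APPLIANCE_IP}:443"],
        ["iptables", op, "FORWARD", "-i", WAN_IFACE, "-s", ip, "-d", VPN_APPLIANCE_IP,
         "-p", "tcp", "--dport", "443", "-j", "ACCEPT"],
    ]


class Gate:
    """Tracks unlocked IPs with expiry; `run` executes iptables commands (injectable for tests)."""

    def __init__(self, run=subprocess.run):
        self.run = run
        self.unlocked = {}  # ip -> expiry timestamp
        self.failures = {}  # ip -> timestamps of recent wrong passwords

    def attempt(self, client_ip: str, password: str, now=None) -> bool:
        now = time.time() if now is None else now
        self.expire(now)
        recent = [t for t in self.failures.get(client_ip, []) if now - t < FAIL_WINDOW]
        if len(recent) >= MAX_FAILURES:
            self.failures[client_ip] = recent
            return False  # locked out for the window, even with the right password
        if not password_ok(password):
            self.failures[client_ip] = recent + [now]
            return False
        self.failures.pop(client_ip, None)
        if client_ip not in self.unlocked:  # do not stack duplicate rules on repeat logins
            for cmd in unlock_rules(client_ip, add=True):
                self.run(cmd, check=True)
        self.unlocked[client_ip] = now + UNLOCK_TTL
        return True

    def expire(self, now) -> None:
        """Drop firewall entries whose TTL has passed; one entry admits everyone behind that IP."""
        for ip, until in list(self.unlocked.items()):
            if until <= now:
                for cmd in unlock_rules(ip, add=False):
                    self.run(cmd, check=False)
                del self.unlocked[ip]


GATE = Gate()
FORM = b'<form method="post"><input type="password" name="pw" autofocus> <button>Unlock</button></form>'


class UnlockHandler(BaseHTTPRequestHandler):
    """GET shows the password box; a correct POST opens the gate for the requesting IP."""

    def do_GET(self):
        self._reply(HTTPStatus.OK, FORM)

    def do_POST(self):
        length = min(int(self.headers.get("Content-Length") or 0), 4096)
        form = parse_qs(self.rfile.read(length).decode("utf-8", "replace"))
        if GATE.attempt(self.client_address[0], form.get("pw", [""])[0]):
            # HTTP/1.0 replies close the socket, so the browser's next connection is DNATed.
            self._reply(HTTPStatus.OK, b"Unlocked. Reload this page to reach the VPN login.")
        else:
            self._reply(HTTPStatus.FORBIDDEN, FORM)

    def _reply(self, status, body: bytes):
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    import ssl
    server = HTTPServer(("0.0.0.0", 443), UnlockHandler)  # IPv4 only, matching the iptables rules
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain("gateway.pem")  # assumed: your own certificate for the gateway hostname
    server.socket = ctx.wrap_socket(server.socket, server_side=True)
    server.serve_forever()
```

The gateway must run as root (or with CAP_NET_ADMIN) to edit iptables, and the expiry sweep only runs on the next login attempt; a periodic call to `GATE.expire(time.time())` from a timer is the obvious addition for a real deployment.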

<img src="./Example-Password-entry.png">

This is just one possible approach. You could also use username/password combinations, a PIN pad, client certificates, 2FA via Authelia, etc.
In the end, though, the gate has to be enforced with firewall rules, because SSL VPN appliances do not work properly when TLS is terminated somewhere else in front of them.
This is also the only way to hide the appliance from attackers completely, which takes the sting out of future pre-auth CVEs against it. Keep in mind that the small gateway is now your exposed surface (keep it minimal and patched) and that an allow entry covers every host behind the visitor's public IP, so entries should expire.
File snapshot

[4.0K] /data/pocs/e335e79d62d8587ee91c612fef1c846479d761a6
├── [9.5K] Example-Password-entry.png
├── [2.0K] README.md
└── [9.0K] unlock_web.py

0 directories, 3 files