
CVE-2025-22457 PoC — Ivanti Connect Secure Security Vulnerability

Source
Associated Vulnerability
Title: Ivanti Connect Secure Security Vulnerability (CVE-2025-22457)
Description: Ivanti Connect Secure (ICS) is a secure remote network access product from the US company Ivanti. Ivanti Connect Secure contains a security vulnerability caused by a stack-based buffer overflow, which can lead to remote code execution.
Description
Prevent CVE-2025-22457 and other security problems with Juniper/Ivanti Secure Connect SSL VPN
Readme
# ivantiunlocker
Prevent CVE-2025-22457 and other security problems with Juniper/Ivanti Secure Connect SSL VPN

There have been many security issues around SSL VPN devices recently; you can no longer assume the appliance in front of your network is safe. And then there is CVE-2025-22457!
Read the story behind it: https://labs.watchtowr.com/is-the-sofistication-in-the-room-with-us-x-forwarded-for-and-ivanti-connect-secure-cve-2025-22457/
A single unauthenticated request carrying an oversized X-Forwarded-For header is enough to trigger the stack-based buffer overflow:

```http
POST / HTTP/1.1
X-Forwarded-For: 1111111111111111111111111111111...
```

and that opens the door to your appliance.

See the working exploit: https://github.com/sfewer-r7/CVE-2025-22457

We run a PSA3000, and no firmware update is available to fix this problem, so Ivanti is evidently pushing you to buy new devices such as the ISA6000 for 10,000 USD and more.
Buy one, and the next security issue will happen anyway.

But we found a way to get out of the hamster wheel. You need a network gate in front of the SSL VPN appliance, enforced by solid firewall rules.
You can do this the hard way, with an additional OpenVPN or WireGuard server that visitors must connect to first, or in a softer manner that is more comfortable for your visitors.
Our approach is easy to implement, easy to use and highly efficient: until a visitor has unlocked, the appliance cannot be reached or even fingerprinted from that address; all an attacker sees is the gateway's password page.

The gateway is a small Python web server that listens on HTTPS port 443 in place of the SSL VPN and presents the visitor with a password entry box. When the correct password is entered,
the visitor's IP address gets FORWARD/PREROUTING firewall entries, and from then on the visitor reaches the SSL VPN device at the same URL and port. Until then, port 443 terminates at the gateway and the appliance is unreachable from that address.
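The gate described in the two paragraphs above, as an added example written here in Python (the language of the project) and not the project's own unlock_web.py: a password page on 443 that, on a correct password, adds the PREROUTING DNAT and FORWARD rules for the visitor's TCP peer address, lets those rules expire, and locks an address out after repeated wrong passwords. APPLIANCE_IP, WAN_IF, the certificate paths and the UNLOCK_PASSWORD environment variable are assumptions, as are a base FORWARD rule accepting ESTABLISHED,RELATED traffic and a route from the appliance back through this host.

```python
# Added example, not the project's unlock_web.py; APPLIANCE_IP, WAN_IF, cert paths and UNLOCK_PASSWORD are assumed.
import hashlib
import hmac
import http.server
import ipaddress
import os
import ssl
import subprocess
import time
import urllib.parse

APPLIANCE_IP = "10.0.0.10"  # assumed: SSL VPN appliance behind the gateway
WAN_IF = "eth0"             # assumed: interface facing the Internet
ALLOW_SECONDS = 8 * 3600    # how long an unlocked IP stays open
MAX_FAILURES = 5            # wrong passwords per IP before a lockout
LOCKOUT_SECONDS = 900

def hash_password(password: str, salt: bytes) -> bytes:
    # only a salted PBKDF2 hash of the unlock password is kept, never the plaintext
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Gateway:
    def __init__(self, salt, pw_hash, run=lambda argv: subprocess.run(argv, check=True), clock=time.time):
        self.salt, self.pw_hash, self.run, self.clock = salt, pw_hash, run, clock
        self.unlocked = {}  # ip -> expiry timestamp
        self.failures = {}  # ip -> (count, locked_until)

    def rules(self, ip: str) -> list:
        # DNAT in PREROUTING rewrites the unlocked client's :443 packets to the appliance before the
        # gateway's own listener sees them; FORWARD lets them through (return path via an ESTABLISHED rule).
        base = f"-i {WAN_IF} -s {ip} -p tcp --dport 443"
        return [f"iptables -t nat -A PREROUTING {base} -j DNAT --to-destination {APPLIANCE_IP}:443".split(),
                f"iptables -A FORWARD {base} -d {APPLIANCE_IP} -j ACCEPT".split()]

    def unlock(self, peer_ip: str, password: str) -> bool:
        # peer_ip must be the TCP peer address; X-Forwarded-For is attacker-controlled
        try:
            ip = str(ipaddress.IPv4Address(peer_ip))  # garbage never reaches iptables
        except ValueError:
            return False  # IPv6 would need ip6tables rules; not handled here
        now = self.clock()
        count, locked_until = self.failures.get(ip, (0, 0.0))
        if now < locked_until:
            return False
        if not hmac.compare_digest(hash_password(password, self.salt), self.pw_hash):
            count += 1
            self.failures[ip] = (0, now + LOCKOUT_SECONDS) if count >= MAX_FAILURES else (count, 0.0)
            return False
        self.failures.pop(ip, None)
        if ip not in self.unlocked:  # unlocking again only extends the expiry
            for argv in self.rules(ip):
                self.run(argv)
        self.unlocked[ip] = now + ALLOW_SECONDS
        return True

    def expire(self) -> list:
        # delete the rules of every IP whose unlock has run out and return those IPs
        now = self.clock()
        gone = [ip for ip, until in self.unlocked.items() if now >= until]
        for ip in gone:
            for argv in self.rules(ip):
                self.run(["-D" if a == "-A" else a for a in argv])
            del self.unlocked[ip]
        return gone

class UnlockHandler(http.server.BaseHTTPRequestHandler):
    gateway: Gateway = None  # set in main()

    def do_GET(self):
        self._reply(200, b'<form method="post"><input type="password" name="pw"><input type="submit" value="Unlock"></form>')

    def do_POST(self):
        length = max(0, min(int(self.headers.get("Content-Length") or 0), 4096))  # cap the body
        pw = urllib.parse.parse_qs(self.rfile.read(length).decode(errors="replace")).get("pw", [""])[0]
        ok = self.gateway.unlock(self.client_address[0], pw)  # TCP peer address, never a header
        self._reply(200 if ok else 403, b"Unlocked, reload this URL to reach the VPN." if ok else b"Denied.")

    def _reply(self, code: int, body: bytes):
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def main():  # TLS on 443 in place of the appliance; certificate paths are assumed
    salt = os.urandom(16)
    UnlockHandler.gateway = Gateway(salt, hash_password(os.environ["UNLOCK_PASSWORD"], salt))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain("/etc/ivantiunlocker/cert.pem", "/etc/ivantiunlocker/key.pem")
    httpd = http.server.HTTPServer(("0.0.0.0", 443), UnlockHandler)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.timeout = 60  # handle_request() returns after 60 s idle, so expiry also runs when nobody visits
    while True:
        httpd.handle_request()
        UnlockHandler.gateway.expire()

if __name__ == "__main__":
    main()
```

Run it as root with UNLOCK_PASSWORD set. Two design points matter more than the form itself: the visitor is identified by the TCP peer address and never by X-Forwarded-For (the very header behind this CVE), and the address is parsed as an IPv4 address before it is placed into an iptables command, so a crafted peer string cannot become extra rule arguments. If the appliance's default route does not lead back through the gateway, a POSTROUTING MASQUERADE rule for the forwarded traffic is needed as well.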

<img src="./Example-Password-entry.png">

This is just one possible approach. You could also use user/password combinations, a PIN pad, user certificates, 2FA with Authelia, etc.
But in the end the gate has to be enforced by firewall rules, because SSL VPN appliances generally do not tolerate having SSL/TLS terminated somewhere else; the visitor's TLS session must still end on the appliance itself.
Only this way is the appliance completely hidden from unauthenticated attackers, which takes the sting out of future pre-authentication CVEs: a request like the one above cannot be delivered to an appliance that cannot be reached. It does not help against someone who already holds the unlock password, or against bugs that are reachable only after VPN login.
File Snapshot

[4.0K] /data/pocs/e335e79d62d8587ee91c612fef1c846479d761a6
├── [9.5K] Example-Password-entry.png
├── [2.0K] README.md
└── [9.0K] unlock_web.py

0 directories, 3 files
Shenlong Bot has cached this for you