CVE-2025-0282 | Ivanti | RCE

Vulnerability: CVE-2025-0282
Type: Stack-Based Buffer Overflow Leading to Remote Code Execution (RCE)
Description: CVE-2025-0282 is a critical stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. It allows unauthenticated remote attackers to execute arbitrary code on affected systems. The flaw resides in the handling of specific TLS connections, particularly within the /home/bin/web binary responsible for processing incoming HTTP and VPN requests. Exploitation can lead to full system compromise.
The Impact of the Bug: Successful exploitation grants attackers the ability to execute arbitrary commands with elevated privileges, potentially leading to full control over the affected device. This vulnerability has been actively exploited in the wild, notably in attacks against organizations in Japan, where threat actors deployed web shells and the DslogdRAT malware. The malware establishes persistent access, communicates with command-and-control servers, and can perform actions such as file uploads/downloads, command execution, and proxy operations.
How to detect whether your deployment is vulnerable to this attack vector:
1. Identify Affected Versions:
- Ivanti Connect Secure versions before 22.7R2.5
- Ivanti Policy Secure versions before 22.7R1.2
- Ivanti Neurons for ZTA gateways before 22.7R2.3

2. Use Ivanti’s Integrity Checker Tool (ICT):
- Run the ICT to detect signs of compromise or unauthorized modifications.

3. Monitor for Indicators of Compromise (IoCs):
- Presence of unusual Perl CGI scripts, especially in /home/webserver/htdocs/dana-na/cc/ccupdate.cgi
- Connections to known malicious IP addresses, such as 3.112.192[.]119
- Unexpected processes or network activities during off-hours, which may indicate DslogdRAT activity.

4. Analyze System Logs:
- Look for anomalies or errors in system and application logs that could suggest exploitation attempts.

5. Utilize Available PoC Exploits for Testing:
- Refer to the following repositories for proof-of-concept exploits:
  - https://github.com/absholi7ly/CVE-2025-0282-Ivanti-exploit
  - https://github.com/watchtowrlabs/CVE-2025-0282
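As an added defender-side illustration of steps 1 and 3, not code from this entry's sources or from Ivanti: a small Python script that compares a running build string against the first fixed releases listed above and scans a log or file listing for the two indicators quoted above (the CGI path and the defanged IP). The version-string shape (major.minorRrelease.patch) is an assumption, and the sample lines are constructed; the script is a first-pass triage aid and does not replace the Integrity Checker Tool.

```python
import re
from typing import List, Tuple

# First patched release for each product, as stated in the entry above.
FIXED_VERSIONS = {
    "Ivanti Connect Secure": "22.7R2.5",
    "Ivanti Policy Secure": "22.7R1.2",
    "Ivanti Neurons for ZTA gateways": "22.7R2.3",
}

# Indicators of compromise quoted in the entry above (the IP is kept defanged).
IOC_PATHS = ["/home/webserver/htdocs/dana-na/cc/ccupdate.cgi"]
IOC_IPS = ["3.112.192[.]119"]

# Assumption: Ivanti build strings have the shape <major>.<minor>R<release>[.<patch>].
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch component counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the running build is older than the first fixed release for that product."""
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])


def fang(indicator: str) -> str:
    """Convert a defanged IoC such as '3.112.192[.]119' back to a matchable literal."""
    return indicator.replace("[.]", ".")


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, indicator) for every line mentioning a known IoC.

    IP matches are anchored so that '3.112.192.119' does not match inside '13.112.192.119'.
    """
    hits: List[Tuple[int, str, str]] = []
    ip_patterns = [
        (ip, re.compile(r"(?<![\d.])" + re.escape(fang(ip)) + r"(?![\d.])"))
        for ip in IOC_IPS
    ]
    for number, line in enumerate(lines, start=1):
        for path in IOC_PATHS:
            if path in line:
                hits.append((number, "path", path))
        for ip, pattern in ip_patterns:
            if pattern.search(line):
                hits.append((number, "ip", ip))
    return hits


# Constructed sample telemetry for demonstration; not real appliance output.
SAMPLE_LINES = [
    "2025-01-10T02:13:44Z web: GET /dana-na/auth/url_default/welcome.cgi 200",
    "2025-01-10T02:14:02Z find: /home/webserver/htdocs/dana-na/cc/ccupdate.cgi mtime=2025-01-10",
    "2025-01-10T02:14:10Z conntrack: tcp 10.0.0.5:51234 -> 3.112.192.119:443 ESTABLISHED",
    "2025-01-10T02:14:11Z conntrack: tcp 10.0.0.5:51235 -> 13.112.192.119:443 ESTABLISHED",
    "2025-01-10T02:15:00Z web: POST /dana-na/auth/url_default/login.cgi 302",
]


if __name__ == "__main__":
    for product, build in [("Ivanti Connect Secure", "22.7R2.4"),
                           ("Ivanti Policy Secure", "22.7R1.2")]:
        state = "VULNERABLE" if is_vulnerable(product, build) else "patched"
        print(f"{product} {build}: {state}")
    for number, kind, indicator in scan_lines(SAMPLE_LINES):
        print(f"line {number}: {kind} IoC matched ({indicator})")
```

The version comparison is a plain tuple comparison, so a build reported without a patch component (for example 22.7R2) is treated as older than 22.7R2.5 and flagged; that is the conservative choice for triage. Feed `scan_lines` the output of a file listing or connection log from the appliance rather than the constructed sample when using it for real.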
References:
- NVD CVE-2025-0282
- Ivanti Security Advisory
- CISA Mitigation Instructions
- The Hacker News Report
- WatchTowr Labs Exploitation Walkthrough
- GitHub PoC by absholi7ly