Unauthenticated RCE in Ivanti Connect Secure, Policy Secure, and ZTA Gateways

This repository contains a working exploit for CVE-2025-22457, a critical unauthenticated remote code execution vulnerability affecting Ivanti Connect Secure, Policy Secure, ZTA Gateways, and Pulse Connect Secure appliances. The exploit is implemented in Ruby (CVE-2025-22457.rb) and is accompanied by a detailed README.md explaining affected versions, exploitation steps, and mitigation advice. The exploit works by sending crafted HTTP/HTTPS requests to the target's web interface, fingerprinting the product version, and then performing a heap spray and buffer overflow attack against the /home/bin/web process, leveraging ROP gadgets in /home/lib/libdsplibs.so. The attacker must provide their own IP and port for the reverse shell payload, which is a standard bash reverse shell. The exploit brute-forces the base address of the target library unless provided directly, and can be tuned for the number of web child processes on the appliance. The code is operational and provides a real reverse shell if successful, but requires the attacker to have network access to the target's HTTPS port and to set up a listener. The exploit is not part of a framework and is a standalone PoC with a customizable payload. The endpoints targeted are the Ivanti web interface and specific internal files/processes on the appliance.

This repository contains a proof-of-concept (PoC) exploit for CVE-2025-22457, a remote unauthenticated stack-based buffer overflow affecting Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways (version 22.7r2.4). The main exploit is implemented in Ruby (CVE-2025-22457-main/CVE-2025-22457.rb) and leverages a network-based attack vector over HTTPS. The exploit works by brute-forcing the base address of a shared library (libdsplibs.so) and performing heap spraying to ensure reliable exploitation across multiple web child processes. Upon successful exploitation, the script executes a user-supplied payload (default: a bash reverse shell) on the target, granting remote shell access as the 'nr' user. The repository includes detailed usage instructions, debugging tips, and information about the target environment. No detection scripts or fake code are present; this is a functional PoC exploit.

This repository contains a proof-of-concept (PoC) exploit for CVE-2025-22457, a remote unauthenticated stack-based buffer overflow in Ivanti Connect Secure, Pulse Connect Secure, Policy Secure, and ZTA Gateway appliances (specifically version 22.7.2.3597). The exploit is implemented in Ruby (CVE-2025-22457.rb) and is designed to achieve remote code execution by sending crafted HTTPS requests to the target's web interface. The exploit brute-forces the base address of a shared library (libdsplibs.so) to construct a ROP chain, ultimately executing a user-supplied shell command (by default, a bash reverse shell). The attacker must provide the target's IP, port, and their own listener IP/port. The exploit includes options to tune the number of web child processes and the base address for more efficient exploitation. The ReadMe.md provides detailed usage instructions, expected results (reverse shell as 'nr' user), and technical background. The main attack vector is network-based, targeting the HTTPS service on the appliance. Notable endpoints include the version fingerprinting CGI and the use of internal binaries and libraries for exploitation.