Unauthenticated RCE in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Gateway
CVE-2025-0282 is a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure before 22.7R2.5, Ivanti Policy Secure before 22.7R1.2, and Ivanti Neurons for ZTA gateways before 22.7R2.3. The flaw is reachable remotely and does not require authentication. Successful exploitation allows a remote attacker to execute arbitrary code or commands on the vulnerable appliance. The issue is identified as actively exploited in the wild, including exploitation of Ivanti Connect Secure as a zero-day beginning in mid-December 2024.
Exploits
8 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
Repository contains a Python exploit script and a PHP web shell targeting CVE-2025-0282 (Ivanti Connect Secure/Policy Secure/Neurons for ZTA gateways). Structure: (1) CVE-2025-0282.py is the main entry point; it crafts a stack-based buffer overflow payload using hard-coded addresses (system_address=0x0804a360, command_address=0x0804b008) and sends it via a raw TLS socket to TCP/443, issuing an HTTP POST to /dana-na/auth/url_default/welcome.cgi. After attempting RCE, it uploads a persistent web shell by echoing the contents of a local PHP file to /shell.php, then verifies and uses the shell for interactive command execution. The script also includes post-exploitation/defense-evasion routines: toggling SELinux, editing /etc/rsyslog.conf and restarting rsyslog to reduce forwarding, remounting / as RW/RO, attempting to remove log lines from /var/log/*, and disabling apt-daily updates. (2) shell.php is a simple command-execution web shell (uses shell_exec) intended to be dropped on the target. (3) README.md describes the vulnerability and basic usage. Overall purpose: unauthenticated network-based RCE attempt leading to web-shell deployment and follow-on command execution on the appliance.
This repository contains a functional exploit for CVE-2025-0282, a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. The main exploit script (CVE-2025-0282.py) is written in Python and targets the vulnerable endpoint '/dana-na/auth/url_default/welcome.cgi' over HTTPS (port 443). It crafts a payload to exploit the buffer overflow, allowing arbitrary command execution. The script's primary function is to upload a PHP web shell (shell.php) to the target system, enabling persistent remote command execution via HTTP requests. Additional post-exploitation features include disabling SELinux, preventing syslog forwarding, remounting drives, removing exploit traces from logs, and disabling system updates. The repository structure is straightforward: the Python exploit script, a PHP web shell, and a README.md with usage instructions and vulnerability details. The exploit is operational and provides a web shell payload, making it a significant threat if used against unpatched systems.
This repository contains an exploit for CVE-2025-0282 targeting Ivanti products (likely Connect Secure or similar). The main exploit script, 'CVE_2025_0282_Ivanti.py', is a Python program that performs a buffer overflow attack against the '/dana-na/auth/url_default/welcome.cgi' endpoint over HTTPS (port 443). The exploit crafts a payload to execute arbitrary commands on the target, specifically to upload a PHP web shell ('shell.php') to the root directory of the web server. Once the shell is uploaded, the script verifies its accessibility and allows the attacker to execute further commands via HTTP POST requests to '/shell.php'. The script also includes functions (some commented out) to disable SELinux, prevent syslog forwarding, remount the filesystem, and remove log entries, indicating post-exploitation capabilities. The repository structure is straightforward: the main Python exploit, a simple PHP web shell, and a brief README. The exploit is operational, providing a working web shell and interactive command execution on vulnerable targets.
This repository contains a Python proof-of-concept exploit for CVE-2025-0282, a critical remote unauthenticated stack buffer overflow in Ivanti Connect Secure (version 22.7.2.3597/22.7r2.4). The exploit script (CVE-2025-0282.py) targets a vulnerable Ivanti VPN gateway over the network (typically port 443), detects the product version, and if compatible, sends a specially crafted payload using a ROP chain to achieve remote code execution. The payload creates a new root-level admin user ('admin'/'password') by appending entries to /etc/passwd and /etc/shadow. The exploit is operational and requires the target to be running the specific vulnerable version. The repository also includes a README.md with usage instructions and background information.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-0282, a remote unauthenticated stack-based buffer overflow affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. The main exploit file, 'CVE-2025-0282.rb', is a Ruby script that targets Ivanti Connect Secure version 22.7r2.4 (product version 22.7.2.3597). The exploit works by sending crafted network packets over HTTPS (typically port 443) to the target device, leveraging a ROP chain to achieve remote code execution as the non-root user 'nr'. Upon successful exploitation, the script creates a file in '/var/tmp/' on the target system, with the filename indicating the attempt number, to demonstrate code execution. The exploit requires the attacker to specify the target IP and port. The repository also includes a detailed README explaining the vulnerability, exploitation process, and usage instructions. No weaponized or post-exploitation payloads are included; the exploit is strictly a PoC for demonstrating code execution.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-0282, a pre-authentication remote code execution vulnerability in the Ivanti Connect Secure (formerly Pulse Secure) VPN appliance. The exploit is based on a modified version of the openconnect VPN client, with additional code to trigger the stack overflow in the IFT TLS stack. The repository is structured as a full source tree for openconnect, with the exploit logic integrated into the main client code (notably in main.c and array.c). The PoC operates in two modes: 'normal' (to verify connectivity and authentication) and 'exploit' (to trigger the vulnerability). The exploit requires manual adjustment of hardcoded addresses and offsets to match the target environment, and is not fully weaponized. The attack vector is network-based, targeting the VPN's HTTPS service on port 443. The repository also includes build scripts, Java JNI bindings, and documentation, but the core exploit logic is in C. No fake or destructive code was identified; the PoC is a legitimate exploit requiring technical adaptation for operational use.
This repository contains a Python-based proof-of-concept exploit for CVE-2025-0282, a critical remote code execution vulnerability in a network appliance exposing the /dana-na/auth/url_default/welcome.cgi endpoint. The exploit (exploit.py) is designed to send a crafted POST request to this endpoint, triggering a buffer overflow and enabling arbitrary code execution via a ROP chain and shellcode. The payload is generated using msfvenom or OpenAI, and the exploit attempts to establish a reverse shell connection to the attacker's machine (default 127.0.0.1:4444). Results of successful exploitation are stored in a local MongoDB database. The README.md provides detailed usage instructions, prerequisites, and technical background. The exploit is a PoC and requires several dependencies, including OpenAI API access and MongoDB. The repository structure is simple, with one main exploit script and a comprehensive README. The full code is not included; only partial code and instructions are provided, with the full version available upon request from the author.
This repository provides a working exploit for CVE-2025-0282, a critical remote command execution (RCE) vulnerability in Ivanti Connect Secure. The main exploit script, 'CVE_2025_0282_Ivanti.py', is a Python tool that leverages a buffer overflow in the '/dana-na/auth/url_default/welcome.cgi' endpoint over HTTPS (port 443) to execute arbitrary commands on the target system. The exploit first uploads a PHP web shell ('shell.php') to the root directory of the target, then provides an interactive interface for the attacker to execute further commands via the web shell. Additional post-exploitation features include disabling SELinux, preventing syslog forwarding, remounting the filesystem as read-write, removing exploit traces from logs, and disabling system updates. The repository contains five files: the main Python exploit, a PHP web shell, a README with usage instructions, a LICENSE, and a .gitignore. The exploit is operational, providing a real payload and post-exploitation capabilities, and targets Ivanti Connect Secure appliances vulnerable to CVE-2025-0282.
Recent activity
99 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A zero-day vulnerability in Ivanti Connect Secure devices reportedly exploited by the China-linked threat actor UNC5221 to enable compromise and subsequent deployment of the RESURGE implant.
A zero-day vulnerability affecting Ivanti Connect Secure devices that was exploited to deploy the RESURGE malware implant.
A critical stack-based buffer overflow (zero-day at time of discovery) affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways, used to gain initial access/foothold and enable remote code execution on targeted devices.
A vulnerability in Ivanti Connect Secure that threat actors exploited for initial access, leading to deployment of the RESURGE implant and related tooling on affected appliances.