|
69216 | 69216 | "session_types": false,
|
69217 | 69217 | "needs_cleanup": null
|
69218 | 69218 | },
|
| 69219 | + "exploit_linux/http/ivanti_connect_secure_stack_overflow_rce_cve_2025_22457": { |
| 69220 | + "name": "Ivanti Connect Secure Unauthenticated Remote Code Execution via Stack-based Buffer Overflow", |
| 69221 | + "fullname": "exploit/linux/http/ivanti_connect_secure_stack_overflow_rce_cve_2025_22457", |
| 69222 | + "aliases": [], |
| 69223 | + "rank": 500, |
| 69224 | + "disclosure_date": "2025-04-03", |
| 69225 | + "type": "exploit", |
| 69226 | + "author": [ |
| 69227 | + "Stephen Fewer", |
| 69228 | + "Christophe De La Fuente" |
| 69229 | + ], |
| 69230 | + "description": "This module exploits a Stack-based Buffer Overflow vulnerability in\n Ivanti Connect Secure to achieve remote code execution\n (CVE-2025-22457). Versions 22.7R2.5 and earlier are vulnerable. Note\n that Ivanti Pulse Connect Secure, Ivanti Policy Secure and ZTA gateways\n are also vulnerable but this module doesn't support this software. Heap\n spray is used to place our payload in memory at a predetermined\n location. Due to ASLR, the base address of `libdsplibs` is unknown.\n This library is used by the exploit to build a ROP chain and get\n command execution. As a result, the module will brute force this\n address starting from the address set by the `LIBDSPLIBS_ADDRESS`\n option.", |
| 69231 | + "references": [ |
| 69232 | + "CVE-2025-22457", |
| 69233 | + "URL-https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457", |
| 69234 | + "URL-https://attackerkb.com/topics/0ybGQIkHzR/cve-2025-22457/rapid7-analysis", |
| 69235 | + "URL-https://github.com/sfewer-r7/CVE-2025-22457" |
| 69236 | + ], |
| 69237 | + "platform": "Linux", |
| 69238 | + "arch": "cmd", |
| 69239 | + "rport": 443, |
| 69240 | + "autofilter_ports": [ |
| 69241 | + 80, |
| 69242 | + 8080, |
| 69243 | + 443, |
| 69244 | + 8000, |
| 69245 | + 8888, |
| 69246 | + 8880, |
| 69247 | + 8008, |
| 69248 | + 3000, |
| 69249 | + 8443 |
| 69250 | + ], |
| 69251 | + "autofilter_services": [ |
| 69252 | + "http", |
| 69253 | + "https" |
| 69254 | + ], |
| 69255 | + "targets": [ |
| 69256 | + "Unix/Linux Command Shell" |
| 69257 | + ], |
| 69258 | + "mod_time": "2025-05-15 12:10:53 +0000", |
| 69259 | + "path": "/modules/exploits/linux/http/ivanti_connect_secure_stack_overflow_rce_cve_2025_22457.rb", |
| 69260 | + "is_install_path": true, |
| 69261 | + "ref_name": "linux/http/ivanti_connect_secure_stack_overflow_rce_cve_2025_22457", |
| 69262 | + "check": true, |
| 69263 | + "post_auth": false, |
| 69264 | + "default_credential": false, |
| 69265 | + "notes": { |
| 69266 | + "Stability": [ |
| 69267 | + "crash-service-restarts" |
| 69268 | + ], |
| 69269 | + "Reliability": [ |
| 69270 | + "repeatable-session" |
| 69271 | + ], |
| 69272 | + "SideEffects": [ |
| 69273 | + "ioc-in-logs" |
| 69274 | + ] |
| 69275 | + }, |
| 69276 | + "session_types": false, |
| 69277 | + "needs_cleanup": null |
| 69278 | + }, |
69219 | 69279 | "exploit_linux/http/ivanti_csa_unauth_rce_cve_2021_44529": {
|
69220 | 69280 | "name": "Ivanti Cloud Services Appliance (CSA) Command Injection",
|
69221 | 69281 | "fullname": "exploit/linux/http/ivanti_csa_unauth_rce_cve_2021_44529",
|
|