CVE-2025-0282 Detection Script for Ivanti Connect Secure

Ryan Achmad
soc & sysadmin

This Python script is a Proof of Concept (PoC) tool designed to detect the presence of vulnerability CVE-2025-0282 in Ivanti Connect Secure appliances. The tool interacts with the Ivanti server over the IF-T/TLS protocol and determines whether the server is patched or remains vulnerable.

Note: The source code is here.

How It Works

The script follows these main steps to assess vulnerability:

  1. Version Check: The script starts by sending an HTTP request to a known endpoint (/dana-na/auth/url_admin/welcome.cgi?type=inter) on the Ivanti Connect Secure device. It extracts the product version from the server response using a regular expression:

    match = re.search(r'<PARAM NAME="ProductVersion"\s+VALUE="([0-9.]+)', resp.text)

    If the version matches a known vulnerable release (e.g., 22.7.2.*), the script proceeds to the next step. If the version is not affected, a message is displayed, and execution stops.

  2. IF-T/TLS Negotiation: The script attempts to initiate an IF-T/TLS session with the server by sending an HTTP Upgrade request:

    req += b"Upgrade: IF-T/TLS 1.0\r\n"

    If the server supports IF-T/TLS, it responds with a 101 Switching Protocols status code. A TLS connection is established, and further communication is conducted over this secure channel.

  3. Sending and Receiving IF-T Messages: The script sends specially crafted IF-T messages to the server, mimicking the process of EAP (Extensible Authentication Protocol) authentication. It then waits for the server’s response:

    payload = b"clientHostname=BishopFox"
    payload += b" clientIp=" + b"A" * 0x40

    Depending on the server's response:

    • If the server times out or sends no valid response, it is likely vulnerable.
    • If the server returns a specific error indicating validation failure, it is patched.

Usage

./scan-cve-2025-0282.py <SCHEME://HOST[:PORT]>
  • <SCHEME>: The protocol to use, typically https.
  • <HOST>: The IP address or hostname of the target.
  • <PORT>: (Optional) The port to connect to. If not specified, defaults to 443.

Examples

$ ./scan-cve-2025-0282.py https://192.168.50.208
https://192.168.50.208:443: Vulnerable

$ ./scan-cve-2025-0282.py https://192.168.50.135
https://192.168.50.135:443: Patched

$ ./scan-cve-2025-0282.py https://192.168.50.47
https://192.168.50.47:443: Version 9.1.12.6427 is not affected

To scan multiple targets in parallel:

  1. Create a file named targets.txt and add one target per line:
    https://192.168.50.208
    https://192.168.50.135
    https://192.168.50.47
  2. Run the following command:
    cat targets.txt | parallel -j 10 './scan-cve-2025-0282.py {}'

Output Interpretation

  • "Vulnerable": The target system is likely affected by CVE-2025-0282.
  • "Patched": The target system has been patched and is no longer vulnerable.
  • "Version X.X is not affected": The target system runs a version not susceptible to this vulnerability.
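
To roll up a parallel run for patch triage, the sketch below parses the three output formats listed above and flags targets that produced no verdict, since a crashed or silent scan is not evidence of a patched appliance. It is an added example, not part of the scanner or the original post; the function names, the `Traceback` line and the `192.168.50.99` target are constructed for illustration.

```python
import re
from collections import defaultdict

# Scanner output line: "<scheme>://<host>:<port>: <verdict>" (format shown under Examples)
LINE_RE = re.compile(r"^(?P<target>\w+://\S+?:\d+): (?P<verdict>.+)$")
NOT_AFFECTED_RE = re.compile(r"^Version (?P<version>[0-9.]+) is not affected$")

def classify(line):
    """Return (target, status, detail) for one line of scanner output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None, "unparsed", line.strip()
    target, verdict = m["target"], m["verdict"]
    if verdict in ("Vulnerable", "Patched"):
        return target, verdict.lower(), None
    na = NOT_AFFECTED_RE.match(verdict)
    if na:
        return target, "not_affected", na["version"]
    return target, "unparsed", verdict

def triage(lines, scanned):
    """Group results by status; list scanned targets that produced no verdict."""
    report, seen = defaultdict(list), set()
    for line in filter(str.strip, lines):
        target, status, detail = classify(line)
        report[status].append((target, detail))
        if target and status != "unparsed":
            seen.add(target)
    # targets.txt may omit the port; the scanner defaults to 443
    expected = {t if re.search(r":\d+$", t) else t + ":443"
                for t in map(str.strip, scanned) if t}
    report["no_result"] = [(t, None) for t in sorted(expected - seen)]
    return dict(report)

# Constructed sample: the three lines from Examples plus one non-result line
SAMPLE_OUTPUT = """\
https://192.168.50.208:443: Vulnerable
https://192.168.50.135:443: Patched
https://192.168.50.47:443: Version 9.1.12.6427 is not affected
Traceback (most recent call last):
""".splitlines()
SAMPLE_TARGETS = ["https://192.168.50.208", "https://192.168.50.135",
                  "https://192.168.50.47", "https://192.168.50.99"]  # .99 is constructed

if __name__ == "__main__":
    for status, items in triage(SAMPLE_OUTPUT, SAMPLE_TARGETS).items():
        print(status, items)
```

Targets under `no_result` or `unparsed` need a rescan or a manual version check before they are counted as safe.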

Requirements

  • Python 3.x
  • requests library
  • urllib3 library
  • parallel (for parallel scanning, optional)

Notes

Patched systems have stricter validation rules for the size of specific fields in the IF-T protocol. This tool detects a vulnerable system by observing whether the server times out or responds with an error.

Disclaimer

This tool is intended for educational purposes and authorized security assessments only. Unauthorized use of this tool against systems without prior permission may violate local, state, or federal law. Always ensure you have explicit permission before conducting any tests.