Ivanti Connect Secure Unauthenticated Remote Code Execution via Stack-based Buffer Overflow

Disclosed: Apr 3, 2025
Created: May 15, 2025

Description

This module exploits a stack-based buffer overflow vulnerability in
Ivanti Connect Secure to achieve remote code execution
(CVE-2025-22457). Versions 22.7R2.5 and earlier are vulnerable. Note
that Ivanti Pulse Connect Secure, Ivanti Policy Secure and ZTA gateways
are also vulnerable, but this module does not support those products.
A heap spray is used to place the payload in memory at a predetermined
location. The exploit builds its ROP chain from `libdsplibs` to get
command execution, but due to ASLR the base address of that library is
unknown. As a result, the module brute forces this address, starting
from the address set by the `LIBDSPLIBS_ADDRESS` option.

Authors

Stephen Fewer
Christophe De La Fuente

Platform

Linux

Architectures

cmd

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


```
msf > use exploit/linux/http/ivanti_connect_secure_stack_overflow_rce_cve_2025_22457
msf exploit(ivanti_connect_secure_stack_overflow_rce_cve_2025_22457) > show targets
...targets...
msf exploit(ivanti_connect_secure_stack_overflow_rce_cve_2025_22457) > set TARGET <target-id>
msf exploit(ivanti_connect_secure_stack_overflow_rce_cve_2025_22457) > show options
...show and set options...
msf exploit(ivanti_connect_secure_stack_overflow_rce_cve_2025_22457) > exploit
```
