And here we have it.
CVE-2025-0282 and CVE-2025-0283
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283

CVE-2025-0282 (CVSS 9.0 stack buffer overflow) is being exploited in the wild.


Without even knowing the details of the exploit, can we make some guesses about the feasibility of such attacks?

The vulnerability is a stack buffer overflow. What are the chances of being able to successfully exploit such bugs without needing to chain with a second bug? You know, since ASLR has been around on the Linux platform for about 20 years now.

Let's look at just the binaries in /home/bin on a recent Ivanti ICS device.
11 out of 241 executables have PIE enabled, and therefore are randomized with ASLR.

A job done, folks.

As we're pondering software excellence, let's look at how you can tell if your device is compromised.

You ask it, and hope it doesn't lie to you.

Sure, you "can" identify a bank robber by asking them if they robbed a bank. And if they're really bad at what they do, they might say yes.

The Ivanti ICT is the same concept. You ask your maybe-compromised device to pretty please run a scanner, and then tell you the results. This is the official company-sanctioned (and only official) way of checking the integrity of your ICS product.

More info from Mandiant:
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day

I'll say that Ivanti customers are lucky that the attackers aren't trying very hard here. Mandiant admits that the attackers are *already* attempting (poorly) to bypass the ICT. But they did such a bad job that their faked ICT results had only 3 steps instead of 10.

It's trivial to modify an ICS so that the ICT fakes the 10 steps of the ICT, without including the rickroll step of 11.

It's only safe to assume here that only the B Team of Ivanti attackers were detected anywhere. And that anybody with a touch more skill is still in your boxes if you're only relying on the ICT as Ivanti recommends running it for detection of badness. But I suppose that's the case with just about anything... you only notice the folks that are bad enough to get caught. 🤦‍♂️


As per usual, watchTowr has an excellent writeup on the vulnerability.
https://labs.watchtowr.com/do-secure-by-design-pledges-come-with-stickers-ivanti-connect-secure-rce-cve-2025-0282/

As they mention, the clear thing that has changed is the web binary, which indeed is ASLR'd via PIE.

If "web" is the process that's being exploited, we should be protected with ASLR, right? Well, sorta.

First, let's look at the most recent builds (22.7R2.4 or R2.5) of ICS. As it turns out, they are getting better with enabling PIE. It's now over 50% of the executables in /home/bin. My prior screenshot was from a 22.6 version of the appliance. Baby steps?

While the ICS has a 64-bit kernel (that is over 6 years old), this web server binary (as well as every other binary in /home/bin) is 32-bit. What does this mean for ASLR? Well, by my calculation, that gets us about 9 bits of entropy. Which, depending on what the exploit does, could be brute forced.

There's no use of pesky stack canaries either, so Ivanti has made it easier for those looking to exploit stack buffer overflows.
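The PIE and stack-canary tallies above (11 of 241, later over 50%) are the kind of thing you can check yourself on a decrypted ICS filesystem. This is an added example, not part of the thread and not Ivanti's or watchTowr's code: it reads the ELF header of each file in a directory (/home/bin is assumed as the default) and reports bitness, PIE (e_type == ET_DYN, the same test checksec uses) and a heuristic stack-canary check (a reference to __stack_chk_fail). The fake_elf helper builds constructed ELF headers so the logic can be exercised offline.

```python
import os
import struct

ELF_MAGIC = b"\x7fELF"
ET_DYN = 3  # e_type of PIE executables (shared objects use it too)

def inspect_elf(data: bytes) -> dict:
    """Read the ELF header and report bitness, PIE and stack-canary hints.

    The canary check is a heuristic: code built with -fstack-protector calls
    __stack_chk_fail, so that name appears in the binary's string tables.
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]     # 1/2 = 32/64-bit, 1/2 = LE/BE
    endian = "<" if ei_data == 1 else ">"
    (e_type,) = struct.unpack(endian + "H", data[16:18])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "pie": e_type == ET_DYN,
        "canary": b"__stack_chk_fail" in data,
    }

def scan_dir(path: str) -> dict:
    """Tally PIE / canary / 32-bit counts over every ELF file in a directory."""
    stats = {"total": 0, "pie": 0, "canary": 0, "bits32": 0, "files": {}}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        with open(full, "rb") as f:
            data = f.read()
        if data[:4] != ELF_MAGIC:
            continue                         # scripts and data files are skipped
        info = inspect_elf(data)
        stats["total"] += 1
        stats["pie"] += info["pie"]
        stats["canary"] += info["canary"]
        stats["bits32"] += info["bits"] == 32
        stats["files"][name] = info
    return stats

def fake_elf(bits: int, e_type: int, canary: bool) -> bytes:
    """Constructed minimal ELF header for offline testing (not a real binary)."""
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 1, 1]) + b"\0" * 9
    hdr = ident + struct.pack("<HH", e_type, 3)  # e_type, e_machine = EM_386
    return hdr + (b"__stack_chk_fail\0" if canary else b"")

if __name__ == "__main__":
    import sys
    s = scan_dir(sys.argv[1] if len(sys.argv) > 1 else "/home/bin")
    print(f'{s["pie"]} of {s["total"]} ELF files are PIE, '
          f'{s["canary"]} have stack canaries, {s["bits32"]} are 32-bit')
```

Run it against the mounted /home/bin of a decrypted image rather than on the live appliance, for the same reason the thread gives about trusting a maybe-compromised box to report on itself.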


Since this vulnerability is being successfully exploited in the wild, it probably is worth knowing if your system has been compromised, right?

A compromised box can easily fake (internal AND external) ICT results, and it can also fake the factory reset process as well. So is all hope lost?

Well, in the vast sea of bits on VirusTotal, apparently some good samaritan has uploaded a bootable ISO that can both decrypt an Ivanti ICS filesystem, as well as run the stand-alone ICT in a way that is truly stand-alone. i.e. it doesn't rely on your maybe-compromised running system not lying to you.

With some brief testing, it seems to work. And perhaps can be trustable as much as you trust a computer to boot from the media you specify.
https://www.virustotal.com/gui/file/2d76293e1639152e4871fba67cb5bdb010e444a3cd66bdf943503c48bba412c0/details


Using a 1-line change of the BishopFox PoC for CVE-2025-0282, we can easily see the vulnerable Ivanti web server crash.
https://github.com/BishopFox/CVE-2025-0282-check

Given that there's no stack canary, and there's only 9 bits of ASLR entropy, we can probably successfully brute force a successful exploit if we want to.

@wdormann How did you get a working VA of the vulnerable target? I used the v-22.7r2.3-b3431 original .OVA to deploy a VA in VMware Workstation and do the initial setup. But when I launch the attack, nothing happens. No crash in the terminal. I think there's something else that has to be done in order to exploit the vuln... Any ideas/suggestions?

@mcksysar
I used the python PoC from BishopFox and just added 1 line to get it to crash:
payload += b" clientCapabilities=" + b"A" * 1000
You can do something similar with the Rapid7 PoC, but I had to do a couple of tweaks to get that to work (outlined earlier in my thread here). There's nothing else that needs to be done. Just negotiating the IF-T TLS with a large clientCapabilities value is enough to trigger it.

You should see the "web" binary crash in dmesg output. R2.3 as well.

To get to R2.4 I installed an update PKG, as I couldn't find an R2.4 VM. I suspect Ivanti didn't build one for that version.

@wdormann I did that change in BishopFox's PoC, and got nothing on the terminal. I have several versions of the software (2 from OVAs and 2 more from upgrading from pkgs). But the attack shows nothing on the terminal (the handshake seems to work fine, since I got the 101 HTTP code and the version request response; but when the overflow is sent, nothing happens in the terminal). That's why I asked you if there's some extra config that must be done in order to exploit this...
@wdormann I also changed and compiled openconnect like watchTowr did, but got no crash in any of my VMs.