Last week, watchTowr Labs published an excellent breakdown of CVE-2025-22457 — a stack-based buffer overflow in Ivanti Connect Secure that can lead to unauthenticated remote code execution via a long X-Forwarded-For header.
To support defenders and the security research community, we've released a simple Python script to help test systems safely for this issue, confirm whether the vulnerability is exploitable, and identify what logging artifacts are generated if exploitation is attempted.

Why Not Just Use Nuclei?
This effort originally started with the idea of building a Nuclei template, but during testing, it became clear that Nuclei doesn’t currently support handling conditions where no HTTP response is received at all (such as when the web process crashes). Since that’s the exact behavior needed to confirm this vulnerability, Nuclei was not the best tool in this case.
Testing Without Taking Systems Offline
The script operates in two modes:
- Quick Mode sends the crash payload and checks for a response. If no response is received, the target may be vulnerable.
- Detailed Mode ensures the server is initially responsive, sends the crash payload, and then verifies again the server is operational. This helps confirm a real crash occurred and rules out false positives due to transient issues.
This allows safe detection in production environments while minimizing impact.
What to Look for in Logs
If the target is vulnerable and the payload is sent, Ivanti Connect Secure systems will log the following message:
ERROR31093: Program web recently failed.
Organizations should monitor for this log entry as a potential indicator of attempted exploitation and alert on any detection of that log until they have mitigated/patched.
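As an added example (not part of the original post or the released script), the detection logic below scans log lines for the ERROR31093 message, groups web-process crashes per appliance, and suppresses alerts for hosts already marked as patched. The sample lines and their syslog-style framing are constructed; only the message text comes from the article.

```python
import re
from collections import defaultdict

# Constructed sample lines; the framing (timestamp, hostname, bracketed source
# IP) is an assumption, only the ERROR31093 message text is from the article.
SAMPLE_LOGS = """\
2025-04-10T09:12:01Z ics-gw1 - [127.0.0.1] System()[] - Info: Web server started.
2025-04-10T09:14:33Z ics-gw1 - [203.0.113.7] System()[] - ERROR31093: Program web recently failed.
2025-04-10T09:14:40Z ics-gw1 - [127.0.0.1] System()[] - Info: Web server started.
2025-04-10T09:20:05Z ics-gw2 - [127.0.0.1] System()[] - Info: Config saved.
2025-04-10T09:31:12Z ics-gw1 - [203.0.113.7] System()[] - ERROR31093: Program web recently failed.
"""

# Exact message logged when the web process dies (from the article).
WEB_CRASH = re.compile(r"ERROR31093: Program web recently failed\.")
# Assumed line layout: <ts> <host> - [<src ip>] <component> - <message>
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) - \[(?P<src>[^\]]+)\] .*?- (?P<msg>.*)$")


def find_web_crashes(log_text):
    """Return one (timestamp, host, source ip) tuple per ERROR31093 line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or not WEB_CRASH.search(m.group("msg")):
            continue
        hits.append((m.group("ts"), m.group("host"), m.group("src")))
    return hits


def alerts_by_host(hits, patched=frozenset()):
    """Group crash events per appliance; hosts already patched are dropped,
    matching the advice to alert on this entry until mitigation is in place."""
    per_host = defaultdict(list)
    for ts, host, src in hits:
        if host not in patched:
            per_host[host].append((ts, src))
    return dict(per_host)


if __name__ == "__main__":
    crashes = find_web_crashes(SAMPLE_LOGS)
    for host, events in alerts_by_host(crashes, patched={"ics-gw2"}).items():
        print(f"{host}: {len(events)} web-process crash(es); possible exploitation attempt")
        for ts, src in events:
            print(f"  {ts} from {src}")
```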
A Note on Path Handling
While /dana-na/auth/url_default/welcome.cgi is a common path used in detection, it can be modified by administrators. Relying solely on it may lead to false negatives.
The script therefore also checks /dana-na/setup/psaldownload.cgi, which appears to be a reliable alternative — this .cgi endpoint cannot be altered via configuration and still triggers the vulnerability. Any .cgi processed by the Ivanti web service appears to be affected.
Get the Script
The full script is available at https://github.com/securekomodo/CVE-2025-22457 and supports scanning single or multiple targets, with optional output to a file. It is designed to be straightforward and functional — no dependencies beyond Python's requests library.
This script is released with the goal of enabling defenders and detection engineers to safely scan their environments, validate patch coverage, and build reliable detections for this vulnerability.
Big thanks again to the research team at watchTowr for their clear and thorough disclosure.