Go hack some more Ivanti shit. Someone else already has been.

https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457?language=en_US

sev:CRIT 9.0 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.

https://nvd.nist.gov/vuln/detail/CVE-2025-22457

Edit to add:

We are aware of a limited number of customers whose Ivanti Connect Secure (22.7R2.5 or earlier) and End-of-Support Pulse Connect Secure 9.1x appliances have been exploited at the time of disclosure. Pulse Connect Secure 9.1x reached End-of-Support on December 31, 2024, and no longer receive code support or changes.

#ivanti #groundhogDay

@cR0w How can this company still exist?

@buherator That's so far down on questions I have at this point. 😆

@cR0w @buherator I wish a company that decided to rebuild their edge device code in Rust would be handsomely rewarded by the market, but I know that almost nobody actually cares about these vulns, and even fewer about true systemic fixes.

@mttaggart @buherator I would go so far as to say that there are too many people in the security industry that are incentivized to continue the status quo shitshow.

@mttaggart @cR0w I don't want unicorns, I just would like to see that shitty security QA has consequences on the market, regardless of technology.

@cR0w @mttaggart @buherator the first time i saw this was with fireeye, way way way back when. then sonicwalls, then some others, now its like, everybody who has php on a firewall with the one exception of pfsense, who i just never hear about, ever.

but yeah, this sentiment is absolutely dead on. way too many people who have no clue wtf theyre doing, and will scream gatekeeping at you over the mere suggestion they be 'even remotely qualified'

@buherator @mttaggart The consequences hit the customers. The vendors get the rewards.

@Viss @mttaggart @buherator FireEye? The security appliance running Apache as root? 😆

@cR0w @mttaggart @buherator imagine someone who was formerly a florist in an operating room during a neurosurgeons job, screaming gatekeeping at the head of medicine for the hospital because the head of medicine suggested that maybe the florist, i dunno, attend medical school? learn some stuff about surgery or medicine?

thats where we're at

@cR0w @mttaggart @buherator im not sure if 44con published the talk, but it was massive news at the time. some german researcher guy figured it out
- send one email through with a 7zip that uncompresses to absolute paths, have it overwrite the python script which parses a file format with python meterpreter
- send a second email through with an attachment for that fileformat (he used rtf). that will trigger the parser.

meterp rootshell on fireeye appliance via 2 emails

it was bananas

@cR0w @buherator I'm in agreement with you. Rust is just the only real game in town for memory-safe code at the moment. But it's not about that; as you said, it's about process. But yeah, there is zero incentive at all to improve. Nor will there be, especially as we lose the CSRB and CISA gets gutted even beyond its prior state of toothlessness.

@cR0w @mttaggart @buherator that musta been like.. 2014 maybe? i forget, but it blew my mind. i was in the room for the talk

@Viss @mttaggart @buherator I didn't see the talk but I read all about it.

@cR0w @mttaggart @buherator they made 'fuck fireeye' stickers for like 2 years afterwards

@mttaggart @buherator Yeah we know how unchecked capitalism impacts behavior. :-/

@Viss @cR0w @mttaggart @buherator As one of the resident medical school instructors, I'll also add that a lot of people that think they're heads of medicine are just three raccoons in a trench coat.

This analogy is getting weird.

@Viss @cR0w @mttaggart @buherator remember when they found it that they were using upx under the hood for sample analysis, and discovered its running as root? I also recall that at some point down the line, UPX had a buffer overflow vuln with crafted ELF files.

@buherator @cR0w @mttaggart there aren't any, basically. Fortinet is another one where they're shipping cheap by being, well, crap at security. But orgs will buy cheap.

@da_667 @cR0w @mttaggart @buherator yeah once that german dude showed people how to trivially get shells on the things, a buuuuunch of other folks dove in :D

@Viss @da_667 @cR0w @mttaggart FTR it was Felix Wilhelm (who then went to big G) and these seem to be the slides:

https://ernw.de/download/ERNW_44CON_PlayingWithFire_signed.pdf

@buherator @cR0w @da_667 @mttaggart yup, this was it :D - good times!

@da_667 @Viss @cR0w @mttaggart I don't remember UPX unpacker vulns in FE specifically, but this old P0 post is still a fun read:

https://googleprojectzero.blogspot.com/2016/06/how-to-compromise-enterprise-endpoint.html

Edit: it seems they needed a (rather trivial) privesc in case of FE, so give credit where it's due ;)

https://project-zero.issues.chromium.org/issues/42452189

@buherator @cR0w @mttaggart @Viss its entirely possible that I remembered wrong, but thank you

@cR0w @buherator @mttaggart But customers often don't really care either? Cost of doing business and stuff