
Safely detect if an Ivanti server is vulnerable to CVE-2025-0282


BishopFox/CVE-2025-0282-check


CVE-2025-0282-check

Safely detect if an Ivanti server is vulnerable to CVE-2025-0282.

Usage

./scan-cve-2025-0282.py <SCHEME://HOST[:PORT]>

If you don't specify the port, it will default to 443.

$ ./scan-cve-2025-0282.py https://192.168.50.208
https://192.168.50.208:443: Vulnerable

$ ./scan-cve-2025-0282.py https://192.168.50.135
https://192.168.50.135:443: Patched

$ ./scan-cve-2025-0282.py https://192.168.50.47
https://192.168.50.47:443: Version 9.1.12.6427 is not affected

Use GNU parallel to scan multiple targets in one go. Put each target on a separate line in targets.txt, then run the following (-j controls how many jobs run in parallel):

$ cat targets.txt | parallel -j 10 './scan-cve-2025-0282.py {}'
https://192.168.50.208:443: Vulnerable
https://192.168.50.135:443: Patched
https://192.168.50.47:443: Version 9.1.12.6427 is not affected
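
For larger target lists, the per-line output above can be grouped by verdict for remediation tracking. The following is an added example, not part of the BishopFox repository; it assumes only the three output formats shown above, and the function names and the fourth sample line are hypothetical.

```python
import re
import sys
from collections import defaultdict

# Result lines look like "<scheme>://<host>:<port>: <verdict>" (format from the README output).
LINE_RE = re.compile(r"^(?P<target>\w+://\S+?:\d+): (?P<verdict>.+)$")
NOT_AFFECTED_RE = re.compile(r"^Version (?P<version>\S+) is not affected$")
# First three lines are the README's sample output; the last is constructed
# (a hypothetical verdict, not taken from the tool) to exercise the fallback.
SAMPLE = """\
https://192.168.50.208:443: Vulnerable
https://192.168.50.135:443: Patched
https://192.168.50.47:443: Version 9.1.12.6427 is not affected
https://192.0.2.10:443: Connection refused
"""


def classify(line):
    """Return (target, status, detail) for one scanner output line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return (None, "unparsed", line.strip())
    target, verdict = m["target"], m["verdict"]
    if verdict in ("Vulnerable", "Patched"):
        return (target, verdict.lower(), "")
    na = NOT_AFFECTED_RE.match(verdict)
    if na:
        return (target, "not_affected", na["version"])
    # Any verdict not shown in the README is kept for manual review.
    return (target, "unknown", verdict)


def triage(lines):
    """Group (target, detail) pairs by status; blank lines are skipped."""
    groups = defaultdict(list)
    for line in lines:
        if line.strip():
            target, status, detail = classify(line)
            groups[status].append((target, detail))
    return dict(groups)


if __name__ == "__main__":
    groups = triage(sys.stdin)
    for status in ("vulnerable", "unknown", "unparsed", "patched", "not_affected"):
        for target, detail in groups.get(status, []):
            print(f"{status:13} {target or '-'} {detail}".rstrip())
    # Non-zero exit if anything needs patching or a second look.
    sys.exit(1 if {"vulnerable", "unknown", "unparsed"} & groups.keys() else 0)
```

Saved under a name of your choice (for example triage.py), it reads the parallel output on stdin and exits non-zero when any target is vulnerable or produced a line it could not classify.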

How it works

Patched systems restrict the size of multiple fields in the clientInfo string, even though CVE-2025-0282 can only be triggered through clientCapabilities. As a result, we can just look for an error response when validation fails on a patched system. Patched systems return an ERROR, while unpatched systems time out waiting for the client to perform EAP authentication.
