Multiple Vulnerabilities Discovered in Ivanti Connect Secure, Policy Secure, and ZTA Gateways


Ivanti on September 9 released a security advisory detailing six medium and five high severity vulnerabilities impacting Ivanti Connect Secure, Policy Secure, ZTA Gateways, and Neurons for Secure Access.

No evidence of customer exploitation has surfaced so far. Patches and fixes are available immediately to address issues ranging from missing authorization checks and cross-site request forgery (CSRF) flaws to server-side request forgery (SSRF) and denial-of-service conditions.

Scope of Vulnerabilities

The advisory covers multiple components, including on-premise and cloud products.

Affected versions include Ivanti Connect Secure 22.7R2.8 and earlier, Policy Secure 22.7R1.4 and earlier, ZTA Gateways 22.8R2.2, and Neurons for Secure Access 22.8R1.3 and earlier.

Ivanti deployed fixes on August 2, 2025, for all products; cloud environments for Neurons for Secure Access were updated automatically.

| CVE Number | Description | CVSS Score | Severity |
|---|---|---|---|
| CVE-2025-8712 | Missing authorization allows a remote authenticated read-only admin to change restricted settings. | 5.4 | Medium |
| CVE-2025-8711 | CSRF enables a remote unauthenticated attacker to perform limited actions with victim interaction. | 5.4 | Medium |
| CVE-2025-55145 | Missing authorization allows a remote authenticated attacker to hijack existing HTML5 connections. | 8.9 | High |
| CVE-2025-55146 | Unchecked return value enables a remote authenticated admin to trigger denial of service. | 4.9 | Medium |
| CVE-2025-55147 | CSRF permits a remote unauthenticated attacker to execute sensitive actions with user interaction. | 8.8 | High |
| CVE-2025-55148 | Missing authorization allows a remote authenticated read-only admin to configure restricted settings. | 7.6 | High |
| CVE-2025-55139 | SSRF lets a remote authenticated admin enumerate internal services. | 6.8 | Medium |
| CVE-2025-55141 | Missing authorization permits a remote authenticated read-only admin to configure authentication. | 8.8 | High |
| CVE-2025-55142 | Missing authorization permits a remote authenticated read-only admin to configure authentication. | 8.8 | High |
| CVE-2025-55143 | Reflected text injection allows a remote unauthenticated attacker to inject an arbitrary HTTP response. | 6.1 | Medium |
| CVE-2025-55144 | Missing authorization enables a remote authenticated read-only admin to configure restricted settings. | 5.4 | Medium |

Mitigation and Recommendations

Patch Deployment:

  • Ivanti Connect Secure: Update to 22.7R2.9 or 22.8R2 via the Ivanti download portal.
  • Ivanti Policy Secure: Upgrade to 22.7R1.5 from the portal.
  • ZTA Gateways: Download version 22.8R2.3-723 from the controller interface.
  • Neurons for Secure Access: No customer action required; fixes auto-applied in cloud on August 2.
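
A small triage helper for checking an inventory of appliance versions against the fixed releases listed above (an added example, not Ivanti tooling). It assumes that any version below the fixed release of its own 22.x branch is affected, that branches older than every fixed release are affected, and that a build suffix such as "-723" can be ignored when comparing; Neurons for Secure Access is cloud-managed and has no customer-side version to check.

```python
import re
from typing import Tuple

# Fixed releases per product, taken from the advisory's patch guidance.
FIXED = {
    "Connect Secure": ["22.7R2.9", "22.8R2"],
    "Policy Secure": ["22.7R1.5"],
    "ZTA Gateways": ["22.8R2.3-723"],
}

# major.minor R release [.patch] [-build]; the build number is parsed but ignored.
_VER = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?(?:-\d+)?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'22.7R2.8' -> (22, 7, 2, 8); '22.8R2' -> (22, 8, 2, 0)."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def is_affected(product: str, version: str) -> bool:
    """True if the installed version predates the fix for its branch (assumption)."""
    v = parse_version(version)
    fixed = sorted(parse_version(f) for f in FIXED[product])
    same_branch = [f for f in fixed if f[:2] == v[:2]]
    if same_branch:
        return v < same_branch[0]
    # No fixed release in this branch: older branches are treated as affected,
    # newer ones as not affected (assumption, not stated by the advisory).
    return v < fixed[0]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("vpn-01", "Connect Secure", "22.7R2.8"),
        ("vpn-02", "Connect Secure", "22.8R2"),
        ("nac-01", "Policy Secure", "22.7R1.4"),
        ("zta-01", "ZTA Gateways", "22.8R2.3-723"),
    ]
    for host, product, ver in inventory:
        state = "AFFECTED - patch" if is_affected(product, ver) else "fixed"
        print(f"{host:8} {product:15} {ver:14} {state}")
```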

Customers should avoid exposing administrative portals directly to the internet. Restricting access via network controls aligns with Ivanti’s security guidance and industry best practices.

Ivanti thanks security researcher Nikolay Semov for reporting CVE-2025-55145. For details on Ivanti’s Vulnerability Disclosure Policy, visit the Ivanti support page.

Ensuring software components are up to date is critical. Administrators are urged to apply these patches immediately to maintain the integrity and security of remote access and zero-trust gateway deployments.
