CVE-2025-5466
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-08-12
Last updated on: 2025-09-23
Assigner: ivanti
Description
Description
XEE in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with admin privileges to trigger a denial of service
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | policy_secure | to 22.7 (exc) |
| ivanti | policy_secure | 22.7 |
| ivanti | policy_secure | 22.7 |
| ivanti | policy_secure | 22.7 |
| ivanti | policy_secure | 22.7 |
| ivanti | policy_secure | 22.7 |
| ivanti | policy_secure | 22.7 |
| ivanti | connect_secure | to 22.7 (exc) |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | zero_trust_access_gateway | 22.8 |
| ivanti | neurons_for_secure_access | to 22.8 (exc) |
| ivanti | neurons_for_secure_access | 22.8 |
| ivanti | neurons_for_secure_access | 22.8 |
| ivanti | neurons_for_secure_access | 22.8 |
| ivanti | neurons_for_secure_access | 22.8 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-776 | The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an XML External Entity (XEE) issue in several Ivanti products before specific versions. It allows a remote authenticated attacker with admin privileges to cause a denial of service.
How can this vulnerability impact me? :
An attacker with admin privileges can exploit this vulnerability to trigger a denial of service, potentially disrupting the availability of the affected Ivanti products.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70