CVE-2025-55145
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-09-24
Assigner: ivanti
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ivanti | neurons_for_secure_access | to 22.8 (exc) |
| ivanti | neurons_for_secure_access | 22.8 |
| ivanti | neurons_for_secure_access | 22.8 |
| ivanti | neurons_for_secure_access | 22.8 |
| ivanti | neurons_for_secure_access | 22.8 |
| ivanti | connect_secure | to 22.7 (exc) |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | connect_secure | 22.7 |
| ivanti | policy_secure | to 22.7 (exc) |
| ivanti | policy_secure | 22.7 |
| ivanti | policy_secure | 22.7 |
| ivanti | policy_secure | 22.7 |
| ivanti | policy_secure | 22.7 |
| ivanti | policy_secure | 22.7 |
| ivanti | policy_secure | 22.7 |
| ivanti | policy_secure | 22.7 |
| ivanti | zero_trust_access_gateway | 22.8 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a missing authorization issue in certain versions of Ivanti Connect Secure, Ivanti Policy Secure, Ivanti ZTA Gateway, and Ivanti Neurons for Secure Access. It allows a remote authenticated attacker to hijack existing HTML5 connections, meaning the attacker can take over active sessions without proper permission checks.
How can this vulnerability impact me? :
The vulnerability can lead to session hijacking by a remote authenticated attacker, potentially allowing them to gain unauthorized access to sensitive information or perform actions on behalf of legitimate users. This can result in data breaches, loss of confidentiality and integrity, and disruption of services.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Ivanti Connect Secure to version 22.7R2.9 or later, Ivanti Policy Secure to 22.7R1.6 or later, Ivanti ZTA Gateway to 2.8R2.3-723 or later, and Ivanti Neurons for Secure Access to 22.8R1.4 or later, as the fix was deployed on 02-Aug-2025. Until updates are applied, restrict remote authenticated access to these services to trusted users only.