CVE-2025-8711
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-09-24
Assigner: ivanti
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ivanti | connect_secure | up to 22.7 (excluding) |
| ivanti | connect_secure | 22.7 |
| ivanti | policy_secure | up to 22.7 (excluding) |
| ivanti | policy_secure | 22.7 |
| ivanti | zero_trust_access_gateway | 22.8 |
| ivanti | neurons_for_secure_access | up to 22.8 (excluding) |
| ivanti | neurons_for_secure_access | 22.8 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
How can this vulnerability impact me?
An attacker could perform limited unauthorized actions as if they were the victim user, potentially leading to information disclosure or unauthorized changes. However, the impact is limited and requires user interaction.
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) issue in certain versions of Ivanti products. It allows a remote unauthenticated attacker to execute limited actions on behalf of a victim user, but requires the victim to interact (such as clicking a link).
What immediate steps should I take to mitigate this vulnerability?
Apply the fix deployed on 02-Aug-2025 by updating Ivanti Connect Secure to version 22.7R2.9 or 22.8R2, Ivanti Policy Secure to version 22.7R1.6 or later, Ivanti ZTA Gateway to version 2.8R2.3-723 or later, and Ivanti Neurons for Secure Access to version 22.8R1.4 or later. Additionally, educate users about the risk of CSRF attacks and the need for caution with unsolicited links or actions requiring user interaction.