Ivanti has issued a September security advisory addressing eleven vulnerabilities in its Secure Access portfolio—Connect Secure, Policy Secure, ZTA Gateways, and Neurons for Secure Access.
The flaws include six medium-severity and five high-severity issues, none of which are known to have been exploited in the wild at the time of disclosure.
Administrators are urged to apply available patches or mitigations immediately to safeguard remote access infrastructure.
High-Risk Authorization Bypass and CSRF Flaws
Among the most critical issues are multiple authorization bypass and cross-site request forgery (CSRF) vulnerabilities.
Four authorization bypass flaws (CVE-2025-55145, CVE-2025-55141, CVE-2025-55142, CVE-2025-55148) allow authenticated users with read-only or limited privileges to modify restricted or authentication-related settings, potentially enabling privilege escalation or persistent access.
CSRF weaknesses (CVE-2025-55111 and CVE-2025-55147) permit unauthenticated attackers to coerce victims into executing sensitive actions with minimal user interaction.
With CVSS scores reaching 8.9 and 8.8, these vulnerabilities pose a significant risk to organizations that expose management interfaces directly to the internet.
Denial of Service, SSRF, and Injection Issues
Ivanti also patched a denial-of-service flaw (CVE-2025-55146) exploitable by high-privilege attackers to crash services, and a server-side request forgery (SSRF) issue (CVE-2025-55139) enabling enumeration of internal infrastructure.
A reflected text injection bug (CVE-2025-55143) allows attackers to inject arbitrary content into HTTP responses when victims interact with crafted URLs.
Though rated medium-severity, these defects can facilitate broader attacks or reconnaissance against protected networks.
Affected Products and Versions
| Product Name | Affected Version(s) | Resolved Version(s) | Patch Availability | 
|---|---|---|---|
| Ivanti Connect Secure | 22.7R2.8 and prior | 22.7R2.9 or 22.8R2 | Download via Ivanti Portal | 
| Ivanti Policy Secure | 22.7R1.4 and prior | 22.7R1.5 | Download via Ivanti Portal | 
| ZTA Gateways | 22.8R2.2 | 22.8R2.3-723 | Available in controller since August 2, 2025 | 
| Neurons for Secure Access | 22.8R1.3 and prior | 22.8R1.4 | Fix applied to cloud environments on August 2, 2025 | 
Ivanti strongly recommends that customers update affected systems to the patched versions listed above.
For Neurons for Secure Access in cloud environments, no additional action is required.
As a mitigation, organizations should ensure administrative portals are not publicly accessible—limiting exposure aligns with Ivanti’s best practices and reduces risk for CVE-2025-8712, CVE-2025-55148, CVE-2025-55139, CVE-2025-55141, CVE-2025-55142, and CVE-2025-55144.
Ivanti thanks security researcher Nikolay Semov for reporting CVE-2025-55145 and collaborating on this advisory.
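The version table above can be turned into an inventory check, shown here as an added example that is not Ivanti's code or part of the advisory. The version layout `<major>.<minor>R<release>[.<patch>][-<build>]` and the rule of comparing only against a fix on the same major.minor branch are assumptions inferred from the strings in the table, and the host names are constructed.

```python
import re

# Rows copied from the advisory table:
# product -> (affected version, listed as "and prior"?, resolved versions)
ADVISORY = {
    "Ivanti Connect Secure": ("22.7R2.8", True, ["22.7R2.9", "22.8R2"]),
    "Ivanti Policy Secure": ("22.7R1.4", True, ["22.7R1.5"]),
    "ZTA Gateways": ("22.8R2.2", False, ["22.8R2.3-723"]),
    "Neurons for Secure Access": ("22.8R1.3", True, ["22.8R1.4"]),
}

# Assumed layout: <major>.<minor>R<release>[.<patch>][-<build>]
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?(?:-(\d+))?$")


def parse_version(text):
    """Return (major, minor, release, patch, build); missing parts count as 0."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def classify(product, version):
    """Return 'resolved', 'affected' or 'review' for one inventory entry."""
    affected_text, and_prior, resolved = ADVISORY[product]
    v = parse_version(version)
    for fixed in map(parse_version, resolved):
        # Assumption: a fix only vouches for builds on its own major.minor branch.
        if v[:2] == fixed[:2] and v >= fixed:
            return "resolved"
    ceiling = parse_version(affected_text)[:4]
    if v[:4] == ceiling or (and_prior and v[:4] < ceiling):
        return "affected"
    return "review"  # not covered by the table; check the vendor advisory


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = [
        ("vpn-a", "Ivanti Connect Secure", "22.7R2.8"),
        ("vpn-b", "Ivanti Connect Secure", "22.8R2"),
        ("nac-a", "Ivanti Policy Secure", "22.7R1.5"),
        ("zta-a", "ZTA Gateways", "22.8R2.3-700"),
    ]
    for host, product, version in inventory:
        print(f"{host:6} {product:24} {version:14} {classify(product, version)}")
```

A `review` result means the table does not say either way, for example a ZTA Gateway below 22.8R2.2, which the table does not list as "and prior".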