Date Posted: 2025/09/12

[Vulnerability Alert] Multiple Major Security Vulnerabilities Exist in Ivanti's Connect Secure, Policy Secure, ZTA Gateways, and Neurons for Secure Access

  • Subject: [Vulnerability Alert] Multiple Major Security Vulnerabilities Exist in Ivanti's Connect Secure, Policy Secure, ZTA Gateways, and Neurons for Secure Access
  • Content:
    • Forwarded from Taiwan Computer Network Emergency Response Team/Coordination Center (TWCERTCC-200-202509-00000007)
    • [CVE-2025-55141, CVSS: 8.8] Missing authorization allows an authenticated attacker with read-only administrator privileges to modify authentication-related settings.
    • [CVE-2025-55142, CVSS: 8.8] Missing authorization allows an authenticated attacker with read-only administrator privileges to modify authentication-related settings.
    • [CVE-2025-55145, CVSS: 8.9] Missing authorization allows an authenticated remote attacker to hijack existing HTML5 connections.
    • [CVE-2025-55147, CVSS: 8.8] A CSRF vulnerability allows an authenticated remote attacker to perform sensitive operations as the victim user.
  • Affected Platforms:
    • Ivanti Connect Secure 22.7R2.8 and earlier versions
    • Ivanti Policy Secure 22.7R1.5 and earlier versions
    • Ivanti ZTA Gateway 2.8R2.2 and earlier versions
    • Ivanti Neurons for Secure Access 22.7R1.5 and earlier versions
  • Recommended Action:
  • References:

Computer and Communications Center
Network Systems Group
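
To check an asset inventory against the affected versions listed above, the following added example (not part of the original alert or of any Ivanti tooling) compares version strings numerically rather than as text. It assumes versions follow the `major.minor` + `R` + `release[.patch]` pattern used in the alert and that ordering holds across release lines; the hostnames and inventory rows are constructed.

```python
import re

# Last affected release per product, taken from the alert's "Affected Platforms" list.
LAST_AFFECTED = {
    "Ivanti Connect Secure": "22.7R2.8",
    "Ivanti Policy Secure": "22.7R1.5",
    "Ivanti ZTA Gateway": "2.8R2.2",
    "Ivanti Neurons for Secure Access": "22.7R1.5",
}

# Assumed format: <major>.<minor>R<release>[.<patch>], e.g. 22.7R2.8
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Turn '22.7R2.8' into (22, 7, 2, 8); a missing patch level counts as 0."""
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected(product, version):
    """True if version is at or below the last affected release for product."""
    return parse_version(version) <= parse_version(LAST_AFFECTED[product])

def triage(inventory):
    """Classify (host, product, version) rows as 'affected', 'ok' or 'review'."""
    report = []
    for host, product, version in inventory:
        try:
            status = "affected" if is_affected(product, version) else "ok"
        except (KeyError, ValueError):
            # Unknown product name or unparseable version: never assume safe.
            status = "review"
        report.append((host, status))
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("vpn-edge-01", "Ivanti Connect Secure", "22.7R2.8"),
    ("vpn-edge-02", "Ivanti Connect Secure", "22.7R2.10"),  # 10 > 8 numerically
    ("nac-01", "Ivanti Policy Secure", "22.7R1.4"),
    ("zta-gw-01", "Ivanti ZTA Gateway", "2.8R2.3"),
    ("nsa-01", "Ivanti Neurons for Secure Access", "22.7R1"),
    ("vpn-lab", "Ivanti Connect Secure", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```

Rows marked `review` have a product name or version string the script could not interpret and need a manual check.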