
Ivanti Connect Secure, Policy Secure, and ZTA Gateways Affected by Multiple Security Flaws

Ivanti has issued a September security advisory addressing eleven vulnerabilities in its Secure Access portfolio—Connect Secure, Policy Secure, ZTA Gateways, and Neurons for Secure Access.

The flaws include six medium-severity and five high-severity issues, none of which are known to have been exploited in the wild at the time of disclosure.

Administrators are urged to apply available patches or mitigations immediately to safeguard remote access infrastructure.

High-Risk Authorization Bypass and CSRF Flaws

The most severe issues in the advisory are multiple authorization bypass and cross-site request forgery (CSRF) vulnerabilities.

Four authorization bypass flaws (CVE-2025-55145, CVE-2025-55141, CVE-2025-55142, CVE-2025-55148) allow authenticated users with read-only or limited privileges to modify restricted or authentication-related settings, potentially enabling privilege escalation or persistent access.

CSRF weaknesses (CVE-2025-55111 and CVE-2025-55147) permit unauthenticated attackers to coerce victims into executing sensitive actions with minimal user interaction.

With CVSS scores reaching 8.9 and 8.8, these vulnerabilities pose a significant risk to organizations that expose management interfaces directly to the internet.

Denial of Service, SSRF, and Injection Issues

Ivanti also patched a denial-of-service flaw (CVE-2025-55146) exploitable by high-privilege attackers to crash services, and a server-side request forgery (SSRF) issue (CVE-2025-55139) enabling enumeration of internal infrastructure.

A reflected text injection bug (CVE-2025-55143) allows attackers to inject arbitrary content into HTTP responses when victims interact with crafted URLs.

Though rated medium-severity, these defects can facilitate broader attacks or reconnaissance against protected networks.

Affected Products and Versions

| Product Name | Affected Version(s) | Resolved Version(s) | Patch Availability |
|---|---|---|---|
| Ivanti Connect Secure | 22.7R2.8 and prior | 22.7R2.9 or 22.8R2 | Download via Ivanti Portal |
| Ivanti Policy Secure | 22.7R1.4 and prior | 22.7R1.5 | Download via Ivanti Portal |
| ZTA Gateways | 22.8R2.2 | 22.8R2.3-723 | Available in controller since August 2, 2025 |
| Neurons for Secure Access | 22.8R1.3 and prior | 22.8R1.4 | Fix applied to cloud environments on August 2, 2025 |

Ivanti strongly recommends that customers update affected systems to the patched versions listed above.

For Neurons for Secure Access in cloud environments, no additional action is required.

As a mitigation, organizations should ensure administrative portals are not publicly accessible—limiting exposure aligns with Ivanti’s best practices and reduces risk for CVE-2025-8712, CVE-2025-55148, CVE-2025-55139, CVE-2025-55141, CVE-2025-55142, and CVE-2025-55144.

Ivanti thanks security researcher Nikolay Semov for reporting CVE-2025-55145 and collaborating on this advisory.


The post Ivanti Connect Secure, Policy Secure, and ZTA Gateways Affected by Multiple Security Flaws appeared first on Cyber Security News.
