CVE-2025-55145: 
Ivanti Connect Secure vulnerability analysis and mitigation

A missing authorization vulnerability (CVE-2025-55145) was discovered in multiple Ivanti products including Connect Secure before 22.7R2.9 or 22.8R2, Policy Secure before 22.7R1.6, ZTA Gateway before 2.8R2.3-723, and Neurons for Secure Access before 22.8R1.4. The vulnerability was disclosed on September 9, 2025, with fixes deployed on August 2, 2025 (NVD, GBHackers).

The vulnerability allows a remote authenticated attacker to hijack existing HTML5 connections. It has been assigned a CVSS v3.1 base score of 8.9 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L. The vulnerability is classified under CWE-862 (Missing Authorization) and requires user interaction for successful exploitation (NVD).

The vulnerability has high impact ratings for both confidentiality and integrity, with a low impact on availability. The scope is changed, indicating that the vulnerability can affect resources beyond its security scope (NVD).

Ivanti has released patches for all affected products. Users should upgrade Ivanti Connect Secure to version 22.7R2.9 or 22.8R2, Policy Secure to version 22.7R1.5, and ZTA Gateways to version 22.8R2.3-723. For Neurons for Secure Access, fixes were automatically applied in the cloud environment on August 2, 2025. Additionally, administrators are advised to avoid exposing administrative portals directly to the internet (GBHackers).

The vulnerability was responsibly disclosed by security researcher Nikolay Semov. Ivanti has acknowledged the finding and promptly released patches for all affected products (GBHackers).