CVE-2025-55146: 
Ivanti Connect Secure vulnerability analysis and mitigation

An unchecked return value vulnerability (CVE-2025-55146) was discovered in multiple Ivanti products including Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4. The vulnerability was disclosed on September 9, 2025, with fixes deployed on August 2, 2025 (CIS Advisory, NVD).

The vulnerability stems from an unchecked return value in affected Ivanti products that could be exploited by a remote authenticated attacker with admin privileges. The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H. This indicates network accessibility, low attack complexity, high privileges required, no user interaction needed, and high impact on availability (AttackerKB).

If successfully exploited, this vulnerability allows a remote authenticated attacker with admin privileges to trigger a denial of service condition in the affected systems. The impact is primarily focused on system availability, with no direct effect on confidentiality or integrity (GBHackers).

Ivanti has released patches to address this vulnerability. Organizations should upgrade to the following versions: Ivanti Connect Secure to version 22.7R2.9 or 22.8R2, Ivanti Policy Secure to version 22.7R1.6, Ivanti ZTA Gateway to version 2.8R2.3-723, and Ivanti Neurons for Secure Access to version 22.8R1.4. For cloud environments, fixes were automatically deployed on August 2, 2025 (GBHackers).