CVE-2025-8711: 
Ivanti Connect Secure vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in multiple Ivanti products including Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4. The vulnerability was disclosed on September 9, 2025, with fixes deployed on August 2, 2025 (NVD, CIS Advisory).

The vulnerability allows a remote unauthenticated attacker to execute limited actions on behalf of the victim user, with user interaction being required. The CVSS v3.1 base score is 5.4 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. The vulnerability is classified as CWE-352: Cross-Site Request Forgery (CSRF) (NVD).

If successfully exploited, this vulnerability allows an attacker to perform limited actions with the privileges of a victim user. The attack requires user interaction and can potentially lead to unauthorized actions being executed on the affected systems (GBHackers).

Ivanti has released patches to address this vulnerability. Users should upgrade Ivanti Connect Secure to version 22.7R2.9 or 22.8R2, Ivanti Policy Secure to version 22.7R1.6, ZTA Gateway to version 2.8R2.3-723, and Neurons for Secure Access to version 22.8R1.4. For cloud-based Neurons for Secure Access installations, fixes were automatically applied on August 2, 2025 (GBHackers).