CVE-2025-8712: 
Ivanti Connect Secure vulnerability analysis and mitigation

CVE-2025-8712 is a missing authorization vulnerability affecting multiple Ivanti products including Ivanti Connect Secure (before 22.7R2.9 or 22.8R2), Ivanti Policy Secure (before 22.7R1.6), Ivanti ZTA Gateway (before 22.8R2.3-723) and Ivanti Neurons for Secure Access (before 22.8R1.4). The vulnerability was disclosed on September 9, 2025, with patches deployed on August 2, 2025 (NVD, CIS Advisory).

The vulnerability allows a remote authenticated attacker with read-only admin privileges to configure restricted settings. It has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The vulnerability is classified under CWE-862 (Missing Authorization) (NVD).

If exploited, this vulnerability allows an attacker with read-only admin privileges to bypass their restricted access and configure settings they should not have permission to modify. This could lead to unauthorized changes to system configurations and potential security control bypasses (CIS Advisory).

Ivanti has released patches for all affected products. Organizations should upgrade to the following versions: Ivanti Connect Secure 22.7R2.9 or 22.8R2, Ivanti Policy Secure 22.7R1.6, Ivanti ZTA Gateway 22.8R2.3-723, and Ivanti Neurons for Secure Access 22.8R1.4. The fixes were deployed on August 2, 2025 (NVD).