CVE-2025-55142
Description
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.
Overview
- State: PUBLISHED
- Assigner (CNA): ivanti
- CVSS severity: HIGH
- CVSS score: 8.8 / 10
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Effective score: 8.8 / 10 HIGH (source: CNA overview)
- CWE(s): CWE-862
- Reserved: 2025-08-07
- Published: 2025-09-09 17:49 UTC
- Last updated: 2026-02-26 18:49 UTC
- Source: https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2025/55xxx/CVE-2025-55142.json
- Linked Threat: CVE-2025-55142 — CVE-2025-55142
European Union Vulnerability Database ENISA EUVD
ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.
- EUVD ID: EUVD-2025-27283
- Assigner: ivanti
- Published: Sep 9, 2025, 3:49:20 PM
- Updated: Feb 26, 2026, 5:49:02 PM
- EUVD base score (CVSS 3.1): 8.8 / 10, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- EUVD-reported EPSS: 3.8400
- Vendors: Ivanti
- Products: ZTA Gateway (patch: 2.8R2.3-723); Policy Secure (patch: 22.7R1.6); Connect Secure (patch: 22.8R2); Neurons for Secure Access (patch: 22.8R1.4 (Fix deployed on 02-Aug-2025)); Connect Secure (patch: 22.7R2.9)
- Aliases: GHSA-77hg-rfpf-5ghc
ENISA description: Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.
Affected products (4)
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Ivanti | Connect Secure | 22.7R2.9 (unaffected), 22.8R2 (unaffected) | — |
| Ivanti | Policy Secure | 22.7R1.6 (unaffected) | — |
| Ivanti | ZTA Gateway | 2.8R2.3-723 (unaffected) | — |
| Ivanti | Neurons for Secure Access | 22.8R1.4 (Fix deployed on 02-Aug-2025) (unaffected) | — |
Remediations (10)
Remediations are stored against the linked Threat row; the list below is deduplicated across both pages.
- web:attackerkb.com (2026-05-22 14:35 UTC): Description: Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.
- web:github.com (2026-05-22 14:35 UTC): Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.
- web:learn.microsoft.com (2026-05-22 14:35 UTC): Microsoft December 2025 Security Updates. This release consists of the following 57 Microsoft CVEs: Tag CVE Base Score CVSS Vector Exploitability FAQs? Workarounds? Mitigations? Windows PowerShell CVE-2025-54100 Windows Projected File System…
- web:nvd.nist.gov (2026-05-22 14:35 UTC): Information Technology Laboratory National Vulnerability Database Vulnerabilities
- web:www.bleepingcomputer.com (2026-05-22 14:35 UTC): Microsoft has released out-of-band (OOB) updates to fix issues affecting Windows Server systems after installing the April 2026 security updates.
- web:www.cisa.gov (2026-05-22 14:35 UTC): Updated October 29, 2025: CISA has updated this Alert to include revised information on vulnerable product identification, potential threat activity detections, and additional resources. Microsoft released an update to address a critical remote code execution vulnerability impacting Windows Server Update Service (WSUS) in Windows Server (2012, 2016, 2019, 2022, and 2025), CVE-2025-59287
- web:www.cve.org (2026-05-22 14:35 UTC): At cve.org, we provide the authoritative reference method for publicly known information-security vulnerabilities and exposures
- web:www.oracle.com (2026-05-22 14:35 UTC): Critical Security Patch Updates. Critical Security Patch Updates provide security patches for supported Oracle on-premises products. A Critical Security Patch Update provides targeted, high-priority security fixes in a smaller, more focused format, making them easier to apply with minimal disruption.
- web:www.tenable.com (2026-05-22 14:35 UTC): Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.
- web:zeropath.com (2026-05-22 14:35 UTC): A brief summary of CVE-2025-55142, a high-severity authorization bypass in Ivanti Connect Secure, Policy Secure, ZTA Gateway, and Neurons for Secure Access. This post covers affected versions, technical details, and vendor security history based on available public sources.
Vendor references (1)
References embedded in the original CVE record by the assigning CNA.
Web references (5)
DuckDuckGo results ranked by threat-intel / vendor advisory domains.
- http://cwe.mitre.org/data/definitions/862.html rapid7:cwe.mitre.org
- https://attackerkb.com/topics/CVE-2025-55142 rapid7:attackerkb.com
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-27283 rapid7:euvd.enisa.europa.eu
- https://forums.ivanti.com/s/article/September-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-and-Neurons-for-Secure-Access-Multiple-CVEs?language=en_US rapid7:forums.ivanti.com
- https://www.cve.org/CVERecord?id=CVE-2025-55142 rapid7:www.cve.org
Raw JSON
The full cvelistV5 record. Download as CVE-2025-55142.json.
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-55142",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-10T03:56:13.875022Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T17:49:02.701Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Connect Secure",
          "vendor": "Ivanti",
          "versions": [
            {
              "status": "unaffected",
              "version": "22.7R2.9"
            },
            {
              "status": "unaffected",
              "version": "22.8R2"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Policy Secure",
          "vendor": "Ivanti",
          "versions": [
            {
              "status": "unaffected",
              "version": "22.7R1.6"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "ZTA Gateway",
          "vendor": "Ivanti",
          "versions": [
            {
              "status": "unaffected",
              "version": "2.8R2.3-723"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Neurons for Secure Access",
          "vendor": "Ivanti",
          "versions": [
            {
              "status": "unaffected",
              "version": "22.8R1.4 (Fix deployed on 02-Aug-2025)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "<span style=\"background-color: rgb(242, 242, 242);\">Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.</span><br>"
            }
          ],
          "value": "Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-122",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-122 Privilege Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T15:49:20.192Z",
        "orgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
        "shortName": "ivanti"
      },
      "references": [
        {
          "url": "https://forums.ivanti.com/s/article/September-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-and-Neurons-for-Secure-Access-Multiple-CVEs?language=en_US"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
    "assignerShortName": "ivanti",
    "cveId": "CVE-2025-55142",
    "datePublished": "2025-09-09T15:49:20.192Z",
    "dateReserved": "2025-08-07T16:15:48.896Z",
    "dateUpdated": "2026-02-26T17:49:02.701Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}