CVE-2025-55141
📛 CVE Title
CVE-2025-55141
Description
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.
Overview
- State
- PUBLISHED
- Assigner (CNA)
- ivanti
- CVSS severity
- HIGH
- CVSS score
- 8.8 / 10
- CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H- Effective score
- 8.8 / 10 HIGH source: CNA overview
- CWE(s)
-
CWE-862 - Reserved
- 2025-08-07
- Published
- 2025-09-09 17:45 UTC
- Last updated
- 2026-02-26 18:49 UTC
- Source
- https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2025/55xxx/CVE-2025-55141.json
- Linked Threat
- CVE-2025-55141 — CVE-2025-55141
European Union Vulnerability Database ENISA EUVD
ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.
- EUVD ID
-
EUVD-2025-27284 - Assigner
- ivanti
- Published
- Sep 9, 2025, 3:45:52 PM
- Updated
- Feb 26, 2026, 5:49:02 PM
- EUVD base score (CVSS 3.1)
-
8.8 / 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - EUVD-reported EPSS
- 3.8400
- Vendors
- Ivanti
- Products
-
Neurons for Secure Access (patch: 22.8R1.4 (Fix deployed on 02-Aug-2025))ZTA Gateway (patch: 2.8R2.3-723)Connect Secure (patch: 22.8R2)Connect Secure (patch: 22.7R2.9)Policy Secure (patch: 22.7R1.6)
- Aliases
-
GHSA-xjmr-hvq4-xrmr
ENISA description: Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.
Affected products (4)
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Ivanti | Connect Secure |
22.7R2.9 (unaffected),
22.8R2 (unaffected)
|
— |
| Ivanti | Policy Secure |
22.7R1.6 (unaffected)
|
— |
| Ivanti | ZTA Gateway |
2.8R2.3-723 (unaffected)
|
— |
| Ivanti | Neurons for Secure Access |
22.8R1.4 (Fix deployed on 02-Aug-2025) (unaffected)
|
— |
Remediations (10)
Remediations are stored against the linked Threat row; the list below is deduplicated across both pages.
-
web:attack.mitre.org
This mitigation can be implemented through the following measures: Regular Operating System Updates Implementation: Apply the latest Windows security updates monthly using WSUS (Windows Server Update Services) or a similar patch management solution. Configure systems to check for updates automatically and schedule reboots during maintenance ...
2026-05-22 14:35 UTC -
web:blog.qualys.com
EVALUATE Vendor-Suggested Mitigation with Policy Audit With Qualys Policy Audit's Out-of-the-Box Mitigation or Compensatory Controls, reduce the risk of a vulnerability being exploited because the remediation ( fix / patch ) cannot be done now; these security controls are not recommended by any industry standards, such as CIS, DISA-STIG.
2026-05-22 14:35 UTC -
web:krebsonsecurity.com
Microsoft Corp. today issued security updates to fix more than 80 vulnerabilities in its Windows operating systems and software. There are no known "zero-day" or actively exploited ...
2026-05-22 14:35 UTC -
web:portal.msrc.microsoft.com
The Security Update Guide provides information on the latest Microsoft security updates, helping users understand and address potential vulnerabilities effectively.
2026-05-22 14:35 UTC -
web:www.cisa.gov
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.
2026-05-22 14:35 UTC -
web:www.computerworld.com
Each month, the team at Readiness analyzes the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. The company's Patch Tuesday release for February ...
2026-05-22 14:35 UTC -
web:www.ninjaone.com
Catalog of Microsoft KB updates with insights on performance & user sentiment. Find out what's working, what's not, & make informed decisions.
2026-05-22 14:35 UTC -
web:www.oracle.com
This Critical Patch Update contains 374 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2025 Critical Patch Update: Executive Summary and Analysis.
2026-05-22 14:35 UTC -
web:www.rapid7.com
Microsoft is addressing 176 vulnerabilities this September 2025 Patch Tuesday, which is a lot. This includes a zero-day denial of service vulnerability in SQL Server.
2026-05-22 14:35 UTC -
web:www.tomshardware.com
Microsoft released security update KB5034441 on Patch Tuesday to fix a BitLocker encryption bypass vulnerability affecting Windows 10 users. However, some users are experiencing an update failure ...
2026-05-22 14:35 UTC
Vendor references (1)
References embedded in the original CVE record by the assigning CNA.
Web references (5)
DuckDuckGo results ranked by threat-intel / vendor advisory domains. Generated by the 🔎 Find references (web) button above — same flow as the Remediations search.
- http://cwe.mitre.org/data/definitions/862.html rapid7:cwe.mitre.org
- https://attackerkb.com/topics/CVE-2025-55141 rapid7:attackerkb.com
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-27284 rapid7:euvd.enisa.europa.eu
- https://forums.ivanti.com/s/article/September-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-and-Neurons-for-Secure-Access-Multiple-CVEs?language=en_US rapid7:forums.ivanti.com
- https://www.cve.org/CVERecord?id=CVE-2025-55141 rapid7:www.cve.org
AI Forensic Analysis
Only Available for Registered Users. Sign in to view.
Raw JSON
The full cvelistV5 record. Download as CVE-2025-55141.json.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T03:56:13.077101Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:49:02.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Connect Secure",
"vendor": "Ivanti",
"versions": [
{
"status": "unaffected",
"version": "22.7R2.9"
},
{
"status": "unaffected",
"version": "22.8R2"
}
]
},
{
"defaultStatus": "affected",
"product": "Policy Secure",
"vendor": "Ivanti",
"versions": [
{
"status": "unaffected",
"version": "22.7R1.6"
}
]
},
{
"defaultStatus": "affected",
"product": "ZTA Gateway",
"vendor": "Ivanti",
"versions": [
{
"status": "unaffected",
"version": "2.8R2.3-723"
}
]
},
{
"defaultStatus": "affected",
"product": "Neurons for Secure Access",
"vendor": "Ivanti",
"versions": [
{
"status": "unaffected",
"version": "22.8R1.4 (Fix deployed on 02-Aug-2025)"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "<span style=\"background-color: rgb(255, 255, 255);\">Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.</span><br>"
}
],
"value": "Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T15:45:52.822Z",
"orgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
"shortName": "ivanti"
},
"references": [
{
"url": "https://forums.ivanti.com/s/article/September-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-and-Neurons-for-Secure-Access-Multiple-CVEs?language=en_US"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
"assignerShortName": "ivanti",
"cveId": "CVE-2025-55141",
"datePublished": "2025-09-09T15:45:52.822Z",
"dateReserved": "2025-08-07T16:15:48.896Z",
"dateUpdated": "2026-02-26T17:49:02.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}