CVE-2025-55141
Published: 09 September 2025
Summary
CVE-2025-55141 is a high-severity Missing Authorization (CWE-862) vulnerability in Ivanti Connect Secure. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Modify Authentication Process (T1556); ranked in the top 11.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-55141 is a missing authorization vulnerability (CWE-862) present in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723, and Ivanti Neurons for Secure Access before 22.8R1.4. The flaw permits unauthorized configuration changes to authentication settings despite the presence of access controls.
A remote authenticated attacker holding only read-only administrator privileges can exploit the issue over the network to modify authentication-related settings. Successful exploitation yields high impact to confidentiality, integrity, and availability, reflected in the CVSS 3.1 base score of 8.8.
The vendor advisory recommends applying the fixed releases, with the relevant patches deployed on 02-Aug-2025 for the listed products. The associated EPSS score remains low, with a current value of 0.0384 and a peak of 0.0398.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27284
Vulnerability details
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin…
more
privileges to configure authentication related settings.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization on authentication configuration directly enables adversaries to modify authentication processes (T1556) to weaken mechanisms and facilitate further access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces least privilege by ensuring read-only admin accounts cannot modify authentication settings, directly preventing exploitation of missing authorization.
Restricts access to configuration changes, including authentication settings, to authorized users only, mitigating unauthorized modifications by read-only admins.
Requires enforcement mechanisms for approved authorizations, addressing the lack of checks that allowed read-only admins to configure authentication settings.