CVE-2025-55142
Published: 09 September 2025
Summary
CVE-2025-55142 is a high-severity Missing Authorization (CWE-862) vulnerability in Ivanti Connect Secure. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 11.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
The vulnerability is a missing authorization flaw, tracked as CWE-862, that affects Ivanti Connect Secure prior to versions 22.7R2.9 or 22.8R2, Ivanti Policy Secure prior to 22.7R1.6, Ivanti ZTA Gateway prior to 2.8R2.3-723, and Ivanti Neurons for Secure Access prior to 22.8R1.4. It carries a CVSS 3.1 score of 8.8 and permits unauthorized changes to authentication settings.
A remote authenticated attacker holding only read-only administrator privileges can exploit the issue over the network to modify authentication-related configuration, resulting in high impact to confidentiality, integrity, and availability.
The September Security Advisory published by Ivanti details the affected products and confirms that fixes have been deployed, including on 02-Aug-2025 for Ivanti Neurons for Secure Access. The associated EPSS score remains low, with a current value of 0.0384 and a peak of 0.0398.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27283
Vulnerability details
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization (CWE-862) allows a low-privileged authenticated administrator to modify authentication settings, directly enabling privilege escalation (T1068) and modification of authentication mechanisms (T1556).
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement): enforces approved authorizations, directly preventing read-only admins from configuring authentication settings.
AC-6 (Least Privilege): applies least privilege to ensure read-only admin accounts cannot modify sensitive authentication configurations.
Restricts access to the mechanisms for changing system configuration, such as authentication settings, to accounts holding more than read-only privileges.
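The following is an added illustration of the CWE-862 pattern this record describes and of the AC-3/AC-6 controls it recommends; it is not Ivanti code, and the role names, permission strings and settings store are hypothetical. The vulnerable handler checks only that the caller is authenticated, so a read-only administrator can change the authentication policy; the hardened handler grants the write only when the role is explicitly assigned that permission, denies by default, and writes an audit line for both outcomes so that denied attempts are visible to monitoring.

```python
"""Deny-by-default authorization for an admin configuration API.

Added example (not Ivanti's code). Roles, permission names and the settings
store below are hypothetical and constructed for illustration only.
"""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    READ_ONLY_ADMIN = "read-only-admin"
    ADMIN = "admin"


# Least privilege (AC-6): each role gets an explicit, minimal permission set.
# Anything not listed here is denied.
PERMISSIONS = {
    Role.READ_ONLY_ADMIN: frozenset({"auth-settings:read"}),
    Role.ADMIN: frozenset({"auth-settings:read", "auth-settings:write"}),
}


@dataclass
class Session:
    user: str
    role: Role
    authenticated: bool = True


@dataclass
class AuthSettingsStore:
    # Constructed sample configuration; not real product settings.
    settings: dict = field(
        default_factory=lambda: {"auth_server": "ldap-primary", "mfa_required": True}
    )
    audit_log: list = field(default_factory=list)


class AuthorizationError(PermissionError):
    pass


def is_permitted(session: Session, permission: str) -> bool:
    """Access enforcement (AC-3): allow only an explicitly assigned permission."""
    return session.authenticated and permission in PERMISSIONS.get(session.role, frozenset())


def update_auth_settings_vulnerable(store: AuthSettingsStore, session: Session, changes: dict) -> dict:
    """Missing-authorization pattern (CWE-862): authentication is checked, authorization is not."""
    if not session.authenticated:
        raise AuthorizationError("login required")
    store.settings.update(changes)  # any authenticated admin, read-only included, gets through
    return dict(store.settings)


def update_auth_settings(store: AuthSettingsStore, session: Session, changes: dict) -> dict:
    """Hardened handler: caller must be authenticated AND hold auth-settings:write."""
    action = "auth-settings:write"
    if not is_permitted(session, action):
        store.audit_log.append(f"DENY user={session.user} role={session.role.value} action={action}")
        raise AuthorizationError(f"{session.user} lacks {action}")
    store.audit_log.append(
        f"ALLOW user={session.user} role={session.role.value} action={action} keys={sorted(changes)}"
    )
    store.settings.update(changes)
    return dict(store.settings)


def demo() -> dict:
    """Run both handlers with a read-only admin and a full admin; return what happened."""
    read_only = Session("auditor", Role.READ_ONLY_ADMIN)
    full_admin = Session("ops-admin", Role.ADMIN)
    change = {"mfa_required": False}

    # Vulnerable path: the read-only admin silently disables MFA.
    vuln_store = AuthSettingsStore()
    vuln_result = update_auth_settings_vulnerable(vuln_store, read_only, change)

    # Hardened path: read-only admin is refused and logged; full admin succeeds and is logged.
    hard_store = AuthSettingsStore()
    try:
        update_auth_settings(hard_store, read_only, change)
        read_only_denied = False
    except AuthorizationError:
        read_only_denied = True
    hard_result = update_auth_settings(hard_store, full_admin, change)

    return {
        "vuln_mfa": vuln_result["mfa_required"],
        "read_only_denied": read_only_denied,
        "hard_mfa": hard_result["mfa_required"],
        "log": list(hard_store.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The permission map is the single place where privilege is granted, so a review of what a read-only role may do is a review of one table rather than of every handler; the DENY audit line is the signal a detection rule would key on when a low-privileged account repeatedly attempts configuration writes.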