Cyber Resilience

CVE-2025-55145

High

Published: 09 September 2025

Published
09 September 2025
Modified
24 September 2025
KEV Added
Patch
CVSS Score v3.1 8.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
EPSS Score 0.0057 69.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-55145 is a high-severity Missing Authorization (CWE-862) vulnerability in Ivanti Connect Secure. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked in the top 31.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2025-55145 is a missing authorization vulnerability (CWE-862) present in Ivanti Connect Secure prior to versions 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723, and Ivanti Neurons for Secure Access before 22.8R1.4. This flaw enables a remote authenticated attacker to hijack existing HTML5 connections. The vulnerability carries a CVSS v3.1 base score of 8.9 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L) and was published on September 9, 2025.

A low-privileged authenticated attacker with network access can exploit this issue through a low-complexity attack that requires user interaction. Upon successful exploitation, the attacker can hijack active HTML5 connections, achieving high confidentiality and integrity impacts alongside low availability impact, exacerbated by the changed scope.

Ivanti's September security advisory details patches for this and related CVEs, recommending upgrades to Ivanti Connect Secure 22.7R2.9 or 22.8R2, Policy Secure 22.7R1.6, ZTA Gateway 2.8R2.3-723, and Neurons for Secure Access 22.8R1.4. A fix for Neurons for Secure Access was deployed on August 2, 2025. Full mitigation guidance is available at https://forums.ivanti.com/s/article/September-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-and-Neurons-for-Secure-Access-Multiple-CVEs?language=en_US.

EU & UK References

Vulnerability details

Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker to hijack existing…

more

HTML5 connections.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1563 Remote Service Session Hijacking Lateral Movement
Adversaries may take control of preexisting sessions with remote services to move laterally in an environment.
Why these techniques?

Missing authorization directly enables hijacking of active HTML5-based remote access connections, facilitating browser session hijacking (T1185) and remote service session hijacking (T1563).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-55141Same product: Ivanti Connect Secure
CVE-2025-55142Same product: Ivanti Connect Secure
CVE-2025-55147Same product: Ivanti Connect Secure
CVE-2024-10644Same product: Ivanti Connect Secure
CVE-2025-0283Same product: Ivanti Connect Secure
CVE-2025-0282Same product: Ivanti Connect Secure
CVE-2025-22467Same product: Ivanti Connect Secure
CVE-2025-8310Same vendor: Ivanti
CVE-2024-13172Same vendor: Ivanti
CVE-2024-13167Same vendor: Ivanti

Affected Assets

ivanti
neurons for secure access
22.8 · ≤ 22.8
ivanti
connect secure
22.7 · ≤ 22.7
ivanti
policy secure
22.7 · ≤ 22.7
ivanti
zero trust access gateway
22.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations for access to system resources, addressing the core missing authorization flaw that allows hijacking of HTML5 connections.

prevent

Protects the authenticity of communications sessions, preventing remote authenticated attackers from hijacking existing HTML5 connections.

prevent

Implements least privilege to restrict low-privileged authenticated users from performing unauthorized high-impact actions like HTML5 connection hijacking.

References