CVE-2025-55145
Published: 09 September 2025
Summary
CVE-2025-55145 is a high-severity Missing Authorization (CWE-862) vulnerability in Ivanti Connect Secure. Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked in the top 35.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly enforces approved authorizations for access to system resources, addressing the core missing authorization flaw that allows hijacking of HTML5 connections.
Protects the authenticity of communications sessions, preventing remote authenticated attackers from hijacking existing HTML5 connections.
Implements least privilege to restrict low-privileged authenticated users from performing unauthorized high-impact actions like HTML5 connection hijacking.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization directly enables hijacking of active HTML5-based remote access connections, facilitating browser session hijacking (T1185) and remote service session hijacking (T1563).
NVD Description
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker to hijack existing…
more
HTML5 connections.
Deeper analysisAI
CVE-2025-55145 is a missing authorization vulnerability (CWE-862) present in Ivanti Connect Secure prior to versions 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723, and Ivanti Neurons for Secure Access before 22.8R1.4. This flaw enables a remote authenticated attacker to hijack existing HTML5 connections. The vulnerability carries a CVSS v3.1 base score of 8.9 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L) and was published on September 9, 2025.
A low-privileged authenticated attacker with network access can exploit this issue through a low-complexity attack that requires user interaction. Upon successful exploitation, the attacker can hijack active HTML5 connections, achieving high confidentiality and integrity impacts alongside low availability impact, exacerbated by the changed scope.
Ivanti's September security advisory details patches for this and related CVEs, recommending upgrades to Ivanti Connect Secure 22.7R2.9 or 22.8R2, Policy Secure 22.7R1.6, ZTA Gateway 2.8R2.3-723, and Neurons for Secure Access 22.8R1.4. A fix for Neurons for Secure Access was deployed on August 2, 2025. Full mitigation guidance is available at https://forums.ivanti.com/s/article/September-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-and-Neurons-for-Secure-Access-Multiple-CVEs?language=en_US.
Details
- CWE(s)