CVE-2025-55148
Published: 09 September 2025
Summary
CVE-2025-55148 is a high-severity Missing Authorization (CWE-862) vulnerability in Ivanti Connect Secure. Its CVSS base score is 7.6 (High).
Operationally, it ranks in the top 13.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-55148 is a missing authorization vulnerability (CWE-862) affecting Ivanti Connect Secure before version 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723, and Ivanti Neurons for Secure Access before 22.8R1.4. The flaw permits a remote authenticated attacker holding read-only administrator privileges to modify restricted configuration settings that should be inaccessible at that permission level. It carries a CVSS 3.1 base score of 7.6.
An attacker who already possesses a read-only admin account on an affected appliance can exploit the authorization gap over the network to alter settings normally reserved for higher-privileged roles, resulting in limited confidentiality and integrity impacts together with high availability impact. Because the prerequisite is an authenticated read-only admin session, practical exposure depends on how many such accounts exist, how their credentials are protected, and whether the administrative interface is reachable from untrusted networks.
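To make the weakness class concrete, the following is an added, constructed example and not Ivanti's code: it shows a toy configuration-write handler that only checks that a caller is authenticated (the CWE-862 pattern described above) next to a hardened version that consults an explicit permission table before mutating settings. The roles, permission names and settings keys are assumptions chosen for illustration.

```python
"""Missing authorization (CWE-862) on a toy admin configuration API.

Constructed illustration, not Ivanti's code. Roles, permission names and
settings are assumptions made for the example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    READ_ONLY_ADMIN = "read-only-admin"
    ADMIN = "admin"


@dataclass
class Session:
    user: str
    role: Role


@dataclass
class ApplianceConfig:
    settings: dict = field(
        default_factory=lambda: {"syslog_server": "10.0.0.5", "auth_server": "ldap-1"}
    )


class AuthorizationError(PermissionError):
    pass


# Vulnerable pattern: the handler confirms that a session exists (authentication)
# but never asks whether that session's role is allowed to write configuration.
def set_setting_vulnerable(cfg, session, key, value):
    if session is None:
        raise AuthorizationError("not authenticated")
    cfg.settings[key] = value
    return cfg.settings[key]


# Hardened pattern: an explicit, deny-by-default permission table that every
# state-changing handler consults before touching the configuration.
PERMISSIONS = {
    Role.READ_ONLY_ADMIN: {"config:read"},
    Role.ADMIN: {"config:read", "config:write"},
}


def require(session, permission):
    """Raise unless the session's role grants `permission` (unknown roles get nothing)."""
    if session is None:
        raise AuthorizationError("not authenticated")
    if permission not in PERMISSIONS.get(session.role, set()):
        raise AuthorizationError(
            f"{session.user} ({session.role.value}) lacks {permission}"
        )


def set_setting_hardened(cfg, session, key, value):
    require(session, "config:write")
    cfg.settings[key] = value
    return cfg.settings[key]


def get_setting(cfg, session, key):
    require(session, "config:read")
    return cfg.settings[key]


def demo():
    """Read-only admin against both handlers: (value written by the vulnerable
    handler, whether the hardened handler blocked the write, value it left)."""
    ro = Session("audit", Role.READ_ONLY_ADMIN)
    cfg_vuln = ApplianceConfig()
    set_setting_vulnerable(cfg_vuln, ro, "syslog_server", "198.51.100.9")
    cfg_hard = ApplianceConfig()
    try:
        set_setting_hardened(cfg_hard, ro, "syslog_server", "198.51.100.9")
        blocked = False
    except AuthorizationError:
        blocked = True
    return cfg_vuln.settings["syslog_server"], blocked, cfg_hard.settings["syslog_server"]


if __name__ == "__main__":
    print(demo())
```

The point of the hardened form is that authorization is a separate, explicit check per capability rather than an assumption inherited from authentication, and that a role absent from the table gets an empty permission set rather than falling through.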
The vendor advisory published by Ivanti recommends upgrading to the fixed releases (Connect Secure 22.7R2.9 or 22.8R2, Policy Secure 22.7R1.6, ZTA Gateway 2.8R2.3-723, and Neurons for Secure Access 22.8R1.4), noting that the remediation for Neurons for Secure Access was deployed on 2 August 2025.
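As an added triage aid (constructed here, not an Ivanti tool), the script below compares an inventory of appliance versions against the fixed releases named in the advisory. It assumes version strings follow the <major>.<minor>R<release>[.<patch>][-<build>] shape seen above (for example 22.7R2.9, 22.8R2, 2.8R2.3-723), that a branch older than every fixed branch is vulnerable, and that a branch newer than every fixed branch already contains the fix; the sample inventory is made up.

```python
"""Flag Ivanti appliance versions that predate the fixed releases in the advisory.

Constructed example. Assumptions: version strings look like
<major>.<minor>R<release>[.<patch>][-<build>]; a branch older than any fixed
branch is vulnerable; a branch newer than any fixed branch is treated as fixed.
"""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?(?:-(\d+))?$")


def parse_version(text):
    """Return a comparable tuple (major, minor, release, patch, build)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


# Fixed releases as listed in the advisory text, per product.
FIXED = {
    "Ivanti Connect Secure": ["22.7R2.9", "22.8R2"],
    "Ivanti Policy Secure": ["22.7R1.6"],
    "Ivanti ZTA Gateway": ["2.8R2.3-723"],
    "Ivanti Neurons for Secure Access": ["22.8R1.4"],
}


def is_vulnerable(product, version):
    """True if `version` of `product` is below the fixed release for its branch."""
    installed = parse_version(version)
    fixed = sorted(parse_version(v) for v in FIXED[product])
    same_branch = [f for f in fixed if f[:2] == installed[:2]]
    if same_branch:
        threshold = same_branch[0]
    elif installed[:2] < fixed[0][:2]:
        threshold = fixed[0]  # older branch than any fix: everything below the lowest fix
    else:
        return False  # assumption: a branch newer than every fix already carries it
    return installed < threshold


def triage(inventory):
    """inventory: iterable of (hostname, product, version). Returns hosts needing upgrade."""
    return [host for host, product, version in inventory if is_vulnerable(product, version)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("vpn-1", "Ivanti Connect Secure", "22.7R2.8"),
    ("vpn-2", "Ivanti Connect Secure", "22.7R2.9"),
    ("vpn-3", "Ivanti Connect Secure", "22.8R1.4"),
    ("vpn-4", "Ivanti Connect Secure", "22.8R2"),
    ("nac-1", "Ivanti Policy Secure", "22.7R1.5"),
    ("zta-1", "Ivanti ZTA Gateway", "2.8R2.3-700"),
    ("zta-2", "Ivanti ZTA Gateway", "2.8R2.3-723"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(host, "needs upgrade")
```

The branch-aware comparison matters because "before 22.7R2.9 or 22.8R2" is two thresholds: a 22.8R1.x build is newer than 22.7R2.9 yet still vulnerable until 22.8R2.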
The CVE's EPSS score remains flat at 0.0278 (roughly a 2.8% estimated probability of exploitation activity within 30 days), with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27286
Vulnerability details
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure restricted settings.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Ivanti Connect Secure before 22.7R2.9 (22.7 branch) or 22.8R2 (22.8 branch)
- Ivanti Policy Secure before 22.7R1.6
- Ivanti ZTA Gateway before 2.8R2.3-723
- Ivanti Neurons for Secure Access before 22.8R1.4 (fix deployed 2 August 2025)
Mitigating Controls
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-862) cited in the NVD entry, so it describes generic missing-authorization controls rather than Ivanti-specific guidance. For this CVE the actionable remediation is the vendor upgrade listed above.
- Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
- Reviews of access controls detect missing authorization checks on critical functions or resources.
- Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
- Requiring attribute association with information prevents authorization from being performed without the necessary security or privacy context.
- Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
- Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
- Requiring authorization before allowing mobile device connections mitigates missing authorization for system access.
- Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.