Cyber Resilience

CVE-2025-55148

High

Published: 09 September 2025

Modified: 24 September 2025
KEV Added: not listed
Patch: vendor fix available (see Deeper analysis)
CVSS Score v3.1: 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H)
EPSS Score: 0.0278 (86.4th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-55148 is a high-severity Missing Authorization (CWE-862) vulnerability in Ivanti Connect Secure. Its CVSS base score is 7.6 (High).

Operationally, it ranks in the top 13.6% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-55148 is a missing authorization vulnerability (CWE-862) affecting Ivanti Connect Secure before version 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723, and Ivanti Neurons for Secure Access before 22.8R1.4. The flaw permits a remote authenticated attacker holding read-only administrator privileges to modify restricted configuration settings that should be inaccessible at that permission level. It carries a CVSS 3.1 base score of 7.6.

An attacker who already holds a read-only admin account on an affected appliance can use the authorization gap over the network to alter settings reserved for higher-privileged roles, resulting in limited confidentiality and integrity impact together with high availability impact.

The vendor advisory published by Ivanti recommends upgrading to the fixed releases (Connect Secure 22.7R2.9 or 22.8R2, Policy Secure 22.7R1.6, ZTA Gateway 2.8R2.3-723, and Neurons for Secure Access 22.8R1.4), noting that the remediation for Neurons for Secure Access was deployed on 2 August 2025.
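Added example (not from the page, from Ivanti or from the tracker): a small Python check that parses the release strings named above and flags inventory entries still below the fixed release for their branch. The version layout <major>.<minor>R<release>[.<patch>][-<build>], the "newer branch than every fix is fixed" rule, and the hostnames are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases named in the advisory text, keyed by product.
FIXED_RELEASES: Dict[str, List[str]] = {
    "Ivanti Connect Secure": ["22.7R2.9", "22.8R2"],
    "Ivanti Policy Secure": ["22.7R1.6"],
    "Ivanti ZTA Gateway": ["2.8R2.3-723"],
    "Ivanti Neurons for Secure Access": ["22.8R1.4"],
}

# Assumed layout (not documented on the page): <major>.<minor>R<release>[.<patch>][-<build>]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+)(?:\.(\d+))?)?(?:-(\d+))?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn e.g. '2.8R2.3-723' into (2, 8, 2, 3, 723); absent parts become 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_vulnerable(product: str, version: str) -> bool:
    """True when `version` is below the fix for its <major>.<minor> branch.

    Connect Secure has one fix per branch (22.7R2.9 and 22.8R2), so 22.8R1 is
    compared against 22.8R2, not 22.7R2.9. Branches older than every fix are
    vulnerable; branches newer than every fix are assumed fixed."""
    fixes = sorted(parse_version(v) for v in FIXED_RELEASES[product])
    installed = parse_version(version)
    same_branch = [f for f in fixes if f[:2] == installed[:2]]
    threshold = same_branch[0] if same_branch else fixes[0]
    return installed < threshold


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("vpn-01.example.internal", "Ivanti Connect Secure", "22.7R2.8"),
    ("vpn-02.example.internal", "Ivanti Connect Secure", "22.7R2.9"),
    ("vpn-03.example.internal", "Ivanti Connect Secure", "22.8R1"),
    ("nac-01.example.internal", "Ivanti Policy Secure", "22.7R1.6"),
    ("zta-01.example.internal", "Ivanti ZTA Gateway", "2.8R2.3-700"),
]


def unpatched_hosts(inventory) -> List[str]:
    """Hostnames whose installed release is still below the fix for CVE-2025-55148."""
    return [host for host, product, ver in inventory if is_vulnerable(product, ver)]


if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print("needs upgrade:", host)
```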

EPSS for the CVE remains flat at 0.0278 with no material increase after disclosure.

Vulnerability details

Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure restricted settings.

CWE(s): CWE-862 Missing Authorization

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- ivanti connect secure: 22.7 (≤ 22.7)
- ivanti policy secure: 22.7 (≤ 22.7)
- ivanti zero trust access gateway: 22.8
- ivanti neurons for secure access: 22.8 (≤ 22.8)

Mitigating Controls

Likely Mitigating Controls (automatically derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the following controls addresses CWE-862:

- Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
- Reviews of access controls detect missing authorization checks on critical functions or resources.
- Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
- Requiring attribute association with information prevents authorization from being performed without the necessary security or privacy context.
- Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
- Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
- Requiring authorization before allowing mobile device connections directly mitigates missing authorization for system access.
- Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.
