Ivanti Connect Secure CVE-2025-55145: Brief Summary of Missing Authorization in HTML5 Session Handling

A brief summary of CVE-2025-55145, a missing authorization vulnerability in Ivanti Connect Secure, Policy Secure, ZTA Gateway, and Neurons for Secure Access. This post covers affected versions, technical mechanism, and vendor security history based on available information.

ZeroPath CVE Analysis

2025-09-09

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

Introduction

Session hijacking in enterprise remote access infrastructure can lead to unauthorized access to sensitive data and lateral movement within corporate networks. CVE-2025-55145 is a high-severity missing authorization vulnerability in Ivanti's Connect Secure, Policy Secure, ZTA Gateway, and Neurons for Secure Access products, enabling remote authenticated attackers to hijack existing HTML5 sessions if left unpatched.

Ivanti is a major enterprise IT and security vendor, best known for its Connect Secure (formerly Pulse Secure) VPN and remote access solutions. The company serves thousands of organizations globally, including critical infrastructure, government, and Fortune 500 enterprises. Its product portfolio is widely deployed for secure remote access and endpoint management, making vulnerabilities in these platforms highly impactful across the industry.

Technical Information

CVE-2025-55145 is classified under CWE-862 (Missing Authorization). The vulnerability exists in the HTML5 connection handling logic of Ivanti's remote access products. After successful authentication, the server fails to enforce proper authorization checks for operations on existing HTML5 sessions. As a result, a remote authenticated attacker can hijack HTML5 connections established by other users. This can allow interception or manipulation of session data, depending on the attacker's privileges and network position.

The flaw is present in shared components across Connect Secure, Policy Secure, ZTA Gateway, and Neurons for Secure Access. It is triggered when an attacker with valid credentials interacts with HTML5 session management endpoints, which do not sufficiently validate whether the user is authorized to access or control the targeted session. No public exploit code or vulnerable code snippets are available. The vulnerability does not affect initial authentication but rather the authorization logic for ongoing session management.

Affected Systems and Versions

  • Ivanti Connect Secure: All versions before 22.7R2.9 or 22.8R2
  • Ivanti Policy Secure: All versions before 22.7R1.6
  • Ivanti ZTA Gateway: All versions before 2.8R2.3-723
  • Ivanti Neurons for Secure Access: All versions before 22.8R1.4

Cloud-based Neurons for Secure Access deployments received fixes automatically on August 2, 2025. On-premises deployments require manual updates to the specified versions or later.
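
To triage an on-premises inventory against the fixed releases listed above, the following added example (not code from Ivanti or from the original post) parses the `<major>.<minor>R<release>[.<patch>][-<build>]` version strings and flags anything below the fix for its branch. It assumes the "or" in the Connect Secure entry names one fixed release per branch (22.7 and 22.8), that a missing patch or build field sorts as 0, and that a branch newer than every listed fix is not affected; the hostnames and sample versions are constructed.

```python
import re

# Fixed releases, copied from the list above.
FIXED = {
    "Connect Secure": ["22.7R2.9", "22.8R2"],
    "Policy Secure": ["22.7R1.6"],
    "ZTA Gateway": ["2.8R2.3-723"],
    "Neurons for Secure Access": ["22.8R1.4"],
}

# <major>.<minor>R<release>[.<patch>][-<build>], e.g. 22.7R2.9 or 2.8R2.3-723
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?(?:-(\d+))?$")


def parse(version):
    """Turn a version string into a comparable 5-tuple of ints."""
    m = _VERSION.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    # Assumption: a missing patch or build field sorts as 0 (flags conservatively).
    return tuple(int(g) if g else 0 for g in m.groups())


def is_affected(product, version):
    """True if `version` predates the fixed release for its branch."""
    v = parse(version)
    fixed = sorted(parse(f) for f in FIXED[product])
    same_branch = [f for f in fixed if f[:2] == v[:2]]
    if same_branch:
        return v < same_branch[0]
    # Assumption: a branch with no listed fix is affected unless it is newer
    # than every fixed branch.
    return v[:2] < fixed[-1][:2]


def needs_update(inventory):
    """Return the (host, product, version) rows that are still affected."""
    return [row for row in inventory if is_affected(row[1], row[2])]


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("vpn-a.example.internal", "Connect Secure", "22.7R2.8"),
    ("vpn-b.example.internal", "Connect Secure", "22.8R2"),
    ("nac-a.example.internal", "Policy Secure", "22.7R1.6"),
    ("zta-a.example.internal", "ZTA Gateway", "2.8R2.3-722"),
]

if __name__ == "__main__":
    for host, product, version in needs_update(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed release")
```

Version strings that do not match the pattern raise `ValueError` rather than being silently treated as patched, so unparsable inventory entries surface for manual review.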

Vendor Security History

Ivanti's remote access products have experienced multiple critical vulnerabilities in 2025. Notably, CVE-2025-22457 (a buffer overflow in Connect Secure) was silently patched before being recognized as a security issue, which led to active exploitation by advanced threat actors. Other vulnerabilities in 2025 include CVE-2025-4427 and CVE-2025-4428 in Endpoint Manager Mobile, which were also exploited in the wild. Ivanti has since improved its security advisory transparency and patch response, but recurring issues in shared components remain a concern.
