Ivanti Connect Secure CSRF Vulnerability (CVE-2025-55147): Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-55147, a high-severity CSRF vulnerability affecting Ivanti Connect Secure, Policy Secure, ZTA Gateway, and Neurons for Secure Access prior to specific versions. It includes affected version details and the vendor's security history.
CVE Analysis

8 min read

ZeroPath CVE Analysis

2025-09-09

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers can exploit a single click by an authenticated administrator to silently reconfigure VPN gateways or alter network access policies. In 2025, Ivanti's edge security appliances have become a high-value target for advanced threat actors, and CVE-2025-55147 adds another high-severity entry to the list of vulnerabilities affecting these products.

Ivanti is a global leader in enterprise remote access, VPN, and zero trust solutions, with a customer base spanning critical infrastructure, finance, healthcare, and government. Their Connect Secure, Policy Secure, ZTA Gateway, and Neurons for Secure Access products are widely deployed as core components of organizational network security. The impact of vulnerabilities in these systems can be far-reaching, affecting thousands of organizations worldwide.

Technical Information

CVE-2025-55147 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352. The flaw affects the web-based administrative interfaces of Ivanti Connect Secure (prior to 22.7R2.9 or 22.8R2), Policy Secure (prior to 22.7R1.6), ZTA Gateway (prior to 2.8R2.3-723), and Neurons for Secure Access (prior to 22.8R1.4).

The vulnerability arises from insufficient CSRF protections. Specifically, the affected Ivanti products do not properly validate the origin of requests or require anti-CSRF tokens for sensitive actions. As a result, if an authenticated user (such as an administrator) is tricked into visiting a malicious website or clicking a crafted link, the attacker can cause the user's browser to submit forged requests to the Ivanti management interface. These requests are executed with the user's privileges, allowing attackers to perform sensitive operations such as changing configurations, modifying access policies, or potentially disabling security controls.

Exploitation requires user interaction, typically via social engineering. The attacker must convince a logged-in user to interact with malicious content (for example, via a phishing email or a malicious web page). The attack leverages the browser's automatic inclusion of authentication cookies or session tokens in cross-origin requests: the forged request arrives already authenticated, so the server accepts it unless CSRF protections (request origin validation or anti-CSRF tokens) are present and enforced.

No public code snippets, exploit scripts, or detailed PoC are available for this vulnerability. The root cause is the absence or improper implementation of anti-CSRF mechanisms in the affected Ivanti product versions.
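To make the root cause concrete, the following added example (not Ivanti code, and not derived from the advisory) contrasts a handler that trusts the session cookie alone with one that applies the two controls named above: an Origin/Referer check against the management interface's own origin and a session-bound synchronizer token. The origin `https://vpn-admin.example.internal`, the secret, and the function names are assumptions for illustration.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Assumed origin of the management interface; a real deployment takes this from config.
TRUSTED_ORIGIN = "https://vpn-admin.example.internal"


def cookie_only_authorize(headers: dict, cookies: dict) -> bool:
    """Vulnerable pattern: any request carrying a session cookie is accepted.
    A browser attaches the cookie to cross-site form posts too, so a forged
    request from another site passes this check with the admin's privileges."""
    return cookies.get("session") is not None


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Synchronizer token bound to the session: HMAC-SHA256(secret, session_id).
    The server embeds it in its own forms; a foreign site cannot read it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def is_same_origin(headers: dict) -> bool:
    """Accept only requests whose Origin (preferred) or Referer (fallback)
    matches the trusted origin. Missing both headers fails closed, since
    state-changing admin requests should always carry one."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == TRUSTED_ORIGIN
    referer = headers.get("Referer")
    if referer is None:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def authorize_state_change(headers: dict, form: dict,
                           session_id: str, secret: bytes) -> bool:
    """Hardened pattern: both the origin check and the token must pass.
    compare_digest avoids leaking the token through timing differences."""
    expected = issue_csrf_token(session_id, secret)
    supplied = form.get("csrf_token", "")
    return is_same_origin(headers) and hmac.compare_digest(expected, supplied)
```

Either control alone closes the cross-site case described here; requiring both gives defence in depth when one is misconfigured (for example, a proxy stripping Origin).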

Affected Systems and Versions

  • Ivanti Connect Secure: versions before 22.7R2.9 or 22.8R2
  • Ivanti Policy Secure: versions before 22.7R1.6
  • Ivanti ZTA Gateway: versions before 2.8R2.3-723
  • Ivanti Neurons for Secure Access: versions before 22.8R1.4

All configurations exposing the web-based management interface are potentially vulnerable if running the affected versions.

Vendor Security History

Ivanti has experienced a series of high-severity vulnerabilities in 2025, including CVE-2025-22457 (stack-based buffer overflow in Connect Secure, Policy Secure, and ZTA Gateway) and multiple issues in their Endpoint Manager Mobile products. These vulnerabilities have been actively exploited by advanced threat actors, including China-nexus espionage groups. Ivanti has generally issued patches and advisories promptly, but the recurrence of critical flaws in edge and access products highlights challenges in secure development and testing practices.
