
CVE-2025-55141: Ivanti Connect Secure Auth Bypass Flaw

CVE-2025-55141 is an authentication bypass flaw in Ivanti Connect Secure that allows read-only admins to modify authentication settings. This article covers technical details, affected versions, impact, and mitigation.


CVE-2025-55141 Overview

CVE-2025-55141 is a missing authorization vulnerability [CWE-862] affecting Ivanti Connect Secure, Ivanti Policy Secure, Ivanti ZTA Gateway, and Ivanti Neurons for Secure Access. The flaw allows a remote authenticated attacker with read-only administrator privileges to modify authentication-related settings they should not be able to access. Successful exploitation undermines the authentication trust boundary across Ivanti's secure access product line.

Critical Impact

A read-only administrator can escalate their effective privileges by reconfiguring authentication settings, compromising confidentiality, integrity, and availability of the secure access gateway.

Affected Products

  • Ivanti Connect Secure before 22.7R2.9 and 22.8R2
  • Ivanti Policy Secure before 22.7R1.6 and Ivanti ZTA Gateway before 2.8R2.3-723
  • Ivanti Neurons for Secure Access before 22.8R1.4 (fix deployed 02-Aug-2025)

Discovery Timeline

  • 2025-09-09 - CVE-2025-55141 published to the National Vulnerability Database (NVD)
  • 2025-09-24 - Last updated in the NVD database

Technical Details for CVE-2025-55141

Vulnerability Analysis

The vulnerability stems from missing authorization checks on authentication configuration endpoints within Ivanti's secure access products. Read-only administrator accounts, which should be restricted to viewing configuration data, can issue requests that change authentication-related settings. The server-side authorization layer fails to verify that the calling administrator holds the privilege required to mutate these settings.

Because the affected products mediate remote access for users into corporate networks, manipulation of authentication settings can be used to weaken trust controls. An attacker who already holds read-only credentials, such as a help-desk operator or auditor account, can leverage this gap to influence how users and administrators authenticate to the appliance. The attack is performed over the network and requires no user interaction.

Root Cause

The root cause is an authorization control gap in the management interface. The application authenticates the session but does not consistently enforce the role-based access control (RBAC) policy on write operations for authentication-related configuration. This is a classic instance of [CWE-862: Missing Authorization].
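To make the authorization gap concrete, here is an added illustration (generic example code written for this article, not Ivanti's implementation) of the pattern the root cause describes: a management-interface write handler that confirms the session is authenticated but never checks the caller's role, shown beside a hardened version that enforces a role allow-list and a settings allow-list on every mutation. The role names, setting keys, and the `Session`/`AuthConfig` types are constructed for the example.

```python
# Added example of CWE-862 (missing authorization) on a configuration write path.
# Hypothetical, generic code: not Ivanti's implementation.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when an authenticated administrator lacks the privilege for an action."""


@dataclass
class Session:
    user: str
    role: str  # constructed role names: "readonly-admin" or "admin"


@dataclass
class AuthConfig:
    """Minimal stand-in for an appliance's authentication settings (constructed keys)."""
    idp_url: str = "https://idp.example.internal/saml"
    verify_cert: bool = True
    sign_in_policy: str = "default"


# --- Vulnerable pattern: the session is authenticated, but no role check guards the write ---
def update_auth_config_vulnerable(session: Session, cfg: AuthConfig, changes: dict) -> AuthConfig:
    if session is None:
        raise PermissionError("not authenticated")
    # BUG (CWE-862): any authenticated administrator, read-only included, can mutate settings.
    for key, value in changes.items():
        setattr(cfg, key, value)
    return cfg


# --- Hardened pattern: server-side RBAC enforced on every mutating operation ---
WRITE_ROLES = {"admin"}  # roles permitted to change authentication settings
MUTABLE_KEYS = {"idp_url", "verify_cert", "sign_in_policy"}  # explicit allow-list of settings


def update_auth_config(session: Session, cfg: AuthConfig, changes: dict) -> AuthConfig:
    if session is None:
        raise PermissionError("not authenticated")
    # Authorization is decided here, on the server, regardless of what the UI exposes.
    if session.role not in WRITE_ROLES:
        raise Forbidden(f"role {session.role!r} may not modify authentication settings")
    unknown = set(changes) - MUTABLE_KEYS
    if unknown:
        raise ValueError(f"unsupported settings: {sorted(unknown)}")
    for key, value in changes.items():
        setattr(cfg, key, value)
    return cfg


def write_is_denied(session: Session, changes: dict) -> bool:
    """True if the hardened handler refuses the change for this session."""
    try:
        update_auth_config(session, AuthConfig(), changes)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    auditor = Session("auditor", "readonly-admin")
    weak = update_auth_config_vulnerable(auditor, AuthConfig(), {"verify_cert": False})
    print("vulnerable handler accepted read-only write:", weak.verify_cert is False)
    print("hardened handler denied read-only write:", write_is_denied(auditor, {"verify_cert": False}))
```

The point of the comparison is where the decision lives: hiding the write controls from read-only users in the UI is not authorization, and the hardened handler rejects the request even when it arrives directly at the endpoint.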

Attack Vector

Exploitation requires valid read-only administrator credentials and network reachability to the management interface. The attacker sends configuration-change requests that the management interface accepts because RBAC is not enforced on those endpoints, modifying authentication settings such as identity providers, certificate validation, or sign-in policies. No exploit code or proof-of-concept is publicly available, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog.

No verified exploitation code is available. See the Ivanti September Security Advisory for vendor technical details.

Detection Methods for CVE-2025-55141

Indicators of Compromise

  • Authentication configuration changes performed by accounts assigned the read-only administrator role.
  • Unexpected modifications to identity provider, SAML, RADIUS, or certificate authentication settings on the appliance.
  • Administrative API or web UI requests from read-only sessions that return success on configuration mutation endpoints.

Detection Strategies

  • Compare appliance configuration snapshots over time and alert on deltas in authentication-related sections.
  • Correlate management interface audit logs with the role of the acting administrator to surface privilege-role mismatches.
  • Hunt for read-only administrator sessions issuing HTTP POST, PUT, or PATCH requests against configuration endpoints.
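The following added example (written for this article, not vendor tooling) implements two of the strategies above over constructed data: it correlates audit-log events with the acting administrator's role to flag read-only sessions that successfully issued write requests against authentication configuration endpoints, and it diffs two configuration snapshots restricted to authentication-related keys. The `key=value` log format, the `/api/v1/auth/` path prefix, the role names, and the snapshot keys are all assumptions; real appliance logs and exports use their own formats and the parser must be adapted to them.

```python
# Added detection example over constructed audit log lines and config snapshots.
# Log format, paths, role names and keys are assumptions, not Ivanti's real formats.
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample audit log (not real appliance output).
SAMPLE_LOG = """\
2025-09-10T08:14:55Z user=helpdesk role=readonly-admin method=GET path=/api/v1/auth/saml status=200
2025-09-10T08:15:02Z user=helpdesk role=readonly-admin method=PUT path=/api/v1/auth/saml status=200
2025-09-10T08:16:10Z user=netadmin role=admin method=POST path=/api/v1/auth/signin-policy status=200
2025-09-10T08:17:41Z user=auditor role=readonly-admin method=PATCH path=/api/v1/auth/cert status=403
2025-09-10T08:18:03Z user=auditor role=readonly-admin method=POST path=/api/v1/system/reboot status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
READ_ONLY_ROLES = {"readonly-admin"}          # assumed role name
AUTH_CONFIG_PREFIXES = ("/api/v1/auth/",)     # assumed endpoint prefix


def parse_audit_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed key=value format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_role_mismatches(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Events where a read-only role issued a write to an auth config endpoint that succeeded (2xx)."""
    return [
        e for e in events
        if e["role"] in READ_ONLY_ROLES
        and e["method"] in WRITE_METHODS
        and e["path"].startswith(AUTH_CONFIG_PREFIXES)
        and e["status"].startswith("2")
    ]


def find_denied_attempts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Read-only writes to auth endpoints that were rejected: still worth reviewing as probing."""
    return [
        e for e in events
        if e["role"] in READ_ONLY_ROLES
        and e["method"] in WRITE_METHODS
        and e["path"].startswith(AUTH_CONFIG_PREFIXES)
        and not e["status"].startswith("2")
    ]


# Constructed configuration snapshots as flat dotted keys (assumed layout).
SNAPSHOT_T0 = {
    "auth.saml.idp_url": "https://idp.example.internal/saml",
    "auth.cert.verify": True,
    "auth.signin.policy": "default",
    "system.hostname": "vpn01",
}
SNAPSHOT_T1 = {
    "auth.saml.idp_url": "https://idp.example.internal/saml",
    "auth.cert.verify": False,
    "auth.signin.policy": "default",
    "system.hostname": "vpn02",
}


def diff_auth_config(before: Dict[str, object], after: Dict[str, object],
                     sections: Tuple[str, ...] = ("auth",)) -> Dict[str, Tuple[object, object]]:
    """Return {key: (old, new)} for changed keys whose top-level section is authentication-related."""
    changed = {}
    for key in sorted(set(before) | set(after)):
        if key.split(".", 1)[0] not in sections:
            continue  # hostname and other non-auth drift is out of scope for this alert
        if before.get(key) != after.get(key):
            changed[key] = (before.get(key), after.get(key))
    return changed


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_LOG)
    for e in find_role_mismatches(events):
        print("ALERT read-only write succeeded:", e["ts"], e["user"], e["method"], e["path"])
    for e in find_denied_attempts(events):
        print("INFO  read-only write denied:", e["ts"], e["user"], e["method"], e["path"])
    print("auth config delta:", diff_auth_config(SNAPSHOT_T0, SNAPSHOT_T1))
```

Two design choices matter in practice: the successful-write rule keys on the role recorded in the log rather than on the account name, so an account whose role was changed later is still judged by what it was at the time; and the snapshot diff deliberately ignores non-authentication sections, which keeps routine drift from drowning the alert that matters on this CVE.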

Monitoring Recommendations

  • Forward Ivanti Connect Secure, Policy Secure, ZTA Gateway, and Neurons audit logs to a central SIEM for retention and analysis.
  • Enable alerting on changes to authentication policies, sign-in URLs, and trusted certificates.
  • Review administrator account inventories and remove unused read-only accounts to reduce the credential attack surface.

How to Mitigate CVE-2025-55141

Immediate Actions Required

  • Upgrade Ivanti Connect Secure to 22.7R2.9 or 22.8R2, and Ivanti Policy Secure to 22.7R1.6 or later.
  • Upgrade Ivanti ZTA Gateway to 2.8R2.3-723 or later; Ivanti Neurons for Secure Access customers received the fix on 02-Aug-2025.
  • Rotate credentials for all administrator accounts, including read-only roles, after patching.
  • Audit recent authentication configuration changes and revert any unauthorized modifications.

Patch Information

Ivanti has released fixed versions for all affected products. Refer to the Ivanti September Security Advisory for download links and version-specific upgrade guidance. The Neurons for Secure Access cloud service was patched on 02-Aug-2025 and requires no customer action.

Workarounds

  • Restrict network access to the management interface to a small set of trusted administrative hosts.
  • Remove or disable read-only administrator accounts that are not strictly required.
  • Enforce multi-factor authentication (MFA) on all administrator logins to raise the barrier to credential abuse.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
