CVE-2025-55142 Overview
CVE-2025-55142 is a missing authorization vulnerability affecting Ivanti Connect Secure, Policy Secure, ZTA Gateway, and Neurons for Secure Access. A remote authenticated attacker holding read-only administrator privileges can configure authentication-related settings on the appliance. The flaw maps to CWE-862 (Missing Authorization) and bypasses the role-based access boundary that separates read-only operators from administrators with write privileges. Ivanti addressed the issue across its secure access portfolio in the fixed releases published in the September 2025 Security Advisory.
Critical Impact
An authenticated read-only admin can alter authentication settings on Ivanti secure access gateways, enabling tampering with login flows, identity providers, and access policies that protect VPN and ZTNA traffic.
Affected Products
- Ivanti Connect Secure before 22.7R2.9 and before 22.8R2
- Ivanti Policy Secure before 22.7R1.6
- Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4
Discovery Timeline
- 2025-08-02 - Fix deployed for Ivanti Neurons for Secure Access (per vendor advisory)
- 2025-09-09 - CVE-2025-55142 published to NVD
- 2025-09-24 - Last updated in NVD database
Technical Details for CVE-2025-55142
Vulnerability Analysis
The vulnerability is a missing authorization defect in the administrative interfaces of Ivanti's secure access products. The affected endpoints expose configuration controls for authentication-related settings but fail to verify whether the calling administrator holds write privileges. As a result, accounts provisioned with the read-only admin role can submit configuration changes that should be restricted to full administrators.
Authentication settings on these appliances govern how external users prove identity before accessing internal networks. Modifying them can alter SAML or LDAP integrations, change session policies, or weaken multi-factor enforcement. The CWE-862 classification indicates that the authorization check is absent at the action handler, rather than being incorrectly evaluated.
The vulnerability requires valid administrator credentials at the read-only tier. Network exposure of the management plane therefore increases the practical attack surface. EPSS data places this CVE in the upper percentile band for exploitation likelihood among published CVEs.
Root Cause
The root cause is the absence of a role check on configuration endpoints that handle authentication settings. The application trusts that authenticated administrators can invoke these handlers without re-validating that the principal holds a write-capable role. This breaks the privilege separation enforced elsewhere in the admin console.
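The defect pattern above, modelled as an added example (constructed code, not Ivanti's implementation): a handler that only checks "is an authenticated administrator" beside one that gates the write on a deny-by-default role permission map. Role names, the settings dictionary and the class names are assumptions for illustration.

```python
# Constructed model of CWE-862 on an authentication-settings endpoint.
# Not Ivanti's code; role names and settings are illustrative.
from dataclasses import dataclass, field

READ_ONLY_ADMIN = "read-only-admin"
FULL_ADMIN = "admin"

# Deny by default: a role missing from this map has no permissions at all.
ROLE_PERMISSIONS = {
    FULL_ADMIN: {"read", "write"},
    READ_ONLY_ADMIN: {"read"},
}

class AuthorizationError(Exception):
    pass

@dataclass
class Principal:
    name: str
    role: str
    authenticated: bool = True

@dataclass
class Appliance:
    # Authentication-related settings an admin console would expose.
    auth_settings: dict = field(default_factory=lambda: {
        "mfa_required": True,
        "saml_idp_url": "https://idp.example/sso",
    })

def has_permission(principal, needed):
    return needed in ROLE_PERMISSIONS.get(principal.role, set())

def update_auth_settings_vulnerable(appliance, principal, changes):
    # Only verifies that the session belongs to an authenticated admin of any
    # tier; the role is never consulted, so read-only admins can write.
    if not principal.authenticated:
        raise AuthorizationError("login required")
    appliance.auth_settings.update(changes)
    return dict(appliance.auth_settings)

def update_auth_settings_fixed(appliance, principal, changes):
    # Role gate placed at the action handler itself, not only in the UI.
    if not principal.authenticated:
        raise AuthorizationError("login required")
    if not has_permission(principal, "write"):
        raise AuthorizationError(f"role {principal.role!r} lacks write privilege")
    appliance.auth_settings.update(changes)
    return dict(appliance.auth_settings)
```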
Attack Vector
Exploitation requires network access to the appliance management interface and valid read-only admin credentials. The attacker authenticates normally, then issues administrative requests against the authentication configuration endpoints. Because the server omits the role gate, the changes are applied. No user interaction is required beyond the authenticated session held by the attacker.
No public proof-of-concept exploit, exploit database entry, or CISA KEV listing is currently associated with this CVE. Refer to the Ivanti Security Advisory for technical details.
Detection Methods for CVE-2025-55142
Indicators of Compromise
- Unexpected modifications to authentication realm, SAML, or LDAP configuration on Ivanti Connect Secure, Policy Secure, ZTA Gateway, or Neurons for Secure Access appliances.
- Audit log entries showing configuration writes performed by accounts assigned the read-only administrator role.
- New or altered identity provider trust relationships, sign-in URLs, or MFA bypass settings not tied to an approved change ticket.
Detection Strategies
- Forward Ivanti admin audit logs to a central SIEM and alert on any write or update events originating from read-only admin accounts.
- Baseline the normal configuration of authentication settings and trigger alerts on diffs between baseline and current state.
- Correlate read-only admin session activity with HTTP POST or PUT requests to authentication configuration endpoints on the management interface.
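The first two strategies above as an added detection example (constructed code and a constructed key=value audit line layout, not Ivanti's real log schema): it flags any write by a read-only admin account, marks those touching authentication objects, and reports drift between an approved baseline and the live authentication configuration.

```python
# Added example: detection logic for read-only-admin writes and auth config drift.
# The audit line format and field names below are constructed, not Ivanti's.
import re

WRITE_ACTIONS = {"create", "update", "delete"}
AUTH_PREFIXES = ("auth.", "saml.", "ldap.", "mfa.", "realm.")
KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample audit lines (timestamp followed by key=value pairs).
SAMPLE_LOG = """\
2025-09-10T08:12:05Z user=ro_ops role=read-only-admin action=read object=auth.realm.corp result=success
2025-09-10T08:13:41Z user=ro_ops role=read-only-admin action=update object=auth.saml.idp_url result=success
2025-09-10T08:15:02Z user=secadmin role=admin action=update object=auth.mfa.required result=success
2025-09-10T08:16:30Z user=ro_ops role=read-only-admin action=update object=system.banner result=success
"""

def parse_line(line):
    """Split one audit line into a dict of fields plus its timestamp."""
    ts, rest = line.split(" ", 1)
    event = dict(KV.findall(rest))
    event["ts"] = ts
    return event

def find_readonly_writes(log_text):
    """Every write/update/delete performed by a read-only admin account.

    Each hit carries auth_related=True when the object is an authentication
    setting, so a SIEM rule can raise severity for those events.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("role") == "read-only-admin" and ev.get("action") in WRITE_ACTIONS:
            ev["auth_related"] = ev.get("object", "").startswith(AUTH_PREFIXES)
            hits.append(ev)
    return hits

def config_drift(baseline, current):
    """Keys whose value differs between the approved baseline and the live config.

    Returns {key: (baseline_value, current_value)}; a missing key shows as None.
    """
    keys = set(baseline) | set(current)
    return {k: (baseline.get(k), current.get(k))
            for k in sorted(keys) if baseline.get(k) != current.get(k)}
```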
Monitoring Recommendations
- Restrict management plane reachability to a dedicated administrative network and log all administrative sessions.
- Review the population of read-only admin accounts and remove dormant or shared credentials.
- Enable change notifications for authentication policies and route them to the security operations team for review.
How to Mitigate CVE-2025-55142
Immediate Actions Required
- Upgrade Ivanti Connect Secure to 22.7R2.9 or 22.8R2, Policy Secure to 22.7R1.6, and ZTA Gateway to 2.8R2.3-723 as soon as maintenance windows allow.
- For Ivanti Neurons for Secure Access, confirm the cloud-side fix deployed on 2025-08-02 covers the tenant; no customer action is required for the SaaS component beyond verification.
- Audit all read-only administrator accounts and rotate credentials for any account whose activity cannot be accounted for.
Patch Information
Ivanti released fixed versions in the September 2025 Security Advisory covering Connect Secure, Policy Secure, ZTA Gateway, and Neurons for Secure Access. Full version details and download links are available in the Ivanti Security Advisory. Apply patches in a maintenance window after taking a configuration backup.
Workarounds
- Limit administrative interface access to trusted source IP ranges using the appliance's admin ACLs.
- Reduce the number of read-only administrator accounts and apply strong MFA to every remaining account.
- Monitor and alert on any configuration changes to authentication settings until patched versions are installed.
# Configuration example
# Restrict admin interface to a management subnet (illustrative)
# Replace with your appliance-specific admin ACL syntax
admin-acl allow source 10.10.20.0/24
admin-acl deny source 0.0.0.0/0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.