CVE-2025-55143 Overview
CVE-2025-55143 is a reflected text injection vulnerability affecting multiple Ivanti secure access products. The flaw allows a remote unauthenticated attacker to inject arbitrary text into a crafted HTTP response. Exploitation requires user interaction, typically through a malicious link. The vulnerability is classified as [CWE-79] and impacts Ivanti Connect Secure, Ivanti Policy Secure, Ivanti ZTA Gateway, and Ivanti Neurons for Secure Access. Ivanti addressed the issue in updated releases, with a fix deployed for Neurons for Secure Access on 02-Aug-2025.
Critical Impact
A remote unauthenticated attacker can inject arbitrary text into crafted HTTP responses, enabling content spoofing and phishing scenarios that could compromise confidentiality and integrity when a user interacts with the crafted link.
Affected Products
- Ivanti Connect Secure before 22.7R2.9 or 22.8R2
- Ivanti Policy Secure before 22.7R1.6
- Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4
Discovery Timeline
- 2025-08-02 - Fix deployed for Ivanti Neurons for Secure Access
- 2025-09-09 - CVE-2025-55143 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-55143
Vulnerability Analysis
The vulnerability is a reflected text injection issue in the HTTP response handling of several Ivanti secure access products. An attacker can craft a URL containing controlled input that the server reflects into an HTTP response without proper sanitization. When a targeted user interacts with the crafted request, arbitrary attacker-controlled text renders within the response context.
The issue maps to [CWE-79], the Common Weakness Enumeration category for improper neutralization of input during web page generation. Because the injection occurs in a trusted gateway component, attackers can leverage it to increase the credibility of phishing lures or manipulate on-page content perceived by the victim.
Root Cause
The root cause is insufficient output encoding or input neutralization when constructing HTTP responses that echo user-supplied parameters. The affected components reflect attacker-controlled values into the response body without applying context-appropriate sanitization, which enables text injection into the rendered content.
Attack Vector
The attack vector is network-based and requires no authentication, but it does require user interaction. An attacker crafts a malicious URL that targets a vulnerable Ivanti endpoint and delivers it to a victim through phishing, chat, or other social channels. When the victim clicks the link, the vulnerable server echoes the injected text into the HTTP response. The scope is changed, indicating the impact can extend beyond the vulnerable component to the user's browser session.
No verified public exploit code is available for this issue. Refer to the Ivanti Security Advisory - September for authoritative technical details.
Detection Methods for CVE-2025-55143
Indicators of Compromise
- Unusual HTTP requests to Ivanti Connect Secure, Policy Secure, ZTA Gateway, or Neurons for Secure Access endpoints containing encoded characters, HTML fragments, or unusually long query parameters.
- Web server or proxy logs showing reflected values from user-supplied parameters in outbound HTTP responses.
- Phishing reports referencing legitimate Ivanti gateway hostnames with atypical URL structures.
Detection Strategies
- Inspect web application firewall (WAF) and reverse proxy logs for query strings containing HTML metacharacters, entity encodings, or script fragments targeting Ivanti gateway URLs.
- Correlate high-volume clicks on newly observed gateway URLs with anomalous referrer patterns from external mail or messaging platforms.
- Deploy signatures that match known reflected injection payload structures against traffic destined for Ivanti management and portal endpoints.
Monitoring Recommendations
- Enable verbose HTTP request logging on Ivanti appliances and forward logs to a centralized SIEM for query-parameter analysis.
- Monitor for outbound HTTP responses containing user-supplied strings echoed verbatim into response bodies from Ivanti gateway hostnames.
- Alert on user reports of unexpected content or prompts rendered by Ivanti authentication portals.
How to Mitigate CVE-2025-55143
Immediate Actions Required
- Upgrade Ivanti Connect Secure to 22.7R2.9 or 22.8R2 or later.
- Upgrade Ivanti Policy Secure to 22.7R1.6 or later.
- Upgrade Ivanti ZTA Gateway to 2.8R2.3-723 or later; the Ivanti Neurons for Secure Access fix was deployed on 02-Aug-2025 in version 22.8R1.4.
- Communicate the risk of clicking untrusted links to users who access Ivanti portals externally.
Patch Information
Ivanti has released fixed versions across all impacted products. Administrators should review the Ivanti Security Advisory - September for the definitive list of fixed builds and apply the appropriate upgrade for each deployment.
Workarounds
- Restrict access to Ivanti management and authentication portals to trusted network ranges where feasible.
- Deploy a WAF rule set that filters HTML metacharacters and script fragments in query parameters directed at Ivanti gateway endpoints.
- Train users to validate URLs before clicking links referencing Ivanti gateway hostnames, especially those received via email or messaging platforms.
# Configuration example
# Refer to the Ivanti Security Advisory for authoritative upgrade steps.
# Example WAF rule (pseudocode) to block reflected injection payloads:
# SecRule ARGS "@rx (?i)(<script|onerror=|javascript:|<img\s)" \
# "id:1055143,phase:2,deny,log,msg:'Possible reflected injection targeting Ivanti gateway'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

