Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-55143

CVE-2025-55143: Ivanti Connect Secure XSS Vulnerability

CVE-2025-55143 is a reflected XSS flaw in Ivanti Connect Secure allowing unauthenticated attackers to inject text into HTTP responses. This article covers the technical details, affected versions, and patches.

Published:

CVE-2025-55143 Overview

CVE-2025-55143 is a reflected text injection vulnerability affecting multiple Ivanti secure access products. The flaw allows a remote unauthenticated attacker to inject arbitrary text into a crafted HTTP response. Exploitation requires user interaction, typically through a malicious link. The vulnerability is classified as [CWE-79] and impacts Ivanti Connect Secure, Ivanti Policy Secure, Ivanti ZTA Gateway, and Ivanti Neurons for Secure Access. Ivanti addressed the issue in updated releases, with a fix deployed for Neurons for Secure Access on 02-Aug-2025.

Critical Impact

A remote unauthenticated attacker can inject arbitrary text into crafted HTTP responses, enabling content spoofing and phishing scenarios that could compromise confidentiality and integrity when a user interacts with the crafted link.

Affected Products

  • Ivanti Connect Secure before 22.7R2.9 or 22.8R2
  • Ivanti Policy Secure before 22.7R1.6
  • Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4

Discovery Timeline

  • 2025-08-02 - Fix deployed for Ivanti Neurons for Secure Access
  • 2025-09-09 - CVE-2025-55143 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-55143

Vulnerability Analysis

The vulnerability is a reflected text injection issue in the HTTP response handling of several Ivanti secure access products. An attacker can craft a URL containing controlled input that the server reflects into an HTTP response without proper sanitization. When a targeted user interacts with the crafted request, arbitrary attacker-controlled text renders within the response context.

The issue maps to [CWE-79], the Common Weakness Enumeration category for improper neutralization of input during web page generation. Because the injection occurs in a trusted gateway component, attackers can leverage it to increase the credibility of phishing lures or manipulate on-page content perceived by the victim.

Root Cause

The root cause is insufficient output encoding or input neutralization when constructing HTTP responses that echo user-supplied parameters. The affected components reflect attacker-controlled values into the response body without applying context-appropriate sanitization, which enables text injection into the rendered content.

Attack Vector

The attack vector is network-based and requires no authentication, but it does require user interaction. An attacker crafts a malicious URL that targets a vulnerable Ivanti endpoint and delivers it to a victim through phishing, chat, or other social channels. When the victim clicks the link, the vulnerable server echoes the injected text into the HTTP response. The scope is changed, indicating the impact can extend beyond the vulnerable component to the user's browser session.

No verified public exploit code is available for this issue. Refer to the Ivanti Security Advisory - September for authoritative technical details.

Detection Methods for CVE-2025-55143

Indicators of Compromise

  • Unusual HTTP requests to Ivanti Connect Secure, Policy Secure, ZTA Gateway, or Neurons for Secure Access endpoints containing encoded characters, HTML fragments, or unusually long query parameters.
  • Web server or proxy logs showing reflected values from user-supplied parameters in outbound HTTP responses.
  • Phishing reports referencing legitimate Ivanti gateway hostnames with atypical URL structures.

Detection Strategies

  • Inspect web application firewall (WAF) and reverse proxy logs for query strings containing HTML metacharacters, entity encodings, or script fragments targeting Ivanti gateway URLs.
  • Correlate high-volume clicks on newly observed gateway URLs with anomalous referrer patterns from external mail or messaging platforms.
  • Deploy signatures that match known reflected injection payload structures against traffic destined for Ivanti management and portal endpoints.

Monitoring Recommendations

  • Enable verbose HTTP request logging on Ivanti appliances and forward logs to a centralized SIEM for query-parameter analysis.
  • Monitor for outbound HTTP responses containing user-supplied strings echoed verbatim into response bodies from Ivanti gateway hostnames.
  • Alert on user reports of unexpected content or prompts rendered by Ivanti authentication portals.

How to Mitigate CVE-2025-55143

Immediate Actions Required

  • Upgrade Ivanti Connect Secure to 22.7R2.9 or 22.8R2 or later.
  • Upgrade Ivanti Policy Secure to 22.7R1.6 or later.
  • Upgrade Ivanti ZTA Gateway to 2.8R2.3-723 or later; the Ivanti Neurons for Secure Access fix was deployed on 02-Aug-2025 in version 22.8R1.4.
  • Communicate the risk of clicking untrusted links to users who access Ivanti portals externally.

Patch Information

Ivanti has released fixed versions across all impacted products. Administrators should review the Ivanti Security Advisory - September for the definitive list of fixed builds and apply the appropriate upgrade for each deployment.

Workarounds

  • Restrict access to Ivanti management and authentication portals to trusted network ranges where feasible.
  • Deploy a WAF rule set that filters HTML metacharacters and script fragments in query parameters directed at Ivanti gateway endpoints.
  • Train users to validate URLs before clicking links referencing Ivanti gateway hostnames, especially those received via email or messaging platforms.
bash
# Configuration example
# Refer to the Ivanti Security Advisory for authoritative upgrade steps.
# Example WAF rule (pseudocode) to block reflected injection payloads:
# SecRule ARGS "@rx (?i)(<script|onerror=|javascript:|<img\s)" \
#   "id:1055143,phase:2,deny,log,msg:'Possible reflected injection targeting Ivanti gateway'"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.