
CVE-2025-55147: Ivanti Connect Secure CSRF Vulnerability

CVE-2025-55147 is a cross-site request forgery flaw in Ivanti Connect Secure that enables remote attackers to execute sensitive actions on behalf of victims. This article covers technical details, affected versions, and mitigation.

Published: April 15, 2026

CVE-2025-55147 Overview

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in multiple Ivanti products including Connect Secure, Policy Secure, ZTA Gateway, and Neurons for Secure Access. This vulnerability allows a remote unauthenticated attacker to execute sensitive actions on behalf of an authenticated victim user. The attack requires user interaction, typically through social engineering tactics that trick the victim into clicking a malicious link or visiting a crafted webpage while authenticated to the vulnerable Ivanti appliance.

Critical Impact

Remote unauthenticated attackers can hijack authenticated user sessions to perform sensitive administrative actions, potentially compromising VPN access controls and secure access infrastructure.

Affected Products

  • Ivanti Connect Secure before 22.7R2.9 or 22.8R2
  • Ivanti Policy Secure before 22.7R1.6
  • Ivanti ZTA Gateway before 2.8R2.3-723
  • Ivanti Neurons for Secure Access before 22.8R1.4

Discovery Timeline

  • September 9, 2025 - CVE-2025-55147 published to NVD
  • September 24, 2025 - Last updated in NVD database

Technical Details for CVE-2025-55147

Vulnerability Analysis

This CSRF vulnerability (CWE-352) exists due to the lack of proper anti-CSRF token validation in sensitive web interface operations across multiple Ivanti secure access products. When an authenticated administrator or user visits a malicious webpage crafted by an attacker, their browser can be induced to send authenticated requests to the vulnerable Ivanti appliance without the user's knowledge or consent.

The affected products are critical network infrastructure components used for VPN access, policy enforcement, and zero trust network access. Successful exploitation could allow an attacker to modify security policies, create backdoor accounts, alter VPN configurations, or perform other administrative actions with the privileges of the victim user.

Root Cause

The vulnerability stems from insufficient validation of request origin and the absence or improper implementation of anti-CSRF tokens in sensitive state-changing operations within the web management interface. The application fails to verify that requests originate from legitimate user interactions within the authenticated session, allowing forged cross-origin requests to be processed as legitimate administrative commands.
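The two controls named above, request-origin validation and a session-bound anti-CSRF token, can be sketched as follows. This is an added illustration, not Ivanti's code; the function names, the HMAC token scheme, and the hostnames used with it are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change state

def _origin_of(url):
    """Normalise a URL to (scheme, host, port) so origins compare exactly."""
    p = urlsplit(url)
    default = {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), p.port or default)

def csrf_token(secret, session_id):
    """Token bound to one session: HMAC-SHA256 over the session id (assumed scheme)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def allow_request(method, headers, session_id, submitted_token, secret, own_origin):
    """Decide whether a request that already carries a valid session cookie may run.

    Returns (allowed, reason). A valid cookie alone is never sufficient for a
    state-changing method: the browser attaches it to forged requests too.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # Check 1: where did the request come from? Prefer Origin, fall back to Referer.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "no Origin or Referer"
    if _origin_of(source) != _origin_of(own_origin):
        return False, "cross-origin request"
    # Check 2: does the request carry the secret a foreign page cannot read?
    expected = csrf_token(secret, session_id).encode()
    if not hmac.compare_digest(expected, (submitted_token or "").encode()):
        return False, "bad or missing CSRF token"
    return True, "ok"
```

Comparing the parsed origin tuple rather than a string prefix also rejects an `Origin: null` header and lookalike hostnames.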

Attack Vector

The attack requires network access and user interaction. An attacker must craft a malicious webpage or email containing embedded requests targeting the vulnerable Ivanti appliance. When an authenticated user with administrative privileges visits this malicious content while logged into the Ivanti management interface, their browser automatically includes session cookies with the forged request. The server processes this request as if it were a legitimate user action, executing sensitive operations such as configuration changes, user account modifications, or policy alterations without proper authorization verification.

A typical attack scenario involves embedding hidden form submissions or JavaScript-driven requests within a malicious webpage that targets known administrative endpoints on the Ivanti appliance. Since the victim's browser automatically attaches valid session credentials, the forged request passes authentication, and the missing CSRF protections leave the server unable to tell it apart from a legitimate action.

Detection Methods for CVE-2025-55147

Indicators of Compromise

  • Unexpected configuration changes in Ivanti Connect Secure, Policy Secure, ZTA Gateway, or Neurons for Secure Access appliances
  • Administrative actions logged from unusual source IP addresses or at unusual times
  • New user accounts or modified access policies that were not authorized by administrators
  • Referer headers in web logs showing that requests to sensitive endpoints originated from external domains

Detection Strategies

  • Monitor administrative audit logs for configuration changes that lack corresponding authorized change requests
  • Analyze web server logs for requests to administrative endpoints with suspicious or missing Referer headers
  • Implement network monitoring to detect unusual patterns of administrative API calls
  • Configure alerting for bulk configuration changes or creation of privileged accounts outside normal maintenance windows
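
One way to implement the Referer check on web logs, as an added example that is not part of the original advisory. The appliance hostname, the admin path prefix, the combined log format, and the sample lines are all constructed placeholders; substitute the values from your own deployment.

```python
import re
from urllib.parse import urlsplit

# Assumptions for illustration only: hostname and admin prefix are placeholders.
APPLIANCE_HOSTS = {"vpn.example.internal"}
ADMIN_PREFIX = "/admin-placeholder/"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Combined log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def classify(line):
    """Return (reason, fields) for a suspicious admin request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    if f["method"] not in STATE_CHANGING or not f["path"].startswith(ADMIN_PREFIX):
        return None  # only state-changing requests to admin endpoints matter here
    if f["referer"] in ("", "-"):
        return ("missing-referer", f)
    # Compare the parsed hostname exactly; a substring test would accept lookalikes.
    host = (urlsplit(f["referer"]).hostname or "").lower()
    if host not in APPLIANCE_HOSTS:
        return ("cross-origin-referer", f)
    return None

def scan(lines):
    """Classify every line and keep only the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.10.10.21 - admin [12/Sep/2025:09:14:02 +0000] "POST /admin-placeholder/users/create HTTP/1.1" 200 512 "https://vpn.example.internal/admin-placeholder/users" "Mozilla/5.0"',
    '10.10.10.21 - admin [12/Sep/2025:09:20:40 +0000] "POST /admin-placeholder/users/create HTTP/1.1" 200 498 "https://news.example.net/article" "Mozilla/5.0"',
    '10.10.10.21 - admin [12/Sep/2025:09:21:03 +0000] "POST /admin-placeholder/policy/update HTTP/1.1" 200 301 "-" "Mozilla/5.0"',
    '10.10.10.21 - admin [12/Sep/2025:09:22:10 +0000] "GET /admin-placeholder/dashboard HTTP/1.1" 200 9000 "https://news.example.net/" "Mozilla/5.0"',
    '10.10.10.21 - admin [12/Sep/2025:09:23:55 +0000] "POST /admin-placeholder/policy/update HTTP/1.1" 200 301 "https://vpn.example.internal.lookalike.example/x" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for reason, f in scan(SAMPLE_LOG):
        print(reason, f["ts"], f["user"], f["method"], f["path"], f["referer"])
```

A missing Referer is not proof of forgery, since privacy settings and some clients strip it, so treat these hits as leads to correlate with the audit log rather than as verdicts.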

Monitoring Recommendations

  • Enable verbose logging on all affected Ivanti appliances and forward logs to a centralized SIEM solution
  • Set up real-time alerts for administrative actions performed during off-hours or from unexpected locations
  • Regularly review authentication logs for sessions that may have been compromised
  • Monitor network traffic for connections to known phishing or malicious domains from administrator workstations

How to Mitigate CVE-2025-55147

Immediate Actions Required

  • Update Ivanti Connect Secure to version 22.7R2.9 or 22.8R2 or later
  • Update Ivanti Policy Secure to version 22.7R1.6 or later
  • Update Ivanti ZTA Gateway to version 2.8R2.3-723 or later
  • Update Ivanti Neurons for Secure Access to version 22.8R1.4 or later
  • Review recent administrative changes and audit logs for signs of compromise

Patch Information

Ivanti has released security updates addressing this CSRF vulnerability as part of their September 2025 Security Advisory. Organizations should consult the Ivanti Security Advisory for detailed upgrade instructions and download links for patched firmware versions. For Ivanti Neurons for Secure Access, the fix was deployed on August 2, 2025, as a cloud-based update.

Workarounds

  • Implement strict network segmentation to limit administrative interface access to trusted management networks only
  • Require administrators to use dedicated browsers or browser profiles exclusively for Ivanti appliance management
  • Train administrators to avoid clicking untrusted links or browsing external websites while authenticated to administrative interfaces
  • Consider implementing additional access controls such as multi-factor authentication for administrative sessions

```bash
# Example network segmentation configuration
# Restrict management interface access to trusted admin network
iptables -A INPUT -p tcp --dport 443 -s 10.10.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: CSRF
  • Vendor/Tech: Ivanti Connect Secure
  • Severity: HIGH
  • CVSS Score: 8.8
  • EPSS Probability: 0.40%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: High
  • Availability: High

CWE References

  • CWE-352

Vendor Resources

  • Ivanti Security Advisory - Multiple CVEs

Related CVEs

  • CVE-2021-22894: Ivanti Connect Secure RCE Vulnerability
  • CVE-2021-22899: Ivanti Connect Secure RCE Vulnerability
  • CVE-2021-22893: Ivanti Connect Secure Auth Bypass Flaw
  • CVE-2021-22900: Ivanti Connect Secure RCE Vulnerability