CVE-2025-8310 Overview
CVE-2025-8310 is a missing authorization vulnerability [CWE-862] in the admin console of Ivanti Virtual Application Delivery Controller (vADC), previously known as Pulse Secure Virtual Traffic Manager (vTM). The flaw affects all versions before 22.9. A remote authenticated attacker with low privileges can exploit the missing authorization check to reset passwords of other administrative accounts. Successful exploitation results in full takeover of admin accounts, granting attackers control over load-balancing and application delivery configurations.
Critical Impact
A low-privileged authenticated attacker can take over admin accounts by resetting passwords, gaining complete administrative control over Ivanti vADC deployments.
Affected Products
- Ivanti Virtual Application Delivery Controller (vADC) versions before 22.9
- Previously branded as Ivanti Virtual Traffic Manager (vTM)
- All deployments exposing the admin console to authenticated users
Discovery Timeline
- 2025-08-12 - CVE-2025-8310 published to NVD
- 2026-01-12 - Last updated in NVD database
Technical Details for CVE-2025-8310
Vulnerability Analysis
The vulnerability resides in the administrative console of Ivanti vADC. The admin console fails to enforce proper authorization checks on the password reset functionality. An authenticated user with limited privileges can issue a password reset request targeting an account with higher privileges, including administrator accounts. Because the application does not verify whether the requesting principal is authorized to perform the reset on the target account, the operation succeeds.
Once the password is reset, the attacker authenticates as the targeted administrator and obtains full control of the vADC instance. Ivanti vADC functions as a load balancer and application delivery controller, so administrative compromise exposes traffic management policies, TLS keys, and backend service configurations to the attacker.
Root Cause
The root cause is a missing authorization check [CWE-862] on the password reset endpoint within the admin console. The application authenticates the requester but does not validate whether the requester has permission to modify the targeted account. This design oversight conflates authentication with authorization.
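The missing check, shown as an added Python illustration (not Ivanti's code and not taken from the advisory): `reset_password_unchecked` accepts any authenticated session, while `reset_password_checked` also authorizes the requester against the target account. The role names, ranking, policy and function names are hypothetical.

```python
# Added illustration of CWE-862 on a password-reset handler.
# All names and the role model are hypothetical, not Ivanti vADC code.
from dataclasses import dataclass

# Constructed role ranking: higher number = more privilege.
ROLE_RANK = {"monitor": 1, "operator": 2, "admin": 3}


@dataclass
class User:
    name: str
    role: str
    password: str = "unset"


class AuthorizationError(Exception):
    pass


def reset_password_unchecked(session_user, target, new_password):
    """Pre-fix pattern: a valid session is the only requirement."""
    if session_user is None:
        raise AuthorizationError("not authenticated")
    target.password = new_password  # nothing checks who may change whom
    return True


def may_reset(requester, target):
    """Assumed policy: reset your own password, or be an admin to reset others'."""
    if requester.name == target.name:
        return True
    # Unknown roles rank 0, so they are denied by default.
    return ROLE_RANK.get(requester.role, 0) >= ROLE_RANK["admin"]


def reset_password_checked(session_user, target, new_password):
    """Hardened pattern: authenticate first, then authorize against the target."""
    if session_user is None:
        raise AuthorizationError("not authenticated")
    if not may_reset(session_user, target):
        raise AuthorizationError(
            f"{session_user.name} ({session_user.role}) may not reset {target.name}")
    target.password = new_password
    return True
```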
Attack Vector
Exploitation requires network access to the admin console and valid low-privileged credentials. No user interaction is required. The attacker submits a crafted password reset request for an administrator account, then authenticates with the newly set credentials. The vulnerability is exploitable over the network with low attack complexity.
No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-8310
Indicators of Compromise
- Unexpected password reset events in vADC admin console audit logs targeting administrator accounts
- Administrator login sessions originating from unusual source IP addresses or geolocations
- Configuration changes to load balancing pools, TLS certificates, or virtual servers shortly after a password reset event
- New or modified administrative accounts created after an unauthorized reset
Detection Strategies
- Enable and centralize audit logging from the vADC admin console to capture password reset and account modification events
- Correlate password reset events with the privilege level of the requesting account to identify low-privileged users targeting administrators
- Alert on consecutive password reset events followed by successful administrator logins within short time windows
- Monitor configuration export and backup operations that occur immediately after authentication events
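One way to implement the reset-correlation strategies above, as an added Python example that is not part of the original advisory: it flags resets where a non-admin actor targets an admin account and raises severity when that account logs in within a short window. The log format, field names, account names and role inventory are constructed; map them to the fields your vADC audit log export actually contains.

```python
# Added detection sketch. The log format, field names and accounts are
# constructed for illustration and are not the vADC audit log format.
from datetime import datetime, timedelta

# Constructed account inventory: account name -> role.
ROLES = {"admin": "admin", "netops": "admin", "helpdesk1": "monitor"}

SAMPLE_LOG = """\
2025-08-20T02:11:05Z event=password_reset actor=helpdesk1 target=admin src=203.0.113.7
2025-08-20T02:12:40Z event=login_success actor=admin target=admin src=203.0.113.7
2025-08-20T09:00:00Z event=password_reset actor=netops target=helpdesk1 src=10.10.0.15
2025-08-20T09:30:00Z event=password_reset actor=helpdesk1 target=helpdesk1 src=10.10.0.22
"""

def parse(line):
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def find_suspicious_resets(log_text, roles, window=timedelta(minutes=10)):
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] != "password_reset" or ev["actor"] == ev["target"]:
            continue  # self-service resets are out of scope here
        # An actor missing from the inventory counts as non-admin and is still flagged.
        if roles.get(ev["actor"]) == "admin" or roles.get(ev["target"]) != "admin":
            continue
        # Look for the reset account logging in shortly afterwards.
        followup = next((later for later in events[i + 1:]
                         if later["event"] == "login_success"
                         and later["actor"] == ev["target"]
                         and later["ts"] - ev["ts"] <= window), None)
        findings.append({
            "time": ev["ts"], "actor": ev["actor"], "target": ev["target"],
            "reset_src": ev["src"],
            "login_after_reset": followup is not None,
            "login_src": followup["src"] if followup else None,
            "severity": "high" if followup else "medium",
        })
    return findings
```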
Monitoring Recommendations
- Forward vADC admin console logs to a centralized SIEM or data lake for retention and correlation
- Baseline normal administrative activity and alert on deviations such as off-hours administrator logins
- Track all authentication attempts against the admin console and flag credential changes performed by non-administrative principals
How to Mitigate CVE-2025-8310
Immediate Actions Required
- Upgrade Ivanti Virtual Application Delivery Controller to version 22.9 or later
- Restrict network access to the admin console to trusted management networks only
- Audit all administrative accounts and rotate credentials following the upgrade
- Review audit logs for evidence of unauthorized password resets prior to patching
Patch Information
Ivanti has released a fix in vADC version 22.9. Apply the update following the guidance in the Ivanti Security Advisory CVE-2025-8310. Administrators should verify the installed version after upgrade and confirm that all nodes in a clustered deployment have been updated.
Workarounds
- Limit admin console exposure by placing it behind a VPN or jump host accessible only to authorized administrators
- Enforce strong, unique credentials and multi-factor authentication for all accounts with access to the admin console
- Remove or disable low-privileged accounts that do not require admin console access until patching is complete
- Implement network-level access control lists restricting inbound traffic to the management interface
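# Example: restrict admin console access via host firewall (iptables)
# Allow only the management subnet to reach the admin console port.
# The port (9090) and subnet (10.10.0.0/24) are example values; adjust them to your deployment.
# -A appends to the chain, so these rules only take effect if no earlier INPUT rule already accepts the traffic.
iptables -A INPUT -p tcp --dport 9090 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 9090 -j DROP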


