Skip to main content
CVE Vulnerability Database

CVE-2025-8711: Ivanti Connect Secure CSRF Vulnerability

CVE-2025-8711 is a cross-site request forgery flaw in Ivanti Connect Secure that enables remote attackers to execute limited actions on behalf of victims. This article covers technical details, affected versions, and patches.

Published:

CVE-2025-8711 Overview

CVE-2025-8711 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] affecting multiple Ivanti secure access products. The flaw allows a remote unauthenticated attacker to execute limited actions on behalf of an authenticated victim user when that user is tricked into interacting with attacker-controlled content. Affected products include Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723, and Ivanti Neurons for Secure Access before 22.8R1.4. Ivanti deployed the fix for Neurons for Secure Access on 02-Aug-2025.

Critical Impact

A successful CSRF attack can trigger limited administrative or user-scoped actions on Ivanti secure access gateways when an authenticated user visits a malicious page, potentially altering configuration state on enterprise VPN and Zero Trust infrastructure.

Affected Products

  • Ivanti Connect Secure before 22.7R2.9 and 22.8R2
  • Ivanti Policy Secure before 22.7R1.6
  • Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4

Discovery Timeline

  • 02-Aug-2025 - Fix deployed for Ivanti Neurons for Secure Access
  • 2025-09-09 - CVE-2025-8711 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-8711

Vulnerability Analysis

The vulnerability is a Cross-Site Request Forgery (CSRF) weakness classified under [CWE-352]. Ivanti's affected web interfaces accept state-changing HTTP requests without sufficiently validating that the request originated from a legitimate, intentional user action. An attacker who lures an authenticated victim to a malicious page can cause the browser to issue forged requests to the Ivanti appliance. Those requests execute in the victim's authenticated session context. The vendor characterizes the resulting capability as "limited actions," consistent with the low confidentiality and integrity impact recorded in the CVSS vector. User interaction is required for exploitation, which reduces reliability but does not eliminate risk in phishing-driven campaigns targeting VPN and access-gateway administrators.

Root Cause

The root cause is missing or insufficient anti-CSRF protections on request handlers in the Ivanti Connect Secure, Policy Secure, ZTA Gateway, and Neurons for Secure Access web management interfaces. Effective mitigations such as unique per-session CSRF tokens, strict SameSite cookie enforcement, or origin/referer validation were not applied consistently before the fixed releases.

Attack Vector

Exploitation is network-based and unauthenticated from the attacker's perspective. The attacker crafts a web page, email, or embedded resource that issues a forged HTTP request to the target Ivanti appliance. When a user with an active authenticated session on the appliance interacts with the attacker's content, the browser attaches session cookies to the forged request, and the appliance processes it as legitimate. Because affected products are commonly used as VPN concentrators and Zero Trust gateways, targeted phishing against administrators is the most plausible exploitation path.

No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Ivanti Security Advisory for vendor-provided technical details.

Detection Methods for CVE-2025-8711

Indicators of Compromise

  • Unexpected configuration changes on Ivanti Connect Secure, Policy Secure, ZTA Gateway, or Neurons for Secure Access appliances that correlate with administrator web sessions.
  • HTTP requests to the appliance's management interface with a Referer or Origin header pointing to an external, untrusted domain.
  • Audit log entries showing state-changing actions immediately after an administrator visited an external URL.

Detection Strategies

  • Inspect web proxy and appliance access logs for cross-origin POST/PUT/DELETE requests targeting Ivanti management endpoints.
  • Correlate email and web gateway telemetry with administrator browsing activity to identify phishing pages that reference Ivanti management URLs.
  • Alert on any administrative configuration change that lacks a corresponding interactive admin session initiated from a trusted network segment.

Monitoring Recommendations

  • Enable and forward Ivanti appliance audit logs to a centralized SIEM for review of all administrative state changes.
  • Monitor for anomalous Referer and Origin headers on requests to the Ivanti web console.
  • Track administrator account activity for actions performed outside expected maintenance windows.

How to Mitigate CVE-2025-8711

Immediate Actions Required

  • Upgrade Ivanti Connect Secure to 22.7R2.9 or 22.8R2, or a later fixed release.
  • Upgrade Ivanti Policy Secure to 22.7R1.6 or later, and Ivanti ZTA Gateway to 2.8R2.3-723 or later.
  • Confirm Ivanti Neurons for Secure Access is on 22.8R1.4 or later; the vendor-hosted fix was deployed on 02-Aug-2025.
  • Restrict access to appliance management interfaces to trusted administrative networks only.

Patch Information

Ivanti addressed the CSRF vulnerability in Connect Secure 22.7R2.9 and 22.8R2, Policy Secure 22.7R1.6, ZTA Gateway 2.8R2.3-723, and Neurons for Secure Access 22.8R1.4. Full remediation details are published in the Ivanti September Security Advisory.

Workarounds

  • Require administrators to use a dedicated privileged access workstation with no general web browsing or email access.
  • Segment the appliance management interface behind a network access control list that permits only known admin source addresses.
  • Instruct administrators to fully log out of Ivanti management sessions before browsing to any external site.
  • Enforce browser policies that set SameSite=Strict behavior and block cross-site tracking for administrative browser profiles.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.