High

CSRF in Ivanti Connect Secure, Policy Secure, ZTA Gateway, and Neurons for Secure Access

IdentifiersCVE-2025-55147CWE-352· Cross-Site Request Forgery (CSRF)

CVE-2025-55147 is a cross-site request forgery (CSRF) vulnerability in the web-based administrative interfaces of multiple Ivanti products: Connect Secure before 22.7R2.9 or 22.8R2, Policy Secure before 22.7R1.6, ZTA Gateway before 2.8R2.3-723, and Neurons for Secure Access before 22.8R1.4. The issue is attributed to insufficient anti-CSRF protections for sensitive administrative actions, including failure to properly validate request origin and/or require effective anti-CSRF tokens. A remote unauthenticated attacker can induce an authenticated victim user, typically an administrator, to submit forged requests via a malicious website or crafted link. Because the victim's browser automatically includes valid session cookies or tokens, the target appliance processes the forged request with the victim's privileges.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to perform sensitive actions in the affected Ivanti administrative interface as the authenticated victim user. Based on the provided content, this can include changing appliance configuration, modifying network access policies, and potentially disabling security controls. The resulting impact depends on the victim's privileges, but in administrative contexts it can lead to unauthorized security policy changes, weakening of access enforcement, and compromise of the integrity of the appliance's management plane.

Mitigation

If you can’t patch tonight, do this now.

Until patching is completed, reduce exposure of the web-based management interface to trusted administrative networks only, restrict access through VPN or IP allowlisting, and avoid direct Internet exposure where possible. Require administrators to use dedicated management workstations or browser profiles for appliance administration, and minimize concurrent browsing to untrusted sites while authenticated to the interface. User awareness against phishing and malicious links can reduce exploitability, but mitigation is incomplete without vendor fixes because the flaw is in server-side CSRF protections.

Remediation

Patch, then assume compromise.

Upgrade affected products to fixed versions identified in the vendor information: Ivanti Connect Secure 22.7R2.9 or 22.8R2 and later, Ivanti Policy Secure 22.7R1.6 and later, Ivanti ZTA Gateway 2.8R2.3-723 and later, and Ivanti Neurons for Secure Access 22.8R1.4 and later. The provided content notes that a fix was deployed on 2025-08-02. Apply the relevant Ivanti security advisory guidance and verify that all exposed management interfaces are running remediated builds.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

IvantiConnect Secureapplication

IvantiNeurons For Secure Accessapplication

IvantiPolicy Secureapplication

IvantiZero Trust Access Gatewayapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

zeropath blogNews

Sep 9, 2025

Ivanti Connect Secure CSRF Vulnerability (CVE-2025-55147): Brief Summary and Technical Review - ZeroPath Blog | ZeroPath

A CSRF vulnerability in the web-based administrative interfaces of multiple Ivanti products that could let an attacker trick an authenticated administrator into submitting forged requests to change configurations, modify access policies, or disable security controls.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-55147

NVD

nvd.nist.gov/vuln/detail/CVE-2025-55147

MITRE CWE · CWE-352

Cross-Site Request Forgery (CSRF)

Vendor Advisory

forums.ivanti.com/s/article/September-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-and-Neurons-for-Secure-Access-Multiple-CVEs?language=en_US