Forwarded by Taiwan Computer Network Crisis Response and Coordination Center TWCERTCC-200-202509-00000007

[Description]
[CVE-2025-55141, CVSS: 8.8] This vulnerability lacks an authorization mechanism on the affected device, allowing an authenticated attacker with read-only administrator privileges to modify authentication-related settings.

[CVE-2025-55142, CVSS: 8.8] This vulnerability lacks an authorization mechanism on the affected device, allowing an authenticated attacker with read-only administrator privileges to modify authentication-related settings.

[CVE-2025-55145, CVSS: 8.9] This vulnerability lacks an authorization mechanism on the affected device, allowing an authenticated remote attacker to hijack an existing HTML5 connection.

[CVE-2025-55147, CVSS: 8.8] This vulnerability exists on affected devices due to a CSRF vulnerability, allowing an authenticated remote attacker to perform sensitive operations on behalf of the victim user.

[Affected Platforms]
● Ivanti Connect Secure 22.7R2.8 and earlier
● Ivanti Policy Secure 22.7R1.5 and earlier
● Ivanti ZTA Gateway 2.8R2.2 and earlier
● Ivanti Neurons for Secure Accessway 22.8R1.3 and earlier

[Recommended Action]
Please update to the following versions:
● Ivanti Connect Secure 22.7R2.9
● Ivanti Connect Secure 22.8R2
● Ivanti Policy Secure 22.7R1.6
● Ivanti ZTA Gateway 2.8R2.3-723
● Ivanti Neurons for Secure Accessway 22.8R1.4

[References]
1. September Security Advisory Ivanti Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access (Multiple CVEs): https://forums.ivanti.com/s/article/September-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-and-Neurons-for-Secure-Access-Multiple-CVEs

2. CVE-2025-55141: https://nvd.nist.gov/vuln/detail/CVE-2025-55141

3. CVE-2025-55142: https://nvd.nist.gov/vuln/detail/CVE-2025-55142

4. CVE-2025-55145: https://nvd.nist.gov/vuln/detail/CVE-2025-55145

5. CVE-2025-55147 https://nvd.nist.gov/vuln/detail/CVE-2025-55147