【資安漏洞預警】Ivanti 旗下Connect Secure、Policy Secure、ZTA Gateways和 Neurons for Secure Access存在多個重大資安漏洞
[Security Vulnerability Alert] Ivanti's Connect Secure, Policy Secure, ZTA Gateways, and Neurons for Secure Access have multiple major security vulnerabilities.

發布單位:圖資處數位服務組
日期範圍:2025/9/12 ~ 2026/3/12
 
發布單位:圖資處數位服務組
日期範圍:2025/9/12 ~ 2026/3/12
行政 行政公告
全體

轉發 台灣電腦網路危機處理暨協調中心 TWCERTCC-200-202509-00000007

[內容說明]
【CVE-2025-55141,CVSS:8.8】 此漏洞在受影響設備中缺乏授權機制,允許經過身分驗證且具有唯讀管理者權限的攻擊者修改與身分驗證相關的設定。

【CVE-2025-55142,CVSS:8.8】 此漏洞在受影響設備中缺乏授權機制,允許經過身分驗證且具有唯讀管理者權限的攻擊者修改與身分驗證相關的設定。

【CVE-2025-55145,CVSS:8.9】 此漏洞在受影響設備中缺乏授權機制,允許經過身分驗證的遠端攻擊者,劫持現有的HTML5連線。

【CVE-2025-55147,CVSS:8.8】 此漏洞在受影響設備中存在CSRF漏洞,允許經過身分驗證的遠端攻擊者,以受害者用戶的身分執行敏感性操作。

[影響平台]
● Ivanti Connect Secure 22.7R2.8 (含)之前版本
● Ivanti Policy Secure 22.7R1.5 (含)之前版本
● Ivanti ZTA Gateway 2.8R2.2 (含)之前版本
● Ivanti Neurons for Secure Accessway 22.8R1.3 (含)之前版本

[建議措施]
請更新至以下版本:
● Ivanti Connect Secure 22.7R2.9
● Ivanti Connect Secure 22.8R2
● Ivanti Policy Secure 22.7R1.6
● Ivanti ZTA Gateway 2.8R2.3-723
● Ivanti Neurons for Secure Accessway 22.8R1.4

[參考資料]
1. September Security Advisory Ivanti Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access (Multiple CVEs): https://forums.ivanti.com/s/article/September-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-and-Neurons-for-Secure-Access-Multiple-CVEs

2. CVE-2025-55141: https://nvd.nist.gov/vuln/detail/CVE-2025-55141

3. CVE-2025-55142: https://nvd.nist.gov/vuln/detail/CVE-2025-55142

4. CVE-2025-55145: https://nvd.nist.gov/vuln/detail/CVE-2025-55145

5. CVE-2025-55147 https://nvd.nist.gov/vuln/detail/CVE-2025-55147

Forwarded by Taiwan Computer Network Crisis Response and Coordination Center TWCERTCC-200-202509-00000007

[Description]
[CVE-2025-55141, CVSS: 8.8] This vulnerability lacks an authorization mechanism on the affected device, allowing an authenticated attacker with read-only administrator privileges to modify authentication-related settings.

[CVE-2025-55142, CVSS: 8.8] This vulnerability lacks an authorization mechanism on the affected device, allowing an authenticated attacker with read-only administrator privileges to modify authentication-related settings.

[CVE-2025-55145, CVSS: 8.9] This vulnerability lacks an authorization mechanism on the affected device, allowing an authenticated remote attacker to hijack an existing HTML5 connection.

[CVE-2025-55147, CVSS: 8.8] This vulnerability exists on affected devices due to a CSRF vulnerability, allowing an authenticated remote attacker to perform sensitive operations on behalf of the victim user.

[Affected Platforms]
● Ivanti Connect Secure 22.7R2.8 and earlier
● Ivanti Policy Secure 22.7R1.5 and earlier
● Ivanti ZTA Gateway 2.8R2.2 and earlier
● Ivanti Neurons for Secure Accessway 22.8R1.3 and earlier

[Recommended Action]
Please update to the following versions:
● Ivanti Connect Secure 22.7R2.9
● Ivanti Connect Secure 22.8R2
● Ivanti Policy Secure 22.7R1.6
● Ivanti ZTA Gateway 2.8R2.3-723
● Ivanti Neurons for Secure Accessway 22.8R1.4

[References]
1. September Security Advisory Ivanti Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access (Multiple CVEs): https://forums.ivanti.com/s/article/September-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-and-Neurons-for-Secure-Access-Multiple-CVEs

2. CVE-2025-55141: https://nvd.nist.gov/vuln/detail/CVE-2025-55141

3. CVE-2025-55142: https://nvd.nist.gov/vuln/detail/CVE-2025-55142

4. CVE-2025-55145: https://nvd.nist.gov/vuln/detail/CVE-2025-55145

5. CVE-2025-55147 https://nvd.nist.gov/vuln/detail/CVE-2025-55147


相關附件
【返回上頁】
Top↑