CVE-2025-5468

Published: Aug 12, 2025Modified: Sep 23, 2025

5.5

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 (Secondary)

Description

Improper handling of symbolic links in Ivanti Connect Secure before version 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a local authenticated attacker to read arbitrary files on disk.

Affected (29)

Products: Ivanti: Connect Secure, Policy Secure, Zero Trust Access Gateway, Neurons For Secure Access

Ivanti

4 products

Connect Secure

Policy Secure

Zero Trust Access Gateway

Neurons For Secure Access

Configuration A

16 vulnerable

Vulnerable Software	Affected Versions
Ivanti Connect Secure	Before 22.7
Ivanti Connect Secure	Version 22.7
Ivanti Connect Secure	Version 22.7 r1.1
Ivanti Connect Secure	Version 22.7 r1.2
Ivanti Connect Secure	Version 22.7 r1.3
Ivanti Connect Secure	Version 22.7 r1.4
Ivanti Connect Secure	Version 22.7 r1.5
Ivanti Connect Secure	Version 22.7 r1
Ivanti Connect Secure	Version 22.7 r2.1
Ivanti Connect Secure	Version 22.7 r2.2
Ivanti Connect Secure	Version 22.7 r2.3
Ivanti Connect Secure	Version 22.7 r2.4
Ivanti Connect Secure	Version 22.7 r2.5
Ivanti Connect Secure	Version 22.7 r2.6
Ivanti Connect Secure	Version 22.7 r2.7
Ivanti Connect Secure	Version 22.7 r2

Configuration B

7 vulnerable

Vulnerable Software	Affected Versions
Ivanti Policy Secure	Before 22.7
Ivanti Policy Secure	Version 22.7
Ivanti Policy Secure	Version 22.7 r1.1
Ivanti Policy Secure	Version 22.7 r1.2
Ivanti Policy Secure	Version 22.7 r1.3
Ivanti Policy Secure	Version 22.7 r1.4
Ivanti Policy Secure	Version 22.7 r1

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Ivanti Zero Trust Access Gateway	Version 22.8 r2.2

Configuration D

5 vulnerable

Vulnerable Software	Affected Versions
Ivanti Neurons For Secure Access	Before 22.8
Ivanti Neurons For Secure Access	Version 22.8 r1.1
Ivanti Neurons For Secure Access	Version 22.8 r1.2
Ivanti Neurons For Secure Access	Version 22.8 r1.3
Ivanti Neurons For Secure Access	Version 22.8 r1

Related CWEs

CWE-61

UNIX Symbolic Link (Symlink) Following

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

References (1)

https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-Multiple-CVEs?language=en_US

Source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

Vendor Advisory

Timeline

No history available yet.