CVE-2025-8712

Published: Sep 9, 2025Modified: Sep 24, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 (Secondary)

Description

Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure restricted settings.

Affected (31)

Products: Ivanti: Neurons For Secure Access, Connect Secure, Policy Secure, Zero Trust Access Gateway

Ivanti

4 products

Neurons For Secure Access

Connect Secure

Policy Secure

Zero Trust Access Gateway

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Ivanti Neurons For Secure Access	Before 22.8
Ivanti Neurons For Secure Access	Version 22.8 r1.1
Ivanti Neurons For Secure Access	Version 22.8 r1.2
Ivanti Neurons For Secure Access	Version 22.8 r1.3
Ivanti Neurons For Secure Access	Version 22.8 r1

Configuration B

17 vulnerable

Vulnerable Software	Affected Versions
Ivanti Connect Secure	Before 22.7
Ivanti Connect Secure	Version 22.7
Ivanti Connect Secure	Version 22.7 r1.1
Ivanti Connect Secure	Version 22.7 r1.2
Ivanti Connect Secure	Version 22.7 r1.3
Ivanti Connect Secure	Version 22.7 r1.4
Ivanti Connect Secure	Version 22.7 r1.5
Ivanti Connect Secure	Version 22.7 r1
Ivanti Connect Secure	Version 22.7 r2.1
Ivanti Connect Secure	Version 22.7 r2.2
Ivanti Connect Secure	Version 22.7 r2.3
Ivanti Connect Secure	Version 22.7 r2.4
Ivanti Connect Secure	Version 22.7 r2.5
Ivanti Connect Secure	Version 22.7 r2.6
Ivanti Connect Secure	Version 22.7 r2.7
Ivanti Connect Secure	Version 22.7 r2.8
Ivanti Connect Secure	Version 22.7 r2

Configuration C

8 vulnerable

Vulnerable Software	Affected Versions
Ivanti Policy Secure	Before 22.7
Ivanti Policy Secure	Version 22.7
Ivanti Policy Secure	Version 22.7 r1.1
Ivanti Policy Secure	Version 22.7 r1.2
Ivanti Policy Secure	Version 22.7 r1.3
Ivanti Policy Secure	Version 22.7 r1.4
Ivanti Policy Secure	Version 22.7 r1.5
Ivanti Policy Secure	Version 22.7 r1

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Ivanti Zero Trust Access Gateway	Version 22.8 r2.2

Related CWEs

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (1)

https://forums.ivanti.com/s/article/September-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-and-Neurons-for-Secure-Access-Multiple-CVEs

Source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

Vendor Advisory

Timeline

No history available yet.