Ivanti Neurons For Secure Access vulnerabilities
15 known vulnerabilities affecting ivanti/neurons_for_secure_access.
Total CVEs
15
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH7MEDIUM8
Vulnerabilities
Page 1 of 1
CVE-2025-55148HIGHCVSS 7.6fixed in 22.8v22.82025-09-09
CVE-2025-55148 [HIGH] CWE-862 CVE-2025-55148: Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure befor
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure restricted settings.
nvd
CVE-2025-55142HIGHCVSS 8.8fixed in 22.8v22.82025-09-09
CVE-2025-55142 [HIGH] CWE-862 CVE-2025-55142: Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure befor
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.
nvd
CVE-2025-55145HIGHCVSS 8.9fixed in 22.8v22.82025-09-09
CVE-2025-55145 [HIGH] CWE-862 CVE-2025-55145: Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure befor
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker to hijack existing HTML5 connections.
nvd
CVE-2025-55141HIGHCVSS 8.8fixed in 22.8v22.82025-09-09
CVE-2025-55141 [HIGH] CWE-862 CVE-2025-55141: Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure befor
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure authentication related settings.
nvd
CVE-2025-55147HIGHCVSS 8.8fixed in 22.8v22.82025-09-09
CVE-2025-55147 [HIGH] CWE-352 CVE-2025-55147: CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivant
CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to execute sensitive actions on behalf of the victim user. User interaction is required
nvd
CVE-2025-55146MEDIUMCVSS 4.9fixed in 22.8v22.82025-09-09
CVE-2025-55146 [MEDIUM] CWE-252 CVE-2025-55146: An unchecked return value in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure b
An unchecked return value in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with admin privileges to trigger a denial of service.
nvd
CVE-2025-55139MEDIUMCVSS 6.8fixed in 22.8v22.82025-09-09
CVE-2025-55139 [MEDIUM] CWE-918 CVE-2025-55139: SSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivant
SSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with admin privileges to enumerate internal services.
nvd
CVE-2025-8712MEDIUMCVSS 5.4fixed in 22.8v22.82025-09-09
CVE-2025-8712 [MEDIUM] CWE-862 CVE-2025-8712: Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure befor
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure restricted settings.
nvd
CVE-2025-55144MEDIUMCVSS 5.4fixed in 22.8v22.82025-09-09
CVE-2025-55144 [MEDIUM] CWE-862 CVE-2025-55144: Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure befor
Missing authorization in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with read-only admin privileges to configure restricted settings.
nvd
CVE-2025-8711MEDIUMCVSS 5.4fixed in 22.8v22.82025-09-09
CVE-2025-8711 [MEDIUM] CWE-352 CVE-2025-8711: CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivant
CSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to execute limited actions on behalf of the victim user. User interaction is required.
nvd
CVE-2025-55143MEDIUMCVSS 6.1fixed in 22.8v22.82025-09-09
CVE-2025-55143 [MEDIUM] CWE-79 CVE-2025-55143: Reflected text injection in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure be
Reflected text injection in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to inject arbitrary text into a crafted HTTP response. User interaction is
nvd
CVE-2025-5456HIGHCVSS 7.5fixed in 22.8v22.82025-08-12
CVE-2025-5456 [HIGH] CWE-125 CVE-2025-5456: A buffer over-read vulnerability in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy S
A buffer over-read vulnerability in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to trigger a denial of service. CWE-125
nvd
CVE-2025-5462HIGHCVSS 7.5fixed in 22.8v22.82025-08-12
CVE-2025-5462 [HIGH] CWE-122 CVE-2025-5462: A heap-based buffer overflow in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secur
A heap-based buffer overflow in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to trigger a denial of service.
nvd
CVE-2025-5468MEDIUMCVSS 5.5fixed in 22.8v22.82025-08-12
CVE-2025-5468 [MEDIUM] CWE-61 CVE-2025-5468: Improper handling of symbolic links in Ivanti Connect Secure before version 22.7R2.8 or 22.8R2, Ivan
Improper handling of symbolic links in Ivanti Connect Secure before version 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a local authenticated attacker to read arbitrary files on disk.
nvd
CVE-2025-5466MEDIUMCVSS 4.9fixed in 22.8v22.82025-08-12
CVE-2025-5466 [MEDIUM] CWE-776 CVE-2025-5466: XEE in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti
XEE in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with admin privileges to trigger a denial of service
nvd