CVE-2025-55143
📋 TL;DR
This reflected text injection vulnerability in Ivanti secure access products allows unauthenticated attackers to inject arbitrary text into HTTP responses. Attackers can craft malicious links that, when clicked by users, display attacker-controlled content in the victim's browser. Affected systems include Ivanti Connect Secure, Policy Secure, ZTA Gateway, and Neurons for Secure Access before specific patched versions.
💻 Affected Systems
- Ivanti Connect Secure
- Ivanti Policy Secure
- Ivanti ZTA Gateway
- Ivanti Neurons for Secure Access
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious scripts or phishing content that appears legitimate, potentially leading to credential theft, session hijacking, or malware distribution when users interact with crafted links.
Likely Case
Attackers create convincing phishing pages or inject misleading content that appears to come from legitimate Ivanti interfaces, tricking users into disclosing credentials or performing unintended actions.
If Mitigated
With proper input validation and output encoding, injected content would be properly sanitized and displayed as plain text rather than executable code.
🎯 Exploit Status
Attack is unauthenticated but requires user interaction. Attackers need to craft malicious URLs and trick users into clicking them.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Connect Secure 22.7R2.9 or 22.8R2, Policy Secure 22.7R1.6, ZTA Gateway 2.8R2.3-723, Neurons for Secure Access 22.8R1.4
Restart Required: No
Instructions:
1. Log into the Ivanti admin portal.
2. Navigate to System > Maintenance > Software Updates.
3. Download and apply the appropriate patch for your product version.
4. Verify the update completed successfully.
🔧 Temporary Workarounds
Input Validation Filter
Implement web application firewall rules to filter suspicious input patterns in HTTP requests
Content Security Policy
Implement strict CSP headers to limit script execution from untrusted sources
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Ivanti management interfaces
- Deploy web application firewall with XSS protection rules in front of Ivanti appliances
🔍 How to Verify
Check if Vulnerable:
Check the current version via the admin interface (System > Maintenance > About), or SSH to the appliance and run 'cat /etc/version'
Check Version:
ssh admin@ivanti-appliance 'cat /etc/version'
Verify Fix Applied:
Verify that the version matches or exceeds the patched versions listed in the advisory, then test with safe payloads to confirm sanitization
📡 Detection & Monitoring
Log Indicators:
- Unusually long URLs with encoded characters in access logs
- Multiple failed attempts with crafted parameters
- Requests containing suspicious script-like patterns
Network Indicators:
- HTTP requests with unusually long query parameters
- Requests containing <script> tags or JavaScript patterns in URLs
SIEM Query:
source="ivanti_access_logs" AND (url="*%3Cscript*" OR url="*javascript:*" OR url_length>2000)
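The log and network indicators above can be checked offline against exported access logs. The following is an added example, not code from the advisory or from Ivanti: it applies the same three indicators as the SIEM query (encoded or plain `<script`, `javascript:`, and URL length over 2000) to a handful of constructed, Common-Log-style sample lines, which are an assumption about the format and not Ivanti's real log layout.

```python
import re
from urllib.parse import unquote

# Thresholds and patterns mirror the advisory's SIEM query.
URL_LENGTH_LIMIT = 2000
SCRIPT_PATTERN = re.compile(r"<\s*script|javascript:", re.IGNORECASE)

# Assumed Common-Log-style line format (constructed for this example, not Ivanti's).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

def decode_url(url: str) -> str:
    """Percent-decode up to three times so double-encoded payloads (%253C) are still seen."""
    cur = url
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur

def classify_request(url: str) -> list[str]:
    """Return the names of the advisory's indicators that this request URL triggers."""
    hits = []
    if SCRIPT_PATTERN.search(decode_url(url)):
        hits.append("script_pattern")
    if len(url) > URL_LENGTH_LIMIT:   # raw (still encoded) length, as in the SIEM query
        hits.append("long_url")
    return hits

def scan_log(lines):
    """Return (source_ip, url, indicators) for every parseable line that triggers an indicator."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                   # skip lines in an unexpected format rather than fail
        hits = classify_request(m.group("url"))
        if hits:
            findings.append((m.group("ip"), m.group("url"), hits))
    return findings

# Constructed sample lines (not real Ivanti logs); paths are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2025:10:00:01 +0000] "GET /portal/login HTTP/1.1" 200',
    '198.51.100.7 - - [10/Aug/2025:10:00:02 +0000] "GET /portal/login?p=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200',
    '198.51.100.7 - - [10/Aug/2025:10:00:03 +0000] "GET /portal/login?p=%253Cscript%253E HTTP/1.1" 200',
    '198.51.100.9 - - [10/Aug/2025:10:00:04 +0000] "GET /portal/x?q=' + "A" * 2100 + ' HTTP/1.1" 404',
]

if __name__ == "__main__":
    for ip, url, hits in scan_log(SAMPLE_LOG):
        print(ip, hits, url[:60])
```

The decode step matters because the advisory's query only matches the literal `%3Cscript` encoding; a double-encoded parameter would slip past it unless decoding is repeated before matching.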