CVE-2025-55145
📋 TL;DR
This vulnerability allows authenticated remote attackers to hijack existing HTML5 connections in Ivanti secure access products. It affects organizations using Ivanti Connect Secure, Policy Secure, ZTA Gateway, or Neurons for Secure Access with vulnerable versions. Attackers can potentially take over active user sessions.
💻 Affected Systems
- Ivanti Connect Secure
- Ivanti Policy Secure
- Ivanti ZTA Gateway
- Ivanti Neurons for Secure Access
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack administrative sessions, gain full control of the Ivanti appliance, pivot to internal networks, and compromise sensitive data.
Likely Case
Attackers hijack user sessions to access internal resources, steal credentials, or perform lateral movement within the network.
If Mitigated
With proper network segmentation and monitoring, impact is limited to session hijacking within the Ivanti environment.
🎯 Exploit Status
Requires authenticated access but could be chained with other vulnerabilities. HTML5 session hijacking suggests manipulation of WebSocket connections.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Connect Secure 22.7R2.9 or 22.8R2, Policy Secure 22.7R1.6, ZTA Gateway 2.8R2.3-723, Neurons for Secure Access 22.8R1.4
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the Ivanti support portal.
2. Back up the current configuration.
3. Apply the patch following Ivanti documentation.
4. Restart the appliance.
5. Verify version and functionality.
🔧 Temporary Workarounds
Restrict Access Controls
All platforms: Limit network access to Ivanti appliances to trusted IP ranges only
Session Timeout Reduction
All platforms: Reduce HTML5 session timeout values to minimize hijacking window
🧯 If You Can't Patch
- Isolate Ivanti appliances in a dedicated network segment with strict firewall rules
- Implement multi-factor authentication for all user accounts and monitor for suspicious session activity
🔍 How to Verify
Check if Vulnerable:
Check the appliance version in the Ivanti admin interface under System > Maintenance > Version Information
Check Version:
ssh admin@ivanti-appliance 'show version' or check web admin interface
Verify Fix Applied:
Verify version matches patched versions listed in the advisory and test HTML5 connectivity
📡 Detection & Monitoring
Log Indicators:
- Multiple HTML5 sessions from same user/IP
- Session ID reuse anomalies
- Unexpected connection terminations
Network Indicators:
- Abnormal WebSocket traffic patterns
- Multiple connections to same HTML5 port from different sources
SIEM Query:
source="ivanti*" AND (event="session_hijack" OR event="connection_anomaly")
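The "Session ID reuse anomalies" and "multiple connections from different sources" indicators above can be checked offline against exported session events. The following is an added example, not code from Ivanti or this advisory; the key=value log layout, the field names (`user`, `sid`, `src`, `event`) and the 15-minute window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The key=value layout and field names are
# assumptions for illustration, not Ivanti's actual log format.
SAMPLE_LOG = """\
2025-09-10T09:00:02Z user=alice sid=a1f3 src=10.0.5.21 event=html5_connect
2025-09-10T09:00:40Z user=bob sid=77c2 src=10.0.5.30 event=html5_connect
2025-09-10T09:03:15Z user=alice sid=a1f3 src=10.0.5.21 event=html5_connect
2025-09-10T09:04:51Z user=alice sid=a1f3 src=203.0.113.8 event=html5_connect
2025-09-10T11:30:00Z user=bob sid=77c2 src=10.0.9.14 event=html5_connect
"""

def parse_line(line):
    """Split one event line into (timestamp, fields); None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"sid", "src"} <= fields.keys():
        return None
    return ts, fields

def find_session_reuse(log_text, window=timedelta(minutes=15)):
    """Alert when one session ID is used from two sources within `window`."""
    last_seen = defaultdict(dict)  # sid -> {source address: last timestamp}
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the assumed layout
        ts, f = parsed
        for other_src, other_ts in last_seen[f["sid"]].items():
            if other_src != f["src"] and abs(ts - other_ts) <= window:
                alerts.append({"sid": f["sid"], "user": f.get("user"),
                               "sources": sorted([other_src, f["src"]]),
                               "at": ts.isoformat()})
        last_seen[f["sid"]][f["src"]] = ts
    return alerts

if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_LOG):
        print(alert)
```

A source change long after the last activity (the `77c2` session in the sample) is not flagged at the default window; widen `window` to match the configured session timeout if roaming clients are rare in your environment.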