CVE-2025-55143

Summary

Reflected text injection in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to inject arbitrary text into a crafted HTTP response. User interaction is required.

Affected Software

VendorProductVersion RangeStatus
IvantiConnect Secure22.7R2.9unaffected
IvantiConnect Secure22.8R2unaffected
IvantiPolicy Secure22.7R1.6unaffected
IvantiZTA Gateway2.8R2.3-723unaffected
IvantiNeurons for Secure Access22.8R1.4 (Fix deployed on 02-Aug-2025)unaffected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References