
CVE-2025-55143: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Ivanti Connect Secure

Severity: Medium
Published: Tue Sep 09 2025 (09/09/2025, 15:52:50 UTC)
Source: CVE Database V5
Vendor/Project: Ivanti
Product: Connect Secure

Description

Reflected text injection in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to inject arbitrary text into a crafted HTTP response. User interaction is required.

AI-Powered Analysis

Last updated: 09/09/2025, 16:00:31 UTC

Technical Analysis

CVE-2025-55143 is a reflected cross-site scripting (XSS) vulnerability classified under CWE-79, affecting multiple Ivanti products including Connect Secure, Policy Secure, ZTA Gateway, and Neurons for Secure Access. The vulnerability exists in versions prior to 22.7R2.9 or 22.8R2 for Connect Secure, prior to 22.7R1.6 for Policy Secure, prior to 2.8R2.3-723 for ZTA Gateway, and prior to 22.8R1.4 for Neurons for Secure Access. This flaw allows a remote, unauthenticated attacker to inject arbitrary text into a crafted HTTP response due to improper neutralization of input during web page generation. The injection occurs in a reflected manner, meaning the malicious payload is included in the HTTP response generated by the server and reflected back to the user’s browser. Exploitation requires user interaction, typically by convincing a user to click a malicious link or visit a crafted URL. The vulnerability has a CVSS v3.1 base score of 6.1, indicating a medium severity level. The attack vector is network-based (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact affects confidentiality and integrity to a limited extent (C:L, I:L), but does not impact availability (A:N). No known exploits are currently reported in the wild, and a fix was deployed on August 2, 2025. The vulnerability could allow attackers to execute arbitrary scripts in the context of the victim’s browser session, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user within the Ivanti web applications.

Potential Impact

For European organizations using Ivanti Connect Secure and related products, this vulnerability poses a moderate risk. Ivanti products are often used to provide secure remote access and policy enforcement, making them critical components in enterprise security architectures. Successful exploitation could lead to unauthorized disclosure of sensitive information or manipulation of user sessions, undermining the confidentiality and integrity of corporate data. Given the requirement for user interaction, phishing or social engineering campaigns could be leveraged by attackers to exploit this vulnerability. This is particularly concerning for organizations with remote workforces or those relying heavily on Ivanti’s secure access solutions. While availability is not impacted, the potential for session hijacking or unauthorized actions could disrupt business operations or lead to compliance violations under GDPR if personal data is compromised. The absence of known exploits in the wild currently reduces immediate risk, but the medium severity rating and broad product impact necessitate prompt attention.

Mitigation Recommendations

European organizations should immediately verify their Ivanti product versions and apply the vendor-provided patches released on August 2, 2025. If patching is not immediately feasible, organizations should implement web application firewall (WAF) rules to detect and block suspicious input patterns indicative of reflected XSS attempts targeting Ivanti web interfaces. Additionally, organizations should enforce strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing Ivanti portals. User awareness training should be enhanced to reduce the risk of successful phishing or social engineering attacks that could trigger exploitation. Monitoring web server logs for unusual or suspicious HTTP requests containing script tags or encoded payloads can help detect attempted exploitation. Finally, review and harden input validation and output encoding practices in custom integrations or extensions interfacing with Ivanti products to minimize injection risks.
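The log-monitoring step above can be sketched as follows. This is an added example, not code from Ivanti or from this page's source; the log lines are constructed, and the `/portal/login` path and `msg` parameter are hypothetical stand-ins for whatever the appliance's access logs actually record. It decodes nested percent-encoding before matching, since encoded payloads are the case the recommendation calls out.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (combined log format). The /portal/login
# path and the msg parameter are hypothetical, not real Ivanti endpoints.
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Sep/2025:16:01:02 +0000] "GET /portal/login?msg=Session+expired HTTP/1.1" 200 5120',
    '203.0.113.9 - - [09/Sep/2025:16:01:40 +0000] "GET /portal/login?msg=%3Ch1%3EPortal+moved%3C%2Fh1%3E HTTP/1.1" 200 5188',
    '203.0.113.9 - - [09/Sep/2025:16:02:11 +0000] "GET /portal/login?lang=en&msg=%253Cb%253Enotice%253C%252Fb%253E HTTP/1.1" 200 5164',
    '198.51.100.7 - - [09/Sep/2025:16:03:00 +0000] "GET /portal/login?next=%2Fhome&lang=en HTTP/1.1" 200 5120',
]

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')

# Markup that should never appear in a parameter value reflected by a login page.
SUSPICIOUS_RE = re.compile(
    r"<\s*/?\s*[a-z!]"      # opening or closing HTML tag
    r"|\bon[a-z]+\s*="      # inline event-handler attribute
    r"|javascript\s*:",     # javascript: URL scheme
    re.IGNORECASE,
)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <), bounded to max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_log(lines):
    """Return (client, path, parameter, decoded value) for each suspicious parameter."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse; skip rather than guess
        client, target = m.groups()
        parts = urlsplit(target)
        # parse_qsl already decodes once; fully_decode peels any further layers.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = fully_decode(value)
            if SUSPICIOUS_RE.search(decoded):
                findings.append((client, parts.path, name, decoded))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Grouping the findings by client address and by parameter name shows whether hits are one-off scans or a link being circulated to users, which matters here because exploitation requires user interaction.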


Technical Details

Data Version: 5.1
Assigner Short Name: ivanti
Date Reserved: 2025-08-07T16:15:48.896Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68c04ef982742f13ef72ee72

Added to database: 9/9/2025, 3:59:53 PM

Last enriched: 9/9/2025, 4:00:31 PM

Last updated: 9/9/2025, 9:12:27 PM
