CVE-2025-5450

Improper access control in the certificate management component of Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated admin with read-only rights to modify settings that should be restricted.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://forums.ivanti.com/s/article/July-Security-Advisory-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Multiple-CVEs	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ivanti:connect_secure::::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:-::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r1::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r1.1::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r1.2::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r1.3::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r1.4::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r1.5::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r2::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r2.1::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r2.2::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r2.3::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r2.4::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r2.5::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r2.6::::::
	cpe:2.3:a:ivanti:connect_secure:22.7:r2.7::::::
	cpe:2.3:a:ivanti:policy_secure::::::::
	cpe:2.3:a:ivanti:policy_secure:22.7:-::::::
	cpe:2.3:a:ivanti:policy_secure:22.7:r1::::::
	cpe:2.3:a:ivanti:policy_secure:22.7:r1.1::::::
	cpe:2.3:a:ivanti:policy_secure:22.7:r1.2::::::
	cpe:2.3:a:ivanti:policy_secure:22.7:r1.3::::::
	cpe:2.3:a:ivanti:policy_secure:22.7:r1.4::::::

History

15 Jul 2025, 13:23

Type	Values Removed	Values Added
References	~~() https://forums.ivanti.com/s/article/July-Security-Advisory-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Multiple-CVEs -~~	() https://forums.ivanti.com/s/article/July-Security-Advisory-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Multiple-CVEs - Vendor Advisory
CPE		cpe:2.3:a:ivanti:connect_secure:22.7:r1.4:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r1.2:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r2.3:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r1.3:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r1.1:::::: cpe:2.3:a:ivanti:connect_secure:::::::: cpe:2.3:a:ivanti:connect_secure:22.7:r2.1:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r1:::::: cpe:2.3:a:ivanti:policy_secure:22.7:-:::::: cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r1.5:::::: cpe:2.3:a:ivanti:policy_secure:22.7:r1.1:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r2.6:::::: cpe:2.3:a:ivanti:policy_secure:22.7:r1.4:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r2.7:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r2:::::: cpe:2.3:a:ivanti:policy_secure:::::::: cpe:2.3:a:ivanti:connect_secure:22.7:r2.4:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r2.2:::::: cpe:2.3:a:ivanti:connect_secure:22.7:-:::::: cpe:2.3:a:ivanti:policy_secure:22.7:r1.3:::::: cpe:2.3:a:ivanti:policy_secure:22.7:r1:::::: cpe:2.3:a:ivanti:connect_secure:22.7:r2.5::::::
Summary		(es) El control de acceso inadecuado en el componente de administración de certificados de Ivanti Connect Secure anterior a la versión 22.7R2.8 y de Ivanti Policy Secure anterior a la versión 22.7R1.5 permite que un administrador autenticado remoto con derechos de solo lectura modifique configuraciones que deberían estar restringidas.
First Time		Ivanti connect Secure Ivanti Ivanti policy Secure

08 Jul 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-08 15:15

Updated : 2025-07-15 13:23

NVD link : CVE-2025-5450

Mitre link : CVE-2025-5450

CVE.ORG link : CVE-2025-5450

JSON object : View

Products Affected

ivanti

policy_secure
connect_secure

CWE

CWE-602

Client-Side Enforcement of Server-Side Security

6.3 /10