vulnerability
Pulse Secure Pulse Connect Secure: September Security Advisory Ivanti Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access (Multiple CVEs)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:M/Au:N/C:P/I:P/A:N) | Sep 9, 2025 | Sep 16, 2025 | Mar 26, 2026 |
Severity
6
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published
Sep 9, 2025
Added
Sep 16, 2025
Modified
Mar 26, 2026
Description
Reflected text injection in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to inject arbitrary text into a crafted HTTP response. User interaction is required.
Solutions
pulse-secure-pulse-connect-secure-upgrade-22_7r2_9pulse-secure-pulse-connect-secure-upgrade-22_8r2
References
- CVE-2025-55143
- https://attackerkb.com/topics/CVE-2025-55143
- https://forums.ivanti.com/s/article/September-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-and-Neurons-for-Secure-Access-Multiple-CVEs?language=en_US
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-27282
- CWE-79
- EUVD-EUVD-2025-27282
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.