Improper handling of symbolic links in Ivanti Connect Secure before version 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a local authenticated attacker to read arbitrary files on disk.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 23 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Ivanti zero Trust Access Gateway
CPEs cpe:2.3:a:ivanti:connect_secure:*:*:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.7:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.7:r1.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.7:r1.2:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.7:r1.3:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.7:r1.4:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.7:r1.5:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.7:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.7:r2.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.7:r2.2:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.7:r2.3:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.7:r2.4:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.7:r2.5:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.7:r2.6:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.7:r2.7:*:*:*:*:*:*
cpe:2.3:a:ivanti:connect_secure:22.7:r2:*:*:*:*:*:*
cpe:2.3:a:ivanti:neurons_for_secure_access:*:*:*:*:*:*:*:*
cpe:2.3:a:ivanti:neurons_for_secure_access:22.8:r1.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:neurons_for_secure_access:22.8:r1.2:*:*:*:*:*:*
cpe:2.3:a:ivanti:neurons_for_secure_access:22.8:r1.3:*:*:*:*:*:*
cpe:2.3:a:ivanti:neurons_for_secure_access:22.8:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:*:*:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.7:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.7:r1.1:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.7:r1.2:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.7:r1.3:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.7:r1.4:*:*:*:*:*:*
cpe:2.3:a:ivanti:policy_secure:22.7:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:zero_trust_access_gateway:22.8:r2.2:*:*:*:*:*:*
Vendors & Products Ivanti zero Trust Access Gateway

Tue, 12 Aug 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Ivanti
Ivanti connect Secure
Ivanti neurons For Secure Access
Ivanti policy Secure
Ivanti zta Gateway
Vendors & Products Ivanti
Ivanti connect Secure
Ivanti neurons For Secure Access
Ivanti policy Secure
Ivanti zta Gateway

Tue, 12 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Description Improper handling of symbolic links in Ivanti Connect Secure before version 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a local authenticated attacker to read arbitrary files on disk.
Weaknesses CWE-61
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2025-08-12T18:58:34.165Z

Reserved: 2025-06-02T12:18:33.865Z

Link: CVE-2025-5468

cve-icon Vulnrichment

Updated: 2025-08-12T18:58:29.965Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-12T15:15:31.280

Modified: 2025-09-23T18:17:23.940

Link: CVE-2025-5468

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-12T19:53:14Z