SSRF in Ivanti Connect Secure before 22.7R2.9 or 22.8R2, Ivanti Policy Secure before 22.7R1.6, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with admin privileges to enumerate internal services.
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Connect_secure | Ivanti | * | 22.7 (excluding) |
| Connect_secure | Ivanti | 22.7 (including) | 22.7 (including) |
| Connect_secure | Ivanti | 22.7-r1 (including) | 22.7-r1 (including) |
| Connect_secure | Ivanti | 22.7-r1.1 (including) | 22.7-r1.1 (including) |
| Connect_secure | Ivanti | 22.7-r1.2 (including) | 22.7-r1.2 (including) |
| Connect_secure | Ivanti | 22.7-r1.3 (including) | 22.7-r1.3 (including) |
| Connect_secure | Ivanti | 22.7-r1.4 (including) | 22.7-r1.4 (including) |
| Connect_secure | Ivanti | 22.7-r1.5 (including) | 22.7-r1.5 (including) |
| Connect_secure | Ivanti | 22.7-r2 (including) | 22.7-r2 (including) |
| Connect_secure | Ivanti | 22.7-r2.1 (including) | 22.7-r2.1 (including) |
| Connect_secure | Ivanti | 22.7-r2.2 (including) | 22.7-r2.2 (including) |
| Connect_secure | Ivanti | 22.7-r2.3 (including) | 22.7-r2.3 (including) |
| Connect_secure | Ivanti | 22.7-r2.4 (including) | 22.7-r2.4 (including) |
| Connect_secure | Ivanti | 22.7-r2.5 (including) | 22.7-r2.5 (including) |
| Connect_secure | Ivanti | 22.7-r2.6 (including) | 22.7-r2.6 (including) |
| Connect_secure | Ivanti | 22.7-r2.7 (including) | 22.7-r2.7 (including) |
| Connect_secure | Ivanti | 22.7-r2.8 (including) | 22.7-r2.8 (including) |