Ivanti Connect Secure
cpe:2.3:a:ivanti:connect_secure:*:*:*:*:*:*:*
- <= 22.7R2.8
A reflected text injection vulnerability has been identified in multiple Ivanti products, including Ivanti Connect Secure versions prior to 22.7R2.9 or 22.8R2, Ivanti Policy Secure versions prior to 22.7R1.6, Ivanti ZTA Gateway versions prior to 2.8R2.3-723, and Ivanti Neurons for Secure Access versions prior to 22.8R1.4. It allows a remote unauthenticated attacker to inject arbitrary text into a crafted HTTP response; exploitation requires user interaction.
Successful exploitation lets an attacker inject arbitrary text into an HTTP response. Depending on the context in which the injected text is displayed, this could potentially be used for cross-site scripting (XSS) attacks.
Users of Ivanti Connect Secure should update to version 22.7R2.9 or 22.8R2. Users of Ivanti Policy Secure should update to version 22.7R1.5. For Ivanti ZTA Gateways, version 22.8R2.3-723 is available in the controller for download. Ivanti Neurons for Secure Access has already applied the fix in cloud environments as of August 2, 2025.