Ivanti Neurons ITSM Vulnerabilities Expose Session Persistence Risks

A recently disclosed set of vulnerabilities in Ivanti Neurons for IT Service Management (ITSM) has raised significant concerns regarding the security of enterprise systems. Identified as CVE-2026-4913 and CVE-2026-4914, these flaws could allow attackers to maintain unauthorized access to systems even after administrative actions, such as account deactivation, have been taken.

Overview of the Vulnerabilities

Ivanti has issued a security advisory detailing these vulnerabilities, which could enable remote authenticated attackers to hijack user sessions or persist in them. This poses a serious risk, as it allows unauthorized access to sensitive information and operational data within the ITSM environment. The vulnerabilities affect both on-premises and cloud deployments running version 2025.3 and earlier. Notably, Ivanti has stated that, as of April 14, 2026, there is no evidence of active exploitation in real-world attacks.

In its advisory, Ivanti confirmed that it is unaware of any customers being exploited due to these vulnerabilities at the time of disclosure. The vulnerabilities were identified through a responsible disclosure program, highlighting the importance of proactive security measures in the industry.

Technical Breakdown of ITSM Vulnerabilities

The two vulnerabilities, CVE-2026-4913 and CVE-2026-4914, exhibit distinct behaviors but share a common reliance on some level of authenticated access or user interaction.

CVE-2026-4913: Session Persistence After Account Deactivation

CVE-2026-4913 is classified as an “improper protection of an alternate path” vulnerability (CWE-424). It affects versions of Ivanti Neurons for ITSM prior to 2025.4 and carries a CVSS score of 5.7 (Medium). The vulnerability allows a remote authenticated attacker to retain access to the system even after their account has been disabled. This means that users with previously valid credentials could continue to interact with the platform through an alternate access path, effectively bypassing expected session termination controls.
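The general pattern behind a CWE-424 session-persistence flaw is that authorization relies on the session token alone, so disabling the account never reaches the sessions already issued. The following is an added illustration written for this article, not Ivanti's code and not a description of how Ivanti Neurons for ITSM implements sessions: a constructed in-memory session store in its weak form (token present and unexpired is enough) beside a hardened form that re-checks the account's current state on every request and revokes all of an account's sessions at the moment it is disabled. All class and function names are hypothetical.

```python
"""Constructed example: why session authorization must be bound to live account
state rather than token validity alone. Not Ivanti code; names are illustrative."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    username: str
    active: bool = True


@dataclass
class Session:
    username: str
    issued_at: float
    ttl_seconds: int = 3600

    def expired(self, now: float) -> bool:
        return now - self.issued_at > self.ttl_seconds


class WeakSessionStore:
    """Authorization depends only on the token being present and unexpired."""

    def __init__(self, users: dict[str, User]) -> None:
        self.users = users
        self.sessions: dict[str, Session] = {}

    def login(self, username: str, now: float) -> str:
        # Account state is checked once, at login, and never again.
        if not self.users[username].active:
            raise PermissionError("account disabled")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, now)
        return token

    def deactivate(self, username: str) -> None:
        # Flips the flag but leaves live sessions untouched: the alternate path.
        self.users[username].active = False

    def authorize(self, token: str, now: float) -> bool:
        session = self.sessions.get(token)
        return session is not None and not session.expired(now)


class HardenedSessionStore(WeakSessionStore):
    """Every request re-checks the account, and deactivation revokes sessions."""

    def deactivate(self, username: str) -> None:
        super().deactivate(username)
        # Revoke every session belonging to the account as it is disabled.
        self.sessions = {
            tok: s for tok, s in self.sessions.items() if s.username != username
        }

    def authorize(self, token: str, now: float) -> bool:
        session = self.sessions.get(token)
        if session is None or session.expired(now):
            return False
        user = self.users.get(session.username)
        # Defence in depth: if revocation were ever missed, a disabled
        # account still fails here on the next request.
        return user is not None and user.active


def demo(store_cls) -> tuple[bool, bool]:
    """Log in, disable the account, then replay the old token.

    Returns (authorized_before_deactivation, authorized_after_deactivation).
    """
    users = {"alice": User("alice")}  # constructed sample account
    store = store_cls(users)
    now = time.time()
    token = store.login("alice", now)
    before = store.authorize(token, now)
    store.deactivate("alice")
    after = store.authorize(token, now + 1)
    return before, after


if __name__ == "__main__":
    print("weak:", demo(WeakSessionStore))          # (True, True): survives deactivation
    print("hardened:", demo(HardenedSessionStore))  # (True, False): cut off immediately
```

The hardened store does both things on purpose: revoking at deactivation time closes the window immediately, while the per-request account check covers any path (replicas, caches, a second token store) that the revocation did not reach. Auditing an application for this class of issue means asking the same two questions of every authorization path, including API keys and refresh tokens, not only the interactive web session.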

CVE-2026-4914: Stored XSS and Session Data Exposure

CVE-2026-4914 is a stored cross-site scripting (XSS) vulnerability (CWE-79) with a CVSS score of 5.4 (Medium). This flaw allows a remote authenticated attacker to inject malicious scripts that may execute in another user’s session, provided user interaction occurs. Successful exploitation could lead to limited information disclosure from other sessions, posing a risk to sensitive operational data within the ITSM environment.

Affected Versions and Fix Timeline

Both vulnerabilities impact Ivanti Neurons for ITSM version 2025.3 and earlier across various deployment models:

  • On-premises deployments: Versions 2025.3 and prior are affected, with fixes available in version 2025.4 via the Ivanti License System (ILS).
  • Cloud deployments: Versions 2025.3 and earlier were also impacted; however, Ivanti applied fixes automatically to all cloud environments on December 12, 2025.

The patched release, version 2025.4, addresses both CVE-2026-4913 and CVE-2026-4914.

Mitigation Guidance for Ivanti Neurons Users

To mitigate exposure to these vulnerabilities, Ivanti recommends that organizations update their systems to version 2025.4 as soon as possible. The steps for mitigation differ depending on the deployment type:

  • Cloud customers: No action is required, as Ivanti has already implemented the necessary fixes across hosted environments.
  • On-premises deployments: Administrators and security teams must manually log into the Ivanti License System and apply the 2025.4 update without delay.

Detection and Support Considerations

Currently, Ivanti has not identified any indicators of compromise associated with these vulnerabilities, primarily due to the absence of known exploitation. Consequently, organizations may lack specific forensic markers to determine whether their systems were targeted.

For organizations requiring assistance, Ivanti recommends submitting a support request through its Success Portal to address any concerns related to Ivanti Neurons, CVE-2026-4913, or CVE-2026-4914.

For further details, refer to the original reporting source: thecyberexpress.com.
