Ivanti Neurons for ITSM Vulnerabilities Allow Remote Attacker to Obtain User Sessions

Ivanti has released security updates addressing two medium-severity vulnerabilities in Ivanti Neurons for ITSM (N-ITSM), its on-premise IT service management platform.

The flaws, if exploited, could allow remote authenticated attackers to retain unauthorized access or harvest session data from other users.

The company confirmed it is not aware of any active exploitation of either vulnerability at the time of public disclosure. Both issues were reported through Ivanti’s responsible disclosure program and are patched in the newly released version 2025.4.

CVE-2026-4913: Improper Path Protection Flaw

The first vulnerability, CVE-2026-4913, has a CVSS score of 5.7 (Medium) and is classified under CWE-424 (Protection Mechanism Failure). The flaw stems from improper protection of an alternate path in Ivanti N-ITSM versions prior to 2025.4.

A remote authenticated attacker could exploit this vulnerability to retain access to the system even after their account has been disabled by an administrator.

This type of bypass is particularly dangerous in enterprise environments where revoking access promptly, especially during insider threat incidents or employee offboarding, is a critical security control.

The vulnerability is network accessible, requires low privileges, and requires user interaction to trigger, contributing to its medium severity rating.

CVE-2026-4914: Stored XSS Enables Cross-Session Data Theft

The second flaw, CVE-2026-4914, is a stored cross-site scripting (XSS) vulnerability with a CVSS score of 5.4 (Medium), classified under CWE-79. In Ivanti N-ITSM versions prior to 2025.4, the vulnerability allows a remote, authenticated attacker to inject malicious scripts that execute in the context of other users’ sessions.

By exploiting this flaw, an attacker could obtain limited information from other user sessions, potentially capturing session tokens, credentials, or sensitive ITSM data.

The attack requires user interaction, meaning a victim must access the maliciously crafted content for the exploit to succeed. The vulnerability’s cross-scope impact (S:C in the CVSS vector) indicates effects can extend beyond the immediate session.

Both vulnerabilities affect Ivanti Neurons for ITSM version 2025.3 and all prior releases, across both on-premise and cloud deployments.

• On-premise customers must manually upgrade to version 2025.4, available through the Ivanti License System (ILS).
• Cloud customers require no action, as Ivanti applied the fix to all cloud environments on December 12, 2025.

Ivanti urges all on-premise customers to apply the 2025.4 update immediately. No indicators of compromise are currently available, as no public exploitation has been observed.

Organizations running older versions should treat the upgrade as a priority, particularly given the access-retention risk posed by CVE-2026-4913 in environments with strict access control policies.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Ivanti Neurons for ITSM Vulnerabilities Allow Remote Attacker to Obtain User Sessions appeared first on Cyber Security News.