Ivanti Neurons ITSM Flaws Allow Remote User Vulnerabilities Attacker

Two medium-severity vulnerabilities in Ivanti Neurons for ITSM (N-ITSM), Ivanti’s on-premise IT service management platform, have prompted the company to release security updates.

The flaws, if exploited, could allow remote authenticated attackers to retain unauthorized access or harvest session data from other users.

The company confirmed it is not aware of any active exploitation of either vulnerability at the time of public disclosure. Both issues were reported through Ivanti’s responsible disclosure program and are patched in the newly released version 2025.4.

CVE-2026-4913: Improper Path Protection Flaw

The first vulnerability, CVE-2026-4913, has a CVSS score of 5.7 (Medium) and is classified under CWE-424 (Protection Mechanism Failure). The flaw stems from improper protection of an alternate path in Ivanti N-ITSM versions prior to 2025.4.

A remote authenticated attacker could exploit this vulnerability to retain access to the system even after their account has been disabled by an administrator.

This type of bypass is particularly dangerous in enterprise environments where revoking access promptly, especially during insider threat incidents or employee offboarding, is a critical security control.

The vulnerability is network accessible, requires low privileges, and requires user interaction to trigger, contributing to its medium severity rating.

CVE-2026-4914: Stored XSS Enables Cross-Session Data Theft

The second flaw, CVE-2026-4914, is a stored cross-site scripting (XSS) vulnerability with a CVSS score of 5.4 (Medium), classified under CWE-79. In Ivanti N-ITSM versions prior to 2025.4, the vulnerability allows a remote, authenticated attacker to inject malicious scripts that execute in the context of other users’ sessions.

By exploiting this flaw, an attacker could obtain limited information from other user sessions, potentially capturing session tokens, credentials, or sensitive ITSM data.

The attack requires user interaction, meaning a victim must access the maliciously crafted content for the exploit to succeed. The vulnerability’s cross-scope impact (S:C in the CVSS vector) indicates effects can extend beyond the immediate session.

Both vulnerabilities affect Ivanti Neurons for ITSM version 2025.3 and all prior releases, across both on-premise and cloud deployments.

• On-premise customers must manually upgrade to version 2025.4, available through the Ivanti License System (ILS).
• Cloud customers require no action, as Ivanti applied the fix to all cloud environments on December 12, 2025.

Ivanti urges all on-premise customers to apply the 2025.4 update immediately. No indicators of compromise are currently available, as no public exploitation has been observed.

Organizations running older versions should treat the upgrade as a priority, particularly given the access-retention risk posed by CVE-2026-4913 in environments with strict access control policies.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.