Ivanti Neurons for ITSM Vulnerability Lets Authenticated Attackers Gain Admin Access


Ivanti has fixed a high-severity vulnerability in Ivanti Neurons for ITSM that could allow a remote authenticated attacker to gain administrative access to the platform.

The flaw, tracked as CVE-2026-9614, affects both cloud and on-premises deployments. It has a CVSS 3.1 score of 8.8 and stems from improper access control, meaning an attacker with limited valid credentials could escalate privileges without user interaction.

Ivanti said in its June 2026 security update that it was not aware of any customers being exploited through the vulnerability at the time of publication. Even so, administrators should apply the available fixes quickly because successful exploitation can expose sensitive IT service data and administrative controls.

Why this Ivanti ITSM flaw matters

Ivanti Neurons for ITSM is used by enterprises to manage IT service workflows, support tickets, incidents, requests, assets, change management, automation, dashboards, and related service operations.

The official Ivanti Neurons for ITSM product page describes the platform as a service management solution that can support help desk workflows, automation, ITIL processes, dashboards, integrations, and role-based access controls.

Administrative access to such a platform can carry serious impact. An attacker who gains admin privileges could review tickets, alter workflows, change user roles, access sensitive records, manipulate integrations, and create persistence inside a system that IT teams rely on every day.

| Vulnerability detail | Information |
| --- | --- |
| CVE | CVE-2026-9614 |
| Product | Ivanti Neurons for ITSM |
| Deployment types | Cloud and on-premises |
| Severity | High, CVSS 8.8 |
| Weakness type | Improper access control, CWE-284 |
| Attack requirements | Remote access and valid low-privilege credentials |
| Main impact | Administrative access to the ITSM environment |

How CVE-2026-9614 can be exploited

The vulnerability allows a remote authenticated attacker to gain administrator-level access. This means the attacker first needs valid credentials, but those credentials do not need to belong to an administrator.

The NVD entry lists the CVSS vector as AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, the attack can run over the network, has low attack complexity, requires low privileges, and does not require user interaction.

That combination makes the flaw especially important in environments where attackers may already have compromised a help desk account, contractor account, service account, or other low-privilege user account.

Affected Ivanti Neurons for ITSM versions

On-premises users need to pay close attention to their exact version and patch level. The CERT-FR advisory lists affected on-premises versions as 2025.2 before 2025.2 Patch 1, 2025.3 before 2025.3 Patch 1, and 2025.4 before 2025.4 Patch 1.

Cloud customers also appear in the affected product list, but Ivanti has already deployed fixes to cloud environments. CERT-FR lists affected cloud versions as 2026.1 before 2026.1 Patch 9 and 2026.2 before 2026.2 Patch 1.

The Canadian Centre for Cyber Security also issued an Ivanti security advisory, urging administrators to review Ivanti’s guidance and apply the necessary updates.

| Deployment | Affected versions | Fixed versions |
| --- | --- | --- |
| Cloud | 2026.1 before Patch 9 | 2026.1 Patch 9 |
| Cloud | 2026.2 before Patch 1 | 2026.2 Patch 1 |
| On-premises | 2025.2 before Patch 1 | 2025.2 Patch 1 |
| On-premises | 2025.3 before Patch 1 | 2025.3 Patch 1 |
| On-premises | 2025.4 before Patch 1 | 2025.4 Patch 1 |

Cloud customers have already received fixes

Ivanti said cloud fixes were deployed during updates for 2026.1 Patch 9 and 2026.2 Patch 1. Cloud customers should still verify their environment status and review administrative access for unusual changes.

Ivanti also said later updates addressed a separate logging issue related to IP address tracking. That logging issue is separate from CVE-2026-9614 and should not be confused with the privilege escalation flaw.

The Ivanti update says on-premises customers should review the advisory and apply the fix as soon as possible. Those users carry the highest immediate patching responsibility because they control their own deployment and maintenance schedule.

Why admin access to ITSM is high impact

ITSM platforms often contain sensitive operational data. Tickets may include internal troubleshooting notes, employee details, asset records, credentials pasted by mistake, configuration details, vulnerability references, outage history, and third-party support conversations.

They also connect to other systems. The Ivanti product page notes integration capabilities with enterprise platforms across HR, project management, security operations, endpoint management, asset management, and other IT workflows.

If an attacker gains admin access, they could use the ITSM platform as a visibility hub. They could also alter workflows, change approvals, create accounts, review incident data, or misuse integrations depending on the deployment.

No public indicators of compromise are available

Ivanti said it had no evidence of customer exploitation at disclosure time. The sample advisory also notes that there are no public indicators of compromise associated with the vulnerability.

That does not remove the need for investigation. A privilege escalation flaw may leave traces in application logs, user role changes, administrative activity, session history, integration events, or unusual workflow changes rather than a simple file hash or network indicator.

Administrators should compare current admin accounts and role assignments against a known-good baseline. They should also review recent changes made by low-privilege accounts, especially around roles, permissions, automations, dashboards, API access, and integrations.

What administrators should do now

On-premises customers should update to the relevant patched release immediately. They should obtain the update through Ivanti’s official customer channels and confirm that the patch level matches their deployment branch.

The Canadian Cyber Centre advisory lists Ivanti Neurons for ITSM on-premises 2025.4 and prior, and cloud 2026.1 and prior, as affected product families in its summary. CERT-FR provides the more granular patch-level breakdown.

Security teams should also review access controls after patching. The flaw falls under improper access control, so a role and permission audit can help identify unexpected privilege changes or risky configurations that could increase damage from account compromise.

  • Apply Ivanti Neurons for ITSM 2025.2 Patch 1, 2025.3 Patch 1, or 2025.4 Patch 1 for on-premises deployments.
  • Confirm cloud environments are on 2026.1 Patch 9 or 2026.2 Patch 1.
  • Review all administrator accounts and role assignments.
  • Audit recent role changes, user creation events, and permission changes.
  • Review access by low-privilege users for unusual administrative actions.
  • Check API tokens, integrations, automation workflows, and service accounts.
  • Enforce multifactor authentication for ITSM users, especially administrators.
  • Restrict ITSM admin access to trusted networks or managed access paths where possible.

How security teams should investigate possible abuse

Because exploitation requires authentication, defenders should look for signs that an attacker used a legitimate account before escalating. Compromised credentials, weak passwords, reused passwords, and exposed service accounts can all increase risk.

The CERT-FR notice describes the risk as a security policy bypass. That framing fits the likely investigation path: look for actions that a normal low-privilege user should not have been able to perform.

Useful logs may include login events, session changes, account updates, role assignments, administrative workflow edits, API calls, integration changes, and audit records tied to business object permissions.

| Investigation area | What to review | Why it matters |
| --- | --- | --- |
| User accounts | New admins, disabled accounts reenabled, unusual role changes | Can reveal privilege escalation or persistence |
| Authentication logs | New locations, odd session times, repeated low-privilege logins | Can show initial account compromise |
| API and integrations | New tokens, changed connectors, unusual automation edits | Attackers may use integrations to maintain access or move data |
| Ticket and workflow changes | Approval edits, routing changes, hidden tasks, deleted records | Admin access can alter operational processes |
| Audit logs | Actions by users who should not have admin rights | Helps identify the privilege boundary failure in practice |
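
The baseline comparison recommended earlier and the audit-log review in the table above can be combined into one check. This is an added example, not Ivanti tooling: the role names, action names, JSON field names and all records are constructed for illustration and do not reflect the product's actual export schema.

```python
import json

ADMIN_ROLE = "Administrator"  # assumed role name
# Assumed vocabulary of actions that only an administrator should perform.
ADMIN_ONLY = {"role_assigned", "user_created", "api_token_created",
              "integration_changed", "workflow_edited"}

# Constructed known-good snapshot (user -> roles) from before the exposure window.
BASELINE = {"alice.admin": {"Administrator"},
            "bob.desk": {"ServiceDeskAnalyst"},
            "svc.hr-sync": {"Integration"}}
# Constructed current role export.
CURRENT = {"alice.admin": {"Administrator"},
           "bob.desk": {"ServiceDeskAnalyst", "Administrator"},
           "svc.hr-sync": {"Integration"},
           "tmp.support": {"Administrator"}}
# Constructed audit records, one JSON object per line.
AUDIT_LOG = """
{"ts": "2026-06-10T02:14:07Z", "actor": "bob.desk", "action": "login", "target": "bob.desk"}
{"ts": "2026-06-10T02:16:40Z", "actor": "bob.desk", "action": "role_assigned", "target": "bob.desk"}
{"ts": "2026-06-10T02:17:12Z", "actor": "bob.desk", "action": "user_created", "target": "tmp.support"}
{"ts": "2026-06-10T09:03:55Z", "actor": "alice.admin", "action": "workflow_edited", "target": "change-approval"}
{"ts": "2026-06-10T09:40:21Z", "actor": "tmp.support", "action": "api_token_created", "target": "svc.hr-sync"}
{"ts": "2026-06-10T10:02:00Z", "actor": "svc.hr-sync", "action": "ticket_updated", "target": "INC-1001"}
"""

def admin_drift(baseline, current):
    """Accounts that hold the admin role now but did not in the baseline."""
    was = {u for u, roles in baseline.items() if ADMIN_ROLE in roles}
    now = {u for u, roles in current.items() if ADMIN_ROLE in roles}
    return sorted(now - was)

def boundary_violations(log_text, baseline):
    """Admin-only actions by actors who were not admins in the baseline."""
    # Judge actors by baseline role, not the role in effect at log time: an
    # escalated account already looks like an admin. Unknown actors count as non-admin.
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["action"] in ADMIN_ONLY and ADMIN_ROLE not in baseline.get(ev["actor"], set()):
            hits.append((ev["ts"], ev["actor"], ev["action"], ev["target"]))
    return hits

if __name__ == "__main__":
    print("unexpected admins:", admin_drift(BASELINE, CURRENT))
    print("review:", *boundary_violations(AUDIT_LOG, BASELINE), sep="\n  ")
```

Each hit still needs a human decision: a legitimate promotion made after the baseline was taken will appear here until the baseline is refreshed.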

Why privilege escalation bugs in ITSM tools are serious

ITSM systems sit close to the operational center of many organizations. They track incidents, assets, service requests, approvals, changes, and internal support activity.

That makes administrator access valuable to attackers. A compromised ITSM admin account can help them learn how the environment works, identify high-value systems, view incident response activity, and interfere with support workflows.

The issue also shows why SaaS and on-premises security responsibilities differ. Vendors can patch cloud services directly, but on-premises customers must schedule, test, and install updates in their own environments.

Bottom line for Ivanti Neurons for ITSM users

CVE-2026-9614 is a high-severity privilege escalation vulnerability, not an unauthenticated remote code execution flaw. However, its impact remains serious because successful exploitation can give a low-privilege authenticated attacker administrative access.

On-premises customers should patch immediately. Cloud customers should verify their environment received the fixed release and still review audit logs for suspicious role or permission changes.

The safest response is straightforward: patch, audit privileged users, review role-based access controls, and treat unusual administrative activity by low-privilege accounts as a high-priority event.

FAQ

What is CVE-2026-9614?

CVE-2026-9614 is an improper access control vulnerability in Ivanti Neurons for ITSM that can allow a remote authenticated attacker to gain administrative access.

Is CVE-2026-9614 critical?

No. CVE-2026-9614 has a CVSS 3.1 score of 8.8, which rates it as High severity. It is still urgent because it can allow administrator-level access.

Does exploitation require authentication?

Yes. The attacker needs valid low-privilege credentials. The vulnerability can then allow that authenticated attacker to escalate to administrator access without user interaction.

Which Ivanti Neurons for ITSM versions are affected?

Affected versions include on-premises 2025.2 before Patch 1, 2025.3 before Patch 1, and 2025.4 before Patch 1. Cloud versions 2026.1 before Patch 9 and 2026.2 before Patch 1 are also listed as affected.

Has Ivanti observed exploitation of CVE-2026-9614?

Ivanti said it was not aware of any customers being exploited through the vulnerability at the time of publication. Administrators should still patch and review logs because no public indicators of compromise are available.

What should administrators do now?

Administrators should apply the relevant Ivanti patch, verify cloud patch status, review administrator accounts, audit role assignments, check API tokens and integrations, and investigate any administrative activity by low-privilege accounts.
