Ivanti ITSM Vulnerability Could Grant Attackers Admin Access
Ivanti has released fixes for a high‑severity vulnerability in Ivanti Neurons for ITSM that can let an authenticated, low‑privileged user escalate to full administrative access.
Tracked as CVE-2026-9614 and rated 8.8 (CVSS 3.1), the issue stems from insufficient authorization checks that allow attackers to bypass role‑based access controls. Both cloud and on‑premises deployments are affected.
Ivanti ITSM Vulnerability
The flaw is an improper access control issue (CWE-284). A remote attacker who already has a low‑privileged authenticated account can exploit the vulnerability without any additional user interaction.
The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates network attackability, low complexity, no required user interaction, and high impact to confidentiality, integrity, and availability. Successful exploitation can yield full administrative control of the Ivanti ITSM instance.
An attacker with admin privileges could read or modify sensitive configuration, change or disable workflows, and potentially move laterally into other systems that depend on ITSM for automation and orchestration. Because ITSM platforms centrally manage IT operations, compromise can provide a resilient foothold for persistent intrusion.
Affected Versions and Fixes
On‑premises: Ivanti Neurons for ITSM versions 2025.4 and earlier are affected. Ivanti published patched builds: 2025.4 Patch 1, 2025.3 Patch 1, and 2025.2 Patch 1.
Cloud: Cloud versions 2026.1 and prior are affected. Ivanti applied service updates automatically; the cloud fixes are in versions 2026.1 Patch 9 and 2026.2 Patch 1, rolled out between May 24–25, 2026.
Affected (on‑prem): 2025.2, 2025.3, 2025.4 — Fixed: 2025.2 Patch 1, 2025.3 Patch 1, 2025.4 Patch 1
Affected (cloud): ≤ 2026.1 — Fixed: 2026.1 Patch 9, 2026.2 Patch 1 (auto‑applied May 24–25, 2026)
Recommended Actions
- Apply patches immediately for on‑premises deployments. Install the listed Patch 1 releases for any affected 2025.x installations.
- Verify cloud tenants were updated between May 24–25, 2026; contact Ivanti support if your environment shows an earlier cloud build.
- Restrict administrative interfaces: limit network exposure to management consoles using IP allowlists, VPNs, or private network routing.
- Monitor and audit: review access logs, privileged‑account activity, configuration change history, and workflow edits for anomalies indicative of privilege escalation.
- Review and harden RBAC: ensure least privilege for service and user accounts, and rotate credentials used by automation or integrations.
- Prepare incident response: collect relevant logs and snapshots before and after patching, and be ready to investigate any suspicious privileged actions prior to remediation.
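The "Monitor and audit" and "Review and harden RBAC" steps above can be turned into a simple triage pass over an audit-log export. The script below is an added example, not code from the article or from Ivanti: it assumes a generic JSON-lines audit format with the field names `ts`, `actor`, `actor_role`, `action`, `target` and `detail`, and the action names in `ADMIN_ONLY_ACTIONS` are placeholders (Ivanti's real export schema is not given on the page, so map them to your own log fields). The sample log lines are constructed. It flags the three patterns a privilege-escalation bug like this one would leave behind: a low-privileged role performing an admin-only action, an account granting an admin role to itself, and an account that entered the window as non-admin and later acts as an administrator.

```python
"""Audit-log triage for privilege-escalation indicators (added example).

Assumed generic JSON-lines audit format; adapt the field and action names
to your platform's actual export. Sample events below are constructed.
"""
import json
from dataclasses import dataclass

# Actions that only an administrator should ever perform. These names are
# assumptions standing in for whatever your audit log emits.
ADMIN_ONLY_ACTIONS = {"role.assign", "workflow.edit", "workflow.disable", "config.update"}
ADMIN_ROLES = {"Administrator"}

# Constructed sample audit export (JSON lines). Not real Ivanti log data.
SAMPLE_LOG = """\
{"ts":"2026-05-20T09:00:01Z","actor":"jsmith","actor_role":"SelfService","action":"ticket.create","target":"INC-1001","src_ip":"10.1.4.22"}
{"ts":"2026-05-20T09:00:12Z","actor":"jsmith","actor_role":"SelfService","action":"role.assign","target":"jsmith","detail":"Administrator","src_ip":"10.1.4.22"}
{"ts":"2026-05-20T09:01:03Z","actor":"jsmith","actor_role":"Administrator","action":"workflow.disable","target":"wf-password-reset-approval","src_ip":"10.1.4.22"}
{"ts":"2026-05-20T09:02:40Z","actor":"admin.ops","actor_role":"Administrator","action":"config.update","target":"smtp.server","src_ip":"10.0.0.5"}
{"ts":"2026-05-20T09:05:00Z","actor":"mlee","actor_role":"Analyst","action":"ticket.update","target":"INC-1001","src_ip":"10.1.4.30"}
"""


@dataclass
class Finding:
    rule: str
    actor: str
    ts: str
    evidence: dict


def parse_events(text):
    """Parse a JSON-lines export; skip blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_privilege_escalation(events):
    """Return Findings for events that indicate an unexpected rise to admin."""
    findings = []
    first_role = {}  # role each actor held when first seen in this window
    for ev in sorted(events, key=lambda e: e["ts"]):
        actor = ev["actor"]
        role = ev.get("actor_role", "")
        first_role.setdefault(actor, role)

        # Rule 1: a non-admin role performing an admin-only action.
        if ev["action"] in ADMIN_ONLY_ACTIONS and role not in ADMIN_ROLES:
            findings.append(Finding("non_admin_performed_admin_action", actor, ev["ts"], ev))

        # Rule 2: an account assigning an admin role to itself.
        if (ev["action"] == "role.assign" and ev.get("target") == actor
                and ev.get("detail") in ADMIN_ROLES):
            findings.append(Finding("self_granted_admin_role", actor, ev["ts"], ev))

        # Rule 3: an actor who started the window as non-admin now acting as admin.
        if role in ADMIN_ROLES and first_role[actor] not in ADMIN_ROLES:
            findings.append(Finding("role_changed_to_admin_in_window", actor, ev["ts"], ev))
    return findings


def summarize(findings):
    """Group rule names by actor so one compromised account is easy to spot."""
    by_actor = {}
    for f in findings:
        by_actor.setdefault(f.actor, []).append(f.rule)
    return by_actor


if __name__ == "__main__":
    for f in find_privilege_escalation(parse_events(SAMPLE_LOG)):
        print(f"{f.ts} {f.actor} {f.rule} action={f.evidence['action']} "
              f"target={f.evidence.get('target')}")
```

Run it against a real export after replacing the field and action names; any hit on rules 2 or 3 for an account that was never meant to be an administrator is a reason to pull the snapshots and logs the "Prepare incident response" step calls for before patching over the evidence.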