Ivanti Neurons for ITSM Vulnerabilities Let Remote Attackers Hijack User Sessions
Ivanti has issued a security advisory detailing two medium-severity vulnerabilities affecting its Neurons for IT Service Management (ITSM) platform. These flaws could allow remote, authenticated attackers to hijack user sessions and maintain unauthorized access even after accounts are deactivated by administrators.
These vulnerabilities impact both on-premise and cloud deployments running versions 2025.3 and earlier.
Ivanti has stated that there is currently no known exploitation of these vulnerabilities in the wild.
Breakdown of the Flaws
The security update resolves two specific vulnerabilities, both of which require some level of existing access or user interaction but pose a significant risk to data integrity and access control:
- CVE-2026-4913 (CVSS 5.7): This vulnerability stems from insufficient protection of an alternate access path in the software. It enables a remote, authenticated attacker to retain access to the system even after their account has been disabled by an administrator. This “zombie access” could allow malicious insiders or compromised accounts to monitor internal processes and workflows beyond their authorized time. For further information, refer to the official Ivanti advisory.
- CVE-2026-4914 (CVSS 5.4): This is a Stored Cross-Site Scripting (XSS) vulnerability. Attackers can exploit this flaw to steal session data from other active users. Although it requires user interaction to carry out the attack, it opens a window for session hijacking and unauthorized data exposure. Learn more about this in the Ivanti advisory.
Mitigation and Patch Availability
To safeguard enterprise environments, Ivanti strongly recommends that administrators upgrade to version 2025.4, which resolves these issues.
For cloud-based deployments of Ivanti Neurons for ITSM, no immediate action is required, as Ivanti has already applied the necessary fixes to all managed environments. This proactive measure was completed on December 12, 2025, securing all hosted customers against both CVEs. For more information, visit the security advisory.
Organizations using on-premise installations must manually apply the patch. System administrators should access the Ivanti License System (ILS) portal to download and install the updated version 2025.4 patch.
Given that IT service management platforms like Neurons for ITSM are often primary targets for attackers, maintaining current patches is critical for enterprise security. Even though these vulnerabilities are rated as medium severity, adversaries frequently chain multiple low-severity flaws together to escalate privileges and move laterally within networks. Prompt patching remains one of the most effective defenses against such threats.