🎯 Basically, Ivanti found flaws in its software that could let hackers steal user information.
What Happened
Ivanti has announced security updates to address two medium-severity vulnerabilities in its Ivanti Neurons for ITSM (N-ITSM) platform. These vulnerabilities could allow remote authenticated attackers to gain unauthorized access or harvest session data from other users. Although the company confirmed no active exploitation has been observed, the risks associated with these flaws necessitate immediate attention from users.
The Flaws
CVE-2026-4913: Improper Path Protection
The first vulnerability, CVE-2026-4913, has a CVSS score of 5.7 and is categorized under CWE-424 (Protection Mechanism Failure). This flaw arises from improper protection of an alternate path in N-ITSM versions prior to 2025.4. A remote authenticated attacker could exploit this vulnerability to maintain access to the system even after their account has been disabled by an administrator. This is particularly concerning in enterprise environments where prompt access revocation is critical during insider threat incidents.
CVE-2026-4914: Stored XSS Vulnerability
The second flaw, CVE-2026-4914, is a stored cross-site scripting (XSS) vulnerability with a CVSS score of 5.4, classified under CWE-79. This vulnerability allows a remote authenticated attacker to inject malicious scripts that execute in the context of other users’ sessions. Exploiting this flaw could enable an attacker to capture sensitive information, including session tokens and credentials, from other user sessions. This attack requires user interaction, meaning a victim must access the malicious content for the exploit to succeed.
Who's Affected
Both vulnerabilities affect Ivanti Neurons for ITSM version 2025.3 and all prior releases, applicable to both on-premise and cloud deployments.
What You Should Do
Ivanti urges all on-premise customers to upgrade to version 2025.4 immediately. This version addresses both vulnerabilities and is available through the Ivanti License System (ILS). For cloud customers, the fix has already been applied to all environments as of December 12, 2025. Organizations running older versions should prioritize the upgrade, especially given the access-retention risk posed by CVE-2026-4913.
No indicators of compromise are currently available since no public exploitation has been noted. However, organizations are advised to remain vigilant and monitor for any unusual activities in their systems.
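The access-retention risk described for CVE-2026-4913, together with the advice to monitor for unusual activity, suggests one concrete check a defender can run: look for authenticated requests made by an account after an administrator disabled it. The script below is an added example, not Ivanti's code or a real N-ITSM log format; it assumes a hypothetical JSON request log and a hypothetical admin event feed with constructed field names (`ts`, `user`, `event`, `path`).

```python
"""Flag requests made by an account after an admin disabled it (constructed data)."""
import json
from datetime import datetime

# Constructed sample of administrator events; field names are assumptions,
# not the real N-ITSM audit schema.
DISABLE_EVENTS = [
    {"ts": "2026-01-10T09:00:00", "event": "account_disabled", "user": "jdoe"},
    {"ts": "2026-01-10T09:30:00", "event": "account_disabled", "user": "jdoe"},
]

# Constructed sample of authenticated request log lines (one JSON object per line).
REQUEST_LOG = [
    '{"ts": "2026-01-10T08:55:00", "user": "jdoe", "path": "/api/tickets"}',
    '{"ts": "2026-01-10T09:05:00", "user": "jdoe", "path": "/api/tickets/42"}',
    '{"ts": "2026-01-10T09:06:00", "user": "asmith", "path": "/api/tickets"}',
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(value)


def disable_times(events):
    """Map each disabled user to the earliest time an admin disabled that account.

    The earliest event matters: any request after it should have been rejected.
    """
    earliest = {}
    for event in events:
        if event.get("event") != "account_disabled":
            continue
        user, when = event["user"], parse_ts(event["ts"])
        if user not in earliest or when < earliest[user]:
            earliest[user] = when
    return earliest


def find_post_disable_activity(request_lines, events):
    """Return request records issued by a user after that account was disabled."""
    cutoff = disable_times(events)
    hits = []
    for line in request_lines:
        record = json.loads(line)
        user = record.get("user")
        if user in cutoff and parse_ts(record["ts"]) > cutoff[user]:
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in find_post_disable_activity(REQUEST_LOG, DISABLE_EVENTS):
        print("post-disable activity:", hit)
```

Any hit is worth investigating on a pre-2025.4 deployment, since the advisory states that disabled accounts could keep working there.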
🔒 Pro insight: The improper path protection flaw reveals significant gaps in session management that could be exploited in high-stakes environments.