
Ivanti has released security updates to address two vulnerabilities in its Neurons for ITSM platform, highlighting ongoing concerns around enterprise software security. The flaws, identified as medium severity, affect both on-premises and cloud deployments and could expose organizations to unauthorized access and data risks if left unpatched.
The first vulnerability, tracked as CVE-2026-4913 with a CVSS score of 5.7, relates to improper protection of an alternate path. This flaw could allow a remote authenticated attacker to retain access to the system even after their account has been disabled, raising concerns about persistent access and insider threat scenarios.
The second issue, CVE-2026-4914 with a CVSS score of 5.4, is a stored cross-site scripting vulnerability. If exploited, it could enable attackers to inject malicious scripts and access limited information from other user sessions, potentially exposing sensitive data such as session details or user activity.
Ivanti noted that successful exploitation of these vulnerabilities requires authentication and, in some cases, user interaction, which reduces the immediate risk level. However, the potential impact on enterprise environments remains significant, particularly in scenarios involving compromised user accounts or insufficient access controls.
Both vulnerabilities have been resolved in Ivanti Neurons for ITSM version 2025.4, and the company has urged customers to update their systems as soon as possible. For cloud users, the fixes were automatically applied on December 12, 2025, meaning no additional action is required on their part.
Ivanti also stated that it is not aware of any active exploitation of these vulnerabilities in the wild at the time of disclosure. The update is part of the company’s regular security patch cycle, reinforcing the importance of timely updates and proactive vulnerability management in safeguarding enterprise IT systems.
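For the first issue (access retained after an account is disabled), one defender-side check is to correlate account-disable events with any later authenticated activity by the same user. The sketch below is an added example, not Ivanti code or an Ivanti log format: the event names, the tuple layout and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime

# Event types that change account state (names are assumptions, not a product schema).
STATE_EVENTS = {"account_disabled", "account_enabled"}

# Constructed sample audit records: (ISO timestamp, user, event, detail).
SAMPLE_EVENTS = [
    ("2026-01-05T09:00:00", "alice", "login", "session=a1"),
    ("2026-01-05T09:10:00", "bob", "login", "session=b1"),
    ("2026-01-05T10:00:00", "alice", "account_disabled", "by=admin"),
    ("2026-01-05T10:05:00", "alice", "request", "session=a1"),   # pre-existing session still used
    ("2026-01-05T10:06:00", "bob", "request", "session=b1"),
    ("2026-01-05T11:00:00", "alice", "account_enabled", "by=admin"),
    ("2026-01-05T11:30:00", "alice", "request", "session=a2"),   # legitimate, account re-enabled
    ("2026-01-05T12:00:00", "bob", "request", "session=b1"),     # same second as the disable
    ("2026-01-05T12:00:00", "bob", "account_disabled", "by=admin"),
]


def post_disable_activity(events, grace_seconds=0):
    """Return (user, disabled_at, seen_at, detail) for activity on a disabled account.

    grace_seconds tolerates clock skew or in-flight requests around the disable time.
    """
    # Sort by time; at equal timestamps apply state changes before activity.
    parsed = sorted(
        ((datetime.fromisoformat(t), u, e, d) for t, u, e, d in events),
        key=lambda r: (r[0], r[2] not in STATE_EVENTS),
    )
    disabled = {}   # user -> time the account was disabled (while it stays disabled)
    findings = []
    for ts, user, event, detail in parsed:
        if event == "account_disabled":
            disabled[user] = ts
        elif event == "account_enabled":
            disabled.pop(user, None)
        elif user in disabled:
            if (ts - disabled[user]).total_seconds() > grace_seconds:
                findings.append((user, disabled[user].isoformat(), ts.isoformat(), detail))
    return findings


if __name__ == "__main__":
    for finding in post_disable_activity(SAMPLE_EVENTS):
        print("activity after disable:", finding)
```

Any finding is a prompt to revoke the user's sessions and tokens explicitly, rather than relying on the disable action alone.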




