Ivanti Neurons for ITSM Vulnerabilities Allow Remote Attacker to Obtain User Sessions - CyberSecurityNews

HomeCyber Security News Ivanti Neurons for ITSM Vulnerabilities Allow Remote Attacker to Obtain User Sessions By Guru Baran April 14, 2026 Ivanti has released security updates addressing two medium-severity vulnerabilities in Ivanti Neurons for ITSM (N-ITSM), its on-premise IT service management platform. The flaws, if exploited, could allow remote authenticated attackers to retain unauthorized access or harvest session data from other users. The company confirmed it is not aware of any active exploitation of either vulnerability at the time of public disclosure. Both issues were reported through Ivanti’s responsible disclosure program and are patched in the newly released version 2025.4. CVE-2026-4913: Improper Path Protection Flaw The first vulnerability, CVE-2026-4913, has a CVSS score of 5.7 (Medium) and is classified under CWE-424 (Protection Mechanism Failure). The flaw stems from improper protection of an alternate path in Ivanti N-ITSM versions prior to 2025.4. A remote authenticated attacker could exploit this vulnerability to retain access to the system even after their account has been disabled by an administrator. This type of bypass is particularly dangerous in enterprise environments where revoking access promptly, especially during insider threat incidents or employee offboarding, is a critical security control. The vulnerability is network accessible, requires low privileges, and requires user interaction to trigger, contributing to its medium severity rating. CVE-2026-4914: Stored XSS Enables Cross-Session Data Theft The second flaw, CVE-2026-4914, is a stored cross-site scripting (XSS) vulnerability with a CVSS score of 5.4 (Medium), classified under CWE-79. In Ivanti N-ITSM versions prior to 2025.4, the vulnerability allows a remote, authenticated attacker to inject malicious scripts that execute in the context of other users’ sessions. By exploiting this flaw, an attacker could obtain limited information from other user sessions, potentially capturing session tokens, credentials, or sensitive ITSM data. The attack requires user interaction, meaning a victim must access the maliciously crafted content for the exploit to succeed. The vulnerability’s cross-scope impact (S:C in the CVSS vector) indicates effects can extend beyond the immediate session. Both vulnerabilities affect Ivanti Neurons for ITSM version 2025.3 and all prior releases, across both on-premise and cloud deployments. On-premise customers must manually upgrade to version 2025.4, available through the Ivanti License System (ILS). Cloud customers require no action, as Ivanti applied the fix to all cloud environments on December 12, 2025. Ivanti urges all on-premise customers to apply the 2025.4 update immediately. No indicators of compromise are currently available, as no public exploitation has been observed. Organizations running older versions should treat the upgrade as a priority, particularly given the access-retention risk posed by CVE-2026-4913 in environments with strict access control policies. Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News New ScarCruft Supply Chain Attack Hits Gaming Platform With Windows and Android Backdoors DigiCert Hacked via Weaponized Screensaver File to Obtain EV Code Signing Certificates Dirty Frag Linux Vulnerability Let Attackers Gain Root Privileges – PoC Released Google Chrome 148 Released with Fix for 127 Security Vulnerabilities – Update Now! Hackers Abuse Google Ads to Steal Users GoDaddy ManageWP login Credentials Latest News Cyber Attack News Hackers Leveraged Hugging Face and ClawHub With 575+ Malicious Skills to Deploy Malware Cyber Security News Fake Moustache Bypasses Age Verification System Raising Online Safety Act Concerns Cyber Security News New Infostealer Campaign Uses GitHub Releases for Payload Hosting and Evasion Cyber Security News Hackers Abuse Signed Logitech Installer to Deploy TCLBANKER Banking Trojan Cyber Security News DarkMoon AI-Powered Autonomous Penetration Testing Platform With 50+ Tools