Two newly disclosed vulnerabilities in Ivanti Neurons for ITSM have been reported. The flaws could allow attackers to retain access to enterprise systems under certain conditions. The issues, tracked as CVE-2026-4913 and CVE-2026-4914, affect Ivanti’s Neurons for IT Service Management (ITSM) platform.
Ivanti recently published the security advisory outlining these two vulnerabilities. These flaws could enable remote authenticated attackers to hijack or persist in user sessions, potentially maintaining unauthorized access even after administrative actions such as account deactivation.
The vulnerabilities affect both on-premises and cloud deployments running version 2025.3 and earlier. While the risks are notable, Ivanti stated that, at the time of disclosure on April 14, 2026, there is no evidence to suggest active exploitation in real-world attacks.
In its advisory, the company noted: “We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.” The vulnerabilities were identified and reported through a responsible disclosure program.
Technical Breakdown of ITSM Vulnerabilities
The two vulnerabilities, CVE-2026-4913 and CVE-2026-4914, have distinct behaviors, but both require low-privileged authenticated access and some user interaction, as their CVSS vectors (PR:L, UI:R) indicate.
CVE-2026-4913: Session Persistence After Account Deactivation
The first flaw, CVE-2026-4913, is classified as an “improper protection of an alternate path” vulnerability (CWE-424). It affects Ivanti Neurons for ITSM versions prior to 2025.4 and carries a CVSS score of 5.7 (Medium), with the vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N.
This vulnerability allows a remote authenticated attacker to retain access to the system even after their account has been disabled. In practice, this could enable a user with previously valid credentials to continue interacting with the platform through an alternate access path, bypassing expected session termination controls.
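To make the CWE-424 pattern concrete, the following is an added, generic example (not Ivanti code, and not a description of how Neurons for ITSM implements sessions): a session store whose only check is "does this token exist" keeps serving a disabled account through any access path it already has a token for, while a hardened store revokes the account's sessions on deactivation and re-checks account status on every request. The account, session and path names are constructed for the example.

```python
"""Added example: session handling that survives account deactivation (the
defect) beside session handling that does not. Generic illustration only;
nothing here reflects Ivanti's actual implementation."""
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    active: bool = True


@dataclass
class Session:
    username: str
    path: str  # constructed label for the access path, e.g. "web" or "api"


class WeakSessionStore:
    """Validates only that a token exists; account state is never re-checked
    and deactivation leaves existing sessions untouched."""

    def __init__(self):
        self.sessions = {}

    def login(self, account, path="web"):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(account.username, path)
        return token

    def is_valid(self, token):
        return token in self.sessions

    def deactivate(self, account):
        account.active = False  # the defect: sessions stay valid


class HardenedSessionStore(WeakSessionStore):
    """Revokes sessions on deactivation and re-checks the account on each use."""

    def __init__(self, accounts):
        super().__init__()
        self.accounts = accounts  # username -> Account

    def login(self, account, path="web"):
        if not account.active:
            raise PermissionError("account is disabled")
        return super().login(account, path)

    def is_valid(self, token):
        session = self.sessions.get(token)
        if session is None:
            return False
        acct = self.accounts.get(session.username)
        if acct is None or not acct.active:
            self.sessions.pop(token, None)  # drop the stale session
            return False
        return True

    def deactivate(self, account):
        account.active = False
        stale = [t for t, s in self.sessions.items() if s.username == account.username]
        for token in stale:
            del self.sessions[token]


def demo():
    """Return (weak_still_valid, hardened_still_valid) after deactivating a
    user who holds sessions on two different access paths."""
    alice = Account("alice")
    weak = WeakSessionStore()
    web_tok, api_tok = weak.login(alice, "web"), weak.login(alice, "api")
    weak.deactivate(alice)
    weak_still_valid = weak.is_valid(web_tok) or weak.is_valid(api_tok)

    bob = Account("bob")
    hardened = HardenedSessionStore({"bob": bob})
    web_tok, api_tok = hardened.login(bob, "web"), hardened.login(bob, "api")
    hardened.deactivate(bob)
    hardened_still_valid = hardened.is_valid(web_tok) or hardened.is_valid(api_tok)
    return weak_still_valid, hardened_still_valid


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second store treats the account record, not the token, as the source of truth: even if a session were missed during revocation (for example, one issued by a separate API front end), the per-request status check still closes it.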
CVE-2026-4914: Stored XSS and Session Data Exposure
The second issue, CVE-2026-4914, is a stored cross-site scripting (XSS) vulnerability (CWE-79) with a CVSS score of 5.4 (Medium). Its vector is:
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.
This flaw allows a remote authenticated attacker to inject malicious scripts that may execute in another user’s session, provided user interaction occurs. Successful exploitation could result in limited information disclosure from other sessions, posing a risk to sensitive operational data within the ITSM environment.
Affected Versions and Fix Timeline
Both vulnerabilities impact Ivanti Neurons for ITSM version 2025.3 and earlier across deployment models:
- On-premise deployments: Versions 2025.3 and prior are affected, with fixes available in version 2025.4 via the Ivanti License System (ILS).
- Cloud deployments: Versions 2025.3 and earlier were also impacted; however, Ivanti applied fixes automatically to all cloud environments on December 12, 2025.
The patched release, version 2025.4, addresses both CVE-2026-4913 and CVE-2026-4914.
Mitigation Guidance for Ivanti Neurons Users
To reduce exposure to these vulnerabilities, Ivanti recommends that organizations update their systems to version 2025.4 as soon as possible. The mitigation steps differ depending on the deployment type.
For cloud customers using Ivanti Neurons, no action is required, as the company has already implemented the necessary fixes across hosted environments. This proactive update ensures that cloud users are protected against both CVE-2026-4913 and CVE-2026-4914.
In contrast, organizations running on-premises deployments must take manual action. Administrators and security teams are advised to log into the Ivanti License System and apply the 2025.4 update without delay.
Detection and Support Considerations
At present, Ivanti has not identified any indicators of compromise associated with these vulnerabilities, largely due to the absence of known exploitation. As a result, organizations may not have specific forensic markers to determine whether their systems were targeted.
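With no vendor-supplied indicators, the most useful review an on-premises team can do on its own is to compare its audit trail against account deactivations: any request attributed to an account after that account was disabled is exactly the behaviour CVE-2026-4913 describes. The following is an added example (not Ivanti tooling, and the record format is constructed, not the Neurons for ITSM log format) that derives deactivation times from `account.disable` events and flags later activity by those same accounts; the user names, ticket id and timestamps are all made up.

```python
"""Added example: flag audit activity by an account after its deactivation.
The JSON-lines format, field names and sample records are constructed for
this illustration and are not Ivanti's audit log schema."""
import json
from datetime import datetime

# Constructed sample audit trail: one JSON object per line.
SAMPLE_AUDIT_LOG = """
{"ts": "2026-04-01T08:30:00+00:00", "actor": "jdoe", "action": "session.login", "target": "", "source": "web"}
{"ts": "2026-04-01T09:00:00+00:00", "actor": "admin", "action": "account.disable", "target": "jdoe", "source": "web"}
{"ts": "2026-04-01T10:15:00+00:00", "actor": "jdoe", "action": "ticket.view", "target": "INC-1042", "source": "api"}
{"ts": "2026-04-01T10:20:00+00:00", "actor": "asmith", "action": "ticket.update", "target": "INC-1042", "source": "web"}
{"ts": "2026-04-02T07:45:00+00:00", "actor": "jdoe", "action": "ticket.export", "target": "INC-1042", "source": "api"}
""".strip()


def parse_events(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def deactivation_times(events):
    """Map each disabled account to the earliest time it was disabled."""
    cutoffs = {}
    for e in events:
        if e["action"] == "account.disable":
            when = datetime.fromisoformat(e["ts"])
            if e["target"] not in cutoffs or when < cutoffs[e["target"]]:
                cutoffs[e["target"]] = when
    return cutoffs


def post_deactivation_activity(events):
    """Return audit records whose actor acted after being disabled."""
    cutoffs = deactivation_times(events)
    flagged = []
    for e in events:
        cutoff = cutoffs.get(e["actor"])
        if cutoff is not None and datetime.fromisoformat(e["ts"]) > cutoff:
            flagged.append(e)
    return flagged


def summarize(flagged):
    """One line per hit: who, what, through which access path, and when."""
    return ["%s %s via %s at %s" % (e["actor"], e["action"], e["source"], e["ts"])
            for e in flagged]


if __name__ == "__main__":
    hits = post_deactivation_activity(parse_events(SAMPLE_AUDIT_LOG))
    for line in summarize(hits):
        print(line)
```

The `source` field matters when reading the results: a hit through a path other than the one the deactivation was performed on (here the constructed `api` path) is the alternate-path case, and the access paths a platform actually records should be checked before concluding anything from an empty result, since an unlogged path produces no hits either way.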
For organizations requiring assistance, Ivanti recommends submitting a support request through its Success Portal to address any concerns related to Ivanti Neurons, CVE-2026-4913, or CVE-2026-4914.