Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper protection of an alternate path in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to retain access when their account has been disabled.
AnalysisAI
Ivanti Neurons for ITSM before version 2025.4 allows authenticated attackers to retain access to disabled accounts via an unprotected alternate authentication path, enabling persistent unauthorized information disclosure. The vulnerability affects both on-premise and cloud deployments and requires user interaction (UI:R), limiting but not eliminating real-world risk in multi-user environments where account disablement is a critical security control.
Technical ContextAI
The vulnerability stems from improper path protection (CWE-424), a design flaw where an alternate authentication mechanism bypasses the standard account lifecycle management controls. Ivanti Neurons for ITSM is a service management platform that implements identity and access controls; when an administrator disables a user account through the primary interface, this alternate path fails to honor that disabled state, allowing the user to authenticate and retain system access. The issue affects both on-premise deployments (cpe:2.3:a:ivanti:neurons_for_itsm_(on-premise):*) and cloud-hosted instances (cpe:2.3:a:ivanti:neurons_for_itsm_(cloud):*), indicating a common architectural flaw rather than environment-specific misconfiguration.
RemediationAI
Vendor-released patch: Upgrade Ivanti Neurons for ITSM to version 2025.4 or later. Organizations unable to patch immediately should implement compensating controls: restrict network access to the Neurons for ITSM interface via firewall or VPN to trusted IP ranges, enforce multi-factor authentication for all service management accounts, and conduct an immediate audit of disabled accounts for any remaining active sessions or tokens. Review administrator logs for any authentication attempts from disabled accounts post-disablement. The official Ivanti security advisory at https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2026-4913-CVE-2026-4914?language=en_US contains patch delivery timelines and detailed configuration guidance for both on-premise and cloud customers.
Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai
Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l
Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu
Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur
Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated
An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a
Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re
Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica
Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen
Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a
Same weakness CWE-424 – Improper Protection of Alternate Path
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22278