Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access.
AnalysisAI
Privilege escalation to administrative access in Ivanti Neurons for ITSM (both cloud and on-premises deployments) allows a remote authenticated attacker to bypass access controls and obtain admin-level permissions. The flaw carries a CVSS 8.8 rating with low attack complexity, and Ivanti has published a security advisory; no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
Ivanti Neurons for ITSM is an IT service management platform offered in both SaaS (cloud) and customer-hosted (on-premises) editions, used for ticketing, asset, and workflow management with role-based access controls separating standard users from administrators. The root cause is classified as CWE-284 (Improper Access Control), meaning the application fails to correctly enforce authorization checks on a privileged function or resource, letting an already-authenticated low-privilege account perform actions reserved for administrators. The two affected CPEs - cpe:2.3:a:ivanti:neurons_for_itsm_(on-premises) and cpe:2.3:a:ivanti:neurons_for_itsm_(cloud) - indicate the defect resides in shared application logic rather than a deployment-specific component, and the 'Authentication Bypass' tag suggests the broken control may be an authorization decision invoked after login rather than the login mechanism itself.
RemediationAI
Patch available per vendor advisory - administrators of on-premises Neurons for ITSM should consult https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2026-9614 to identify and deploy the fixed build for their currently installed version; cloud-edition tenants are remediated by Ivanti and should confirm their tenant has been updated. Until patching is complete, restrict network reachability of the ITSM web interface to trusted management networks or VPN, tighten provisioning so that low-privilege accounts are not created unnecessarily and disable any inactive accounts, and enforce MFA on all ITSM logins to raise the cost of obtaining the authenticated foothold the exploit requires. Increase monitoring of audit logs for unexpected role changes, privilege grants, or administrative actions originating from non-admin accounts, accepting that these controls reduce but do not eliminate exposure for any user who already holds valid credentials.
Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai
Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l
Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu
Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur
Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated
An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a
Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re
Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica
Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen
Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33736
GHSA-x7fw-vc93-jg9v