Skip to main content

Ivanti Neurons ITSM CVE-2026-9614

| EUVDEUVD-2026-33736 HIGH
Improper Access Control (CWE-284)
2026-06-01 ivanti GHSA-x7fw-vc93-jg9v
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 19:20 vuln.today

DescriptionCVE.org

An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access.

AnalysisAI

Privilege escalation to administrative access in Ivanti Neurons for ITSM (both cloud and on-premises deployments) allows a remote authenticated attacker to bypass access controls and obtain admin-level permissions. The flaw carries a CVSS 8.8 rating with low attack complexity, and Ivanti has published a security advisory; no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

Ivanti Neurons for ITSM is an IT service management platform offered in both SaaS (cloud) and customer-hosted (on-premises) editions, used for ticketing, asset, and workflow management with role-based access controls separating standard users from administrators. The root cause is classified as CWE-284 (Improper Access Control), meaning the application fails to correctly enforce authorization checks on a privileged function or resource, letting an already-authenticated low-privilege account perform actions reserved for administrators. The two affected CPEs - cpe:2.3:a:ivanti:neurons_for_itsm_(on-premises) and cpe:2.3:a:ivanti:neurons_for_itsm_(cloud) - indicate the defect resides in shared application logic rather than a deployment-specific component, and the 'Authentication Bypass' tag suggests the broken control may be an authorization decision invoked after login rather than the login mechanism itself.

RemediationAI

Patch available per vendor advisory - administrators of on-premises Neurons for ITSM should consult https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2026-9614 to identify and deploy the fixed build for their currently installed version; cloud-edition tenants are remediated by Ivanti and should confirm their tenant has been updated. Until patching is complete, restrict network reachability of the ITSM web interface to trusted management networks or VPN, tighten provisioning so that low-privilege accounts are not created unnecessarily and disable any inactive accounts, and enforce MFA on all ITSM logins to raise the cost of obtaining the authenticated foothold the exploit requires. Increase monitoring of audit logs for unexpected role changes, privilege grants, or administrative actions originating from non-admin accounts, accepting that these controls reduce but do not eliminate exposure for any user who already holds valid credentials.

More in Ivanti

View all
CVE-2024-7593 CRITICAL POC
9.8 Aug 13

Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai

CVE-2024-13159 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l

CVE-2024-13160 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu

CVE-2024-13161 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur

CVE-2025-0282 CRITICAL POC
9.0 Jan 08

Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated

CVE-2025-4427 MEDIUM POC
5.3 May 13

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a

CVE-2026-1281 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al

CVE-2026-1340 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a

CVE-2025-22457 CRITICAL POC
9.0 Apr 03

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re

CVE-2025-4428 HIGH POC
7.2 May 13

Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica

CVE-2026-1603 HIGH POC
8.6 Feb 10

Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen

CVE-2026-10520 CRITICAL POC
10.0 Jun 09

Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a

Share

CVE-2026-9614 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy