
CVE-2026-9614 (CVSS 8.8): Ivanti Neurons for ITSM Flaw Allows Authenticated Attackers to Gain Full Admin Access

dark6 8 June 2026

Ivanti has published an out-of-band security advisory for a high-severity vulnerability in its widely used Ivanti Neurons for ITSM platform. Tracked as CVE-2026-9614 with a CVSS score of 8.8, the flaw allows a remote authenticated attacker to escalate their privileges and gain full administrative access to the ITSM environment — without requiring any user interaction.

The vulnerability affects both cloud and on-premises deployments and stems from improper access control, categorized under CWE-284. Given how central ITSM platforms are to enterprise IT operations — managing ticketing, asset tracking, change management, and automation workflows — unauthorized admin access represents a serious security risk.

Vulnerability Details

According to Ivanti’s advisory, an attacker with valid but low-level credentials can exploit CVE-2026-9614 over the network with low complexity and no user interaction required. The CVSS vector confirms the potential for significant impact across confidentiality, integrity, and availability.

In practical terms, this means an attacker who has obtained even a basic user account — through credential theft, phishing, or a separate breach — can immediately escalate to administrator level within the ITSM system. From there, they could:

  • Modify user roles and access permissions across the organization
  • Access sensitive IT asset data, ticket histories, and change records
  • Create persistent backdoor accounts for ongoing access
  • Manipulate automation workflows and integrations with other enterprise systems
  • Disrupt IT operations by altering or deleting service management configurations

Affected Versions

The vulnerability impacts on-premises versions 2025.4 and earlier. Ivanti has released patches to address the issue:

  • Version 2025.4 Patch 1 — primary fix
  • Version 2025.3 Patch 1 — backported fix
  • Version 2025.2 Patch 1 — backported fix

Patches are available through the Ivanti License System portal. Organizations running affected versions are strongly advised to update immediately.

Cloud Customers Already Protected

For cloud customers, Ivanti has already applied fixes across all environments. The patches were deployed during updates rolled out on May 24 and 25, in versions 2026.1 Patch 9 and 2026.2 Patch 1. Ivanti later issued additional updates to resolve a separate logging issue affecting IP address tracking — though this secondary bug is unrelated to the core CVE-2026-9614 vulnerability.

Exploitation Status

At the time of disclosure, Ivanti stated there is no evidence of active exploitation in the wild and no publicly available indicators of compromise. However, given the ease of exploitation (low complexity, authenticated-only requirement) and the high CVSS score, the company issued the advisory on an out-of-band basis to accelerate remediation before threat actors can develop working exploits.

Security history suggests that high-severity Ivanti vulnerabilities often attract rapid exploitation attempts once disclosed. Organizations should not treat the current lack of reported exploitation as a reason to delay patching.

Recommended Actions

All organizations using Ivanti Neurons for ITSM should take the following steps immediately:

  • Apply the available patches for your deployed version via the Ivanti License System portal
  • Audit role-based access controls to ensure administrative privileges are restricted to intended users only
  • Review recently created user accounts and privilege assignments for signs of unauthorized changes
  • Enable detailed audit logging within the ITSM platform and monitor for anomalous privilege escalation attempts
  • Enforce least-privilege principles — limit the number of accounts with elevated permissions
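
The account review and audit-log monitoring steps above can be turned into a simple detection pass. The script below is an added example, not Ivanti's code or output: the JSON-lines audit schema (ts, actor, action, target, old_role, new_role), the role names and the known-administrator list are all constructed assumptions, to be mapped onto whatever the platform's audit export actually emits. It flags grants of an elevated role that are self-applied, made by an actor who is not a known administrator, or applied to an account created shortly before.

```python
"""Detection pass over ITSM audit events for privilege-escalation signals.

Added example, not Ivanti's code. The event schema and role names are
hypothetical; adapt them to the real audit export of your ITSM platform.
"""
import json
from datetime import datetime, timedelta

# Roles treated as elevated (assumed name; use the platform's real role names).
ELEVATED_ROLES = {"Administrator"}
# Accounts expected to hand out elevated roles (constructed allowlist).
KNOWN_ADMINS = {"admin.carol"}
# A freshly created account receiving an elevated role this soon is suspicious.
NEW_ACCOUNT_WINDOW = timedelta(hours=1)

# Constructed sample audit export (JSON lines); not real Ivanti log output.
SAMPLE_LOG = """
{"ts": "2026-06-01T09:00:00Z", "actor": "alice", "action": "login", "target": "alice", "old_role": null, "new_role": null}
{"ts": "2026-06-01T09:02:10Z", "actor": "bob", "action": "role_change", "target": "bob", "old_role": "ServiceDeskAnalyst", "new_role": "Administrator"}
{"ts": "2026-06-01T09:03:30Z", "actor": "bob", "action": "user_create", "target": "svc-backup", "old_role": null, "new_role": "SelfService"}
{"ts": "2026-06-01T09:04:00Z", "actor": "bob", "action": "role_change", "target": "svc-backup", "old_role": "SelfService", "new_role": "Administrator"}
{"ts": "2026-06-01T10:15:00Z", "actor": "admin.carol", "action": "role_change", "target": "dave", "old_role": "SelfService", "new_role": "ServiceDeskAnalyst"}
"""


def parse_events(text):
    """Parse JSON-lines audit records into dicts with a timezone-aware datetime."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_escalations(events):
    """Return one finding per grant of an elevated role that trips a rule.

    Rules: self-elevation, grant by an actor outside KNOWN_ADMINS, or grant to
    an account created within NEW_ACCOUNT_WINDOW of the grant.
    """
    findings = []
    created_at = {}  # target account -> creation time seen in this log
    for ev in events:
        if ev["action"] == "user_create":
            created_at[ev["target"]] = ev["ts"]
            continue
        if ev["action"] != "role_change":
            continue
        # Only transitions *into* an elevated role are interesting here.
        if ev["new_role"] not in ELEVATED_ROLES or ev["old_role"] in ELEVATED_ROLES:
            continue
        reasons = []
        if ev["actor"] == ev["target"]:
            reasons.append("self-elevation")
        if ev["actor"] not in KNOWN_ADMINS:
            reasons.append("unprivileged-grantor")
        born = created_at.get(ev["target"])
        if born is not None and ev["ts"] - born <= NEW_ACCOUNT_WINDOW:
            reasons.append("new-account-elevated")
        if reasons:
            findings.append({
                "ts": ev["ts"].isoformat(),
                "actor": ev["actor"],
                "target": ev["target"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in detect_escalations(parse_events(SAMPLE_LOG)):
        print(f"{f['ts']} {f['actor']} -> {f['target']}: {', '.join(f['reasons'])}")
```

Feed it the platform's exported audit trail instead of SAMPLE_LOG and schedule it alongside the log review; an entry that trips the self-elevation or new-account rule is exactly the pattern a low-privilege account abusing an escalation flaw would leave, and it should be cross-checked against approved change records before it is dismissed.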

Ivanti has faced significant scrutiny in recent years over vulnerabilities in its product line, and this disclosure underscores the importance of maintaining a robust patch management process for all ITSM and remote access tools. Given the privileged access these platforms have into enterprise environments, they represent high-value targets for both cybercriminals and nation-state actors.

Organizations that cannot immediately apply patches should consider implementing additional network-level controls to restrict access to the ITSM platform and closely monitor for suspicious authentication events until a patch can be deployed.
