Ivanti has recently released an update for its Neurons for ITSM platform, addressing two medium-severity vulnerabilities that impact both on-premises and cloud versions. These vulnerabilities, identified as CVE-2026-4913 and CVE-2026-4914, have been patched to enhance security and protect user data.
Details of the Vulnerabilities
The first vulnerability, CVE-2026-4913, carries a CVSS score of 5.7 and involves improper protection of an alternate path. This flaw could allow an authenticated remote attacker to retain access even after their account has been disabled. The second issue, CVE-2026-4914, is a stored cross-site scripting (XSS) vulnerability with a CVSS score of 5.4. It can be exploited remotely to obtain limited information from other users' sessions, though successful exploitation requires both authentication and user interaction.
Resolution and User Advisory
Both vulnerabilities have been addressed in the latest version, 2025.4, of Ivanti Neurons for ITSM. Users of the on-premises product are strongly advised to update to this version. For the cloud-based solution, Ivanti states that the fixes were applied automatically to all cloud environments as of December 12, 2025. The company also notes that it has no reports of these vulnerabilities being exploited in the wild, and that no other Ivanti products are affected.
Additional Security Updates
In addition to addressing these vulnerabilities, Ivanti has updated its advisory on two OpenSSH-related vulnerabilities, CVE-2025-26465 and CVE-2025-26466, which were disclosed earlier in the year. While Ivanti’s EPMM, Sentry, and Connector products remain unaffected by these flaws, an updated version of OpenSSH will be included in subsequent software releases to ensure continued security.
These updates underscore the importance of regular software maintenance and timely patch application to protect against emerging threats. Ivanti’s proactive measures in addressing these vulnerabilities highlight its commitment to maintaining robust security standards across its platforms.
