Ivanti has disclosed a high-severity improper access control vulnerability, tracked as CVE-2026-9614, in its Neurons for ITSM platform. The flaw allows a remote authenticated attacker to silently escalate privileges to full administrator level and affects both cloud and on-premises deployments worldwide.
Ivanti published an out-of-band security advisory on June 1, 2026, addressing CVE-2026-9614, a high-severity access control flaw in Ivanti Neurons for ITSM.
The vulnerability is classified under CWE-284 (Improper Access Control) and carries a CVSS v3.1 base score of 8.8 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
This scoring reflects that the attack is network-based, requires low privileges, demands no user interaction, and yields full impact across confidentiality, integrity, and availability.
What makes this vulnerability particularly dangerous is the attack's simplicity. A threat actor holding nothing more than an authenticated session for a standard low-privilege user account can exploit the flaw to gain unrestricted administrative access to the ITSM environment.
Ivanti confirmed the decision to release an out-of-band emergency patch was driven by the ease of exploitation, noting that the low complexity elevated the risk to customers significantly.
CVE-2026-9614 stems from insufficient enforcement of access control boundaries within the Ivanti Neurons for ITSM application layer. Under normal operations, the platform enforces role-based permissions that restrict standard users from accessing administrative functions.
However, due to improper validation of privilege levels during certain API or workflow interactions, a remote authenticated user can craft requests that bypass these controls entirely.
The CVSS vector confirms that no special conditions are needed: Attack Complexity is Low (AC:L), Privileges Required is Low (PR:L), and no user interaction (UI:N) is required.
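The paragraph above describes the vulnerability class (CWE-284) but not the specific code path, which Ivanti's advisory does not detail. The following added example, which is not Ivanti code and does not claim to reproduce the real CVE-2026-9614 root cause, shows the generic pattern behind "improper validation of privilege levels during API interactions": an authorization check that lets a client-supplied claim influence the effective role, beside the hardened form that resolves the role only from the server-side store keyed by the session identity. The role table, action names and `Request` shape are hypothetical.

```python
"""Illustrative CWE-284 pattern: an authorization check that trusts a
client-supplied privilege claim, beside one that resolves the caller's
role server-side. Added example only: this is NOT Ivanti code and does
not describe the actual root cause of CVE-2026-9614, which the advisory
does not detail. All names and the sample role table are hypothetical."""

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not permitted to perform the action."""


@dataclass
class Request:
    session_user: str                           # identity bound to the authenticated session
    action: str                                 # e.g. "set_role", "update_config", "view_ticket"
    params: dict = field(default_factory=dict)  # body/query parameters, attacker-controlled


# Constructed sample of the server-side user store (hypothetical roles).
SAMPLE_ROLES = {"alice": "administrator", "bob": "self_service"}

# Actions that must be limited to administrators.
ADMIN_ACTIONS = {"set_role", "update_config", "create_user"}


def _perform(roles: dict, req: Request) -> str:
    """Apply the action to the role store; called only after authorization."""
    if req.action == "set_role":
        roles[req.params["target"]] = req.params["new_role"]
        return f"{req.params['target']} -> {req.params['new_role']}"
    return f"{req.action} ok"


def handle_vulnerable(roles: dict, req: Request) -> str:
    """Improper access control: the effective role is taken from the
    request body when present, so a low-privilege user can simply claim
    'administrator' and pass the check."""
    role = req.params.get("role", roles.get(req.session_user))
    if req.action in ADMIN_ACTIONS and role != "administrator":
        raise Forbidden(req.action)
    return _perform(roles, req)


def handle_hardened(roles: dict, req: Request) -> str:
    """Correct pattern: the effective role comes only from the server-side
    store keyed by the session identity; request parameters never
    influence the decision. Self role changes are refused outright."""
    role = roles.get(req.session_user)
    if role is None:
        raise Forbidden("unknown session user")
    if req.action in ADMIN_ACTIONS and role != "administrator":
        raise Forbidden(req.action)
    if req.action == "set_role" and req.params.get("target") == req.session_user:
        raise Forbidden("self role change")
    return _perform(roles, req)


def escalation_attempt(handler) -> dict:
    """Run the same low-privilege request through a handler and report
    whether bob ended up as administrator."""
    roles = dict(SAMPLE_ROLES)
    req = Request(
        session_user="bob",
        action="set_role",
        params={"role": "administrator", "target": "bob", "new_role": "administrator"},
    )
    try:
        outcome = handler(roles, req)
    except Forbidden as exc:
        outcome = f"forbidden: {exc}"
    return {"outcome": outcome, "bob_role": roles["bob"]}


if __name__ == "__main__":
    print("vulnerable:", escalation_attempt(handle_vulnerable))
    print("hardened:  ", escalation_attempt(handle_hardened))
```

The point of the hardened handler is not the extra checks but where the role comes from: the only input to the decision is the session identity, which the attacker cannot choose. The self-role-change refusal is defence in depth that would also have limited the damage from a mistake elsewhere in the check.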
Once elevated to administrator, a threat actor could modify service configurations, access sensitive help desk ticket data, manipulate user accounts and roles, or pivot laterally across integrated enterprise systems.
This is especially alarming in ITSM platforms, which are deeply integrated into enterprise IT infrastructure and often hold sensitive operational data, asset inventories, and credential-adjacent workflow automations.
Because the vulnerability lives in the application's authorization logic rather than the operating system, exploitation leaves little for conventional host-based monitoring to see; detection depends on reviewing the application's own audit logs.
Affected Versions
| Product | Affected Version(s) | Fixed Version(s) | Patch Availability |
|---|---|---|---|
| Ivanti Neurons for ITSM (On-Premises) | 2025.4 and prior | 2025.4 Patch 1 / 2025.3 Patch 1 / 2025.2 Patch 1 | Ivanti License System (ILS) Download Portal |
| Ivanti Neurons for ITSM (Cloud) | 2026.1 and prior | 2026.1 Patch 9 / 2026.2 Patch 1 | Auto-applied May 24–25, 2026 |
Cloud (SaaS) customers received the security fix automatically during the emergency patch rollouts on May 24 and May 25, 2026, and require no further action.
On-premises customers running version 2025.4 or earlier must manually download and apply the appropriate patch through the Ivanti License System (ILS) portal.
Ivanti deployed a second emergency cloud patch later the same week (2026.1 Patch 10 and 2026.2 Patch 2) to fix a separate bug in which IP addresses were not being logged correctly. This secondary issue only affects the cloud version of the product and is unrelated to CVE-2026-9614 itself, but it matters for investigations: cloud audit records written before that second patch may not carry reliable source IP addresses, so correlation by IP for that window should be treated with caution.
At the time of public disclosure on June 1, 2026, Ivanti confirmed it was not aware of any active exploitation of CVE-2026-9614 in the wild.
However, the simplicity of the attack chain means a working exploit could be developed rapidly now that the advisory is public.
Security researchers and threat intelligence platforms have already indexed this CVE, increasing the likelihood of weaponization in the short term.
Ivanti products have been a repeated target for threat actors in 2025 and 2026, with multiple CVEs, including CVE-2026-4913 (authentication bypass) and CVE-2026-6973 (RCE in EPMM), actively exploited in prior campaigns.
Organizations relying on Ivanti ITSM should treat this advisory with urgency, especially given the platform’s privileged position within enterprise IT workflows.
Mitigations
Security teams should take the following steps immediately:
- On-premises deployments: Apply 2025.4 Patch 1, 2025.3 Patch 1, or 2025.2 Patch 1 from the ILS Download Portal without delay.
- Cloud deployments: Confirm with Ivanti that the fix has been applied to your tenant; no manual patching is required.
- Audit role configurations: Review all ITSM user roles and ensure permissions are strictly limited to intended administrative scopes. Misconfigurations can allow privilege escalation independent of this CVE.
- Enable enhanced logging: Monitor for anomalous privilege changes, unexpected admin account creation, or suspicious workflow modifications in ITSM audit logs.
- Integrate threat detection: Map ITSM administrative access events to MITRE ATT&CK technique T1078 (Valid Accounts) for the authenticated access and T1068 (Exploitation for Privilege Escalation) for the escalation itself, and monitor for privilege escalation indicators.
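The logging and detection items above describe what to look for but not how to check for it. The following added example (not Ivanti's tooling) runs that review over a constructed set of audit events: it tracks each account's role as the log reports it and flags an account granting itself an administrator role, a non-administrator assigning an administrator role, and any later administrative action by an account that was escalated suspiciously. The JSON event format, field names, role names and sample records are constructed for illustration and are not the real Ivanti Neurons for ITSM audit schema; the parser is the part to adapt to the fields your tenant exports.

```python
"""Detection logic for the audit-log review recommended above. Added
example: the JSON event format, field names and sample records are
constructed for illustration and are not the real Ivanti Neurons for
ITSM audit schema; adapt parse_events() to the fields your tenant exports."""

import json
from typing import Iterable

ADMIN_ROLES = {"Administrator"}

# Baseline of who held which role before the review window
# (constructed; in practice export this from the role configuration).
BASELINE_ROLES = {
    "alice": "Administrator",
    "bob": "SelfService",
    "carol": "SelfService",
}

# Constructed sample audit lines, one JSON object per line.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-05-26T08:01:10Z", "event": "user_create", "actor": "alice", "user": "dave", "role": "Analyst"}
{"ts": "2026-05-26T08:14:42Z", "event": "role_change", "actor": "bob", "target": "bob", "old_role": "SelfService", "new_role": "Administrator"}
{"ts": "2026-05-26T08:15:03Z", "event": "user_create", "actor": "bob", "user": "svc-ops2", "role": "Administrator"}
{"ts": "2026-05-26T09:02:55Z", "event": "role_change", "actor": "carol", "target": "erin", "old_role": "Analyst", "new_role": "Administrator"}
{"ts": "2026-05-26T09:30:00Z", "event": "role_change", "actor": "alice", "target": "frank", "old_role": "SelfService", "new_role": "Analyst"}
"""


def parse_events(text: str) -> Iterable[dict]:
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def detect_privilege_abuse(events: Iterable[dict], baseline: dict) -> list:
    """Walk the audit trail in order, tracking each account's role as the
    log reports it, and flag three patterns:
      self_escalation             an account grants itself an admin role
      nonadmin_grants_admin       a non-admin actor assigns an admin role
      tainted_actor_admin_action  a suspiciously escalated account later
                                  performs an administrative action
    Each finding carries the ATT&CK mapping from the mitigation list."""
    roles = dict(baseline)
    tainted = set()
    findings = []

    def flag(rule, e, detail):
        findings.append({"rule": rule, "ts": e["ts"], "actor": e["actor"],
                         "detail": detail, "attack": ["T1078", "T1068"]})

    for e in events:
        actor_is_admin = roles.get(e["actor"]) in ADMIN_ROLES
        if e["event"] == "role_change":
            grants_admin = e["new_role"] in ADMIN_ROLES
            if grants_admin and e["target"] == e["actor"]:
                flag("self_escalation", e, f"{e['actor']} -> {e['new_role']}")
                tainted.add(e["actor"])
            elif grants_admin and not actor_is_admin:
                flag("nonadmin_grants_admin", e, f"{e['target']} -> {e['new_role']}")
                tainted.add(e["target"])
            elif e["actor"] in tainted:
                flag("tainted_actor_admin_action", e, f"role_change on {e['target']}")
                if grants_admin:
                    tainted.add(e["target"])
            roles[e["target"]] = e["new_role"]
        elif e["event"] == "user_create":
            creates_admin = e["role"] in ADMIN_ROLES
            if e["actor"] in tainted:
                flag("tainted_actor_admin_action", e, f"created {e['user']} as {e['role']}")
                if creates_admin:
                    tainted.add(e["user"])
            elif creates_admin and not actor_is_admin:
                flag("nonadmin_grants_admin", e, f"created {e['user']} as {e['role']}")
                tainted.add(e["user"])
            roles[e["user"]] = e["role"]
    return findings


def rules_fired(text: str = SAMPLE_AUDIT_LOG) -> list:
    """Rule names in log order for the given audit text."""
    return [f["rule"] for f in detect_privilege_abuse(parse_events(text), BASELINE_ROLES)]


if __name__ == "__main__":
    for f in detect_privilege_abuse(parse_events(SAMPLE_AUDIT_LOG), BASELINE_ROLES):
        print(f["ts"], f["rule"], f["actor"], f["detail"])
```

The baseline is what makes this useful: the log alone will show bob as an administrator from the moment the escalation is recorded, so a check that only reads the actor's current role would treat everything bob does afterwards as legitimate. Seeding roles from a known-good export and carrying a "tainted" set forward is what surfaces the follow-on actions (here, creation of a second administrator account) that an attacker would take to persist.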
FAQ
Q1. Is CVE-2026-9614 actively being exploited in the wild?
No, Ivanti confirmed no known active exploitation at the time of disclosure, but the low attack complexity makes rapid weaponization a credible near-term risk.
Q2. Do Ivanti Neurons for ITSM cloud customers need to patch manually?
No, Ivanti automatically applied the fix to all cloud landscapes on May 24–25, 2026, requiring zero customer action.
Q3. What access does an attacker gain by exploiting this vulnerability?
A remote authenticated attacker with low-level privileges can escalate to full administrator access, impacting confidentiality, integrity, and availability.
Q4. How can organizations check if they have been compromised?
No public IoCs exist yet; Ivanti recommends auditing role configurations and reviewing admin privilege assignments for any unauthorized changes.
Site: thecybrdef.com