Ivanti ITSM Vulnerability Let Remote Attacker Gain Administrative Access

Ivanti has released security updates to address a critical authentication bypass vulnerability in its Neurons for ITSM (IT Service Management) solution that could allow unauthenticated attackers to gain administrative access to vulnerable systems.

Disclosed on May 13, 2025, the flaw affects on-premises instances only and has been assigned a CVSS score of 9.8, indicating its severity.

The vulnerability, tracked as CVE-2025-22462, impacts Ivanti Neurons for ITSM versions 2023.4, 2024.2, 2024.3, and earlier releases.

According to Ivanti’s advisory, successful exploitation could allow remote attackers to gain administrative access to affected systems, though the risk varies depending on system configuration.

Critical Ivanti ITSM Vulnerability

“Customers who have followed Ivanti’s guidance on securing the IIS website and restricted access to a limited number of IP addresses and domain names have a reduced risk to their environment,” Ivanti stated in its security advisory.

The company also noted that customers who have configured their solution with a DMZ for external user access face lower risks.

Security patches are now available through Ivanti’s download portal, with a separate update for each affected version.

| Product Name                           | Affected Version(s) | Resolved Version(s)              | Patch Availability |
|----------------------------------------|---------------------|----------------------------------|--------------------|
| Ivanti Neurons for ITSM (on-prem only) | 2023.4              | 2023.4 May 2025 Security Patch   | Download Available in ILS |
| Ivanti Neurons for ITSM (on-prem only) | 2024.2              | 2024.2 May 2025 Security Patch   | Download Available in ILS |
| Ivanti Neurons for ITSM (on-prem only) | 2024.3              | 2024.3 May 2025 Security Patch   | Download Available in ILS |

While the base CVSS score indicates critical severity (9.8), Ivanti has provided an environmental score of 6.9 (Medium) for organizations that have implemented recommended security configurations.

This adjusted score reflects environments where the ITSM instance is only available to high-privileged users through networking restrictions or other controls.

The company stated it has found no evidence of active exploitation targeting customers at the time of disclosure. The vulnerability was identified through Ivanti’s responsible disclosure program.

This is the latest in a series of security issues affecting Ivanti products over the past year. In April 2025, Ivanti disclosed a critical vulnerability (CVE-2025-22457) in its Connect Secure VPN appliances that was being actively exploited by suspected China-nexus threat actors.

Earlier in March, the company patched critical vulnerabilities in Standalone Sentry and Neurons for ITSM that could lead to command execution.

Organizations using affected versions of Ivanti Neurons for ITSM are strongly encouraged to apply the available security patches immediately.

For those unable to patch immediately, implementing the recommended mitigation steps, including securing the IIS website, restricting access by IP address and domain name, and ensuring proper DMZ configuration, can help reduce exposure.
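The IIS hardening that Ivanti's advisory relies on (restricting the ITSM website by IP address and domain name) is implemented through the IIS "IP and Domain Restrictions" feature. The PowerShell below is an added example, not Ivanti's own script; the site name, management subnet and domain suffix are assumed placeholders to be replaced with the organization's values.

```powershell
# Added example: allow-list access to the Ivanti Neurons for ITSM IIS site.
# Assumptions (replace for your environment): site name, subnet, domain suffix.
Import-Module WebAdministration

$SiteName    = 'ITSM-Site'          # assumed IIS site name hosting ITSM
$AllowedNet  = '10.20.30.0'         # assumed management / helpdesk subnet
$AllowedMask = '255.255.255.0'
$AllowedDom  = 'mgmt.example.com'   # assumed trusted domain suffix (needs reverse DNS)

# The ipSecurity section is only honoured when the role service is installed.
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Install-WindowsFeature Web-IP-Security | Out-Null
}

$Filter  = 'system.webServer/security/ipSecurity'
$AppHost = 'MACHINE/WEBROOT/APPHOST'   # edit applicationHost.config, avoids section locking

# Weak default: allowUnlisted=true, i.e. every source address may reach the site.
# Corrected state: deny by default, then list the permitted sources explicitly.
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Filter `
    -Name 'allowUnlisted' -Value $false

# Domain-name rules require IIS to reverse-resolve the client address per request.
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Filter `
    -Name 'enableReverseDns' -Value $true

# Allow the management subnet and the trusted domain; everything else receives 403.
Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Filter `
    -Name '.' -Value @{ ipAddress = $AllowedNet; subnetMask = $AllowedMask; allowed = 'true' }
Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Filter `
    -Name '.' -Value @{ domainName = $AllowedDom; allowed = 'true' }

# Verify the effective configuration for the site before relying on it.
$cfg = Get-WebConfiguration -PSPath $AppHost -Location $SiteName -Filter $Filter
"allowUnlisted = $($cfg.allowUnlisted); enableReverseDns = $($cfg.enableReverseDns)"
Get-WebConfiguration -PSPath $AppHost -Location $SiteName -Filter "$Filter/add" |
    Select-Object ipAddress, subnetMask, domainName, allowed | Format-Table -AutoSize
```

Run this from an elevated PowerShell session on the ITSM web server. Domain-based rules add a reverse DNS lookup to every request, so measure the latency impact in a test environment before enabling them in production.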
