Ivanti Neurons ITSM Vulnerabilities Enable Session Persistence Risks
Severity: Medium (Score: 57.0)
Sources: Cybersecuritynews, Thecyberexpress
Summary
Ivanti disclosed two vulnerabilities in its Neurons for IT Service Management (ITSM) platform, tracked as CVE-2026-4913 and CVE-2026-4914, which could allow remote authenticated attackers to maintain unauthorized access to user sessions. CVE-2026-4913 enables attackers to retain access even after account deactivation, while CVE-2026-4914 involves stored cross-site scripting (XSS) that can expose session data. These vulnerabilities affect both on-premises and cloud deployments running version 2025.3 and earlier. Ivanti has stated there is no evidence of active exploitation as of the disclosure date, April 14, 2026. The company has issued a security advisory and recommends upgrading to version 2025.4 for on-premises users, while cloud environments were automatically patched on December 12, 2025. The vulnerabilities were identified through a responsible disclosure program.
Key Points
- Two vulnerabilities in Ivanti Neurons for ITSM could allow session persistence and data exposure.
- CVE-2026-4913 allows access retention post-account deactivation; CVE-2026-4914 involves stored XSS.
- No active exploitation reported at the time of disclosure; patches available for affected versions.
Key Entities
- XSS (vulnerability)
- Ivanti (company)
- CVE-2026-4913 (cve)
- CVE-2026-4914 (cve)
- T1078 - Valid Accounts (mitre_attack)