Ivanti fixes Connect Secure, Policy Secure, and Neurons for ITSM vulnerabilities
Ivanti issued security updates for multiple enterprise products, including Ivanti Connect Secure, Policy Secure, and Ivanti Neurons for ITSM, as the company continued remediation across its remote access and IT service management portfolio. The Neurons for ITSM fixes arrived in version 2025.4 and addressed CVE-2026-4913 and CVE-2026-4914, affecting version 2025.3 and earlier in both on-premises and cloud deployments; Ivanti said cloud instances had already been patched and urged on-premises customers to upgrade through the Ivanti License System.
According to Ivanti, CVE-2026-4913 is an improper path protection flaw that could allow a remote authenticated attacker to retain access after an administrator disables the account, while CVE-2026-4914 is a stored XSS issue that could let an authenticated attacker access limited data from other users’ sessions. Ivanti said it was not aware of active exploitation and had no indicators of compromise for the Neurons flaws, while its separate advisory for Connect Secure and Policy Secure signaled additional security remediation affecting those products.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Ivanti publishes advisory for Neurons for ITSM flaw CVE-2026-9614
On June 1, 2026, Ivanti published a security advisory for CVE-2026-9614 affecting Ivanti Neurons for ITSM on-premises version 2025.4 and prior and cloud version 2026.1 and prior. The Canadian Centre for Cyber Security urged administrators to review Ivanti’s advisory and apply the necessary updates.
Ivanti remediates Neurons for ITSM cloud instances for CVE-2026-9614
Ivanti said SaaS deployments of Ivanti Neurons for ITSM were automatically remediated through service updates on May 24 and May 25, 2026, for CVE-2026-9614. The flaw is an improper access control issue that can let an authenticated remote user escalate privileges to administrator.
Ivanti releases Neurons for ITSM 2025.4 to fix CVE-2026-4913 and CVE-2026-4914
Ivanti released version 2025.4 of Ivanti Neurons for ITSM to address CVE-2026-4913, an improper path protection issue, and CVE-2026-4914, a stored XSS flaw. The company said affected versions include 2025.3 and earlier, no active exploitation was known, and on-premise customers should upgrade manually.
Ivanti applies cloud fixes for Neurons for ITSM vulnerabilities
Ivanti remediated two vulnerabilities affecting Ivanti Neurons for ITSM cloud deployments. According to the later disclosure, the cloud fixes were already applied by Ivanti on December 12, 2025.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
Ivanti ITSM Vulnerability let Attackers Gain Admin Privilege
cybersecuritynews.com
Open sourceIvanti ITSM Vulnerability Allows Privilege Escalation
securityonline.info
Open sourceIvanti security advisory (AV26-533) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceSecurity Advisory Ivanti Neurons for ITSM (CVE-2026-9614)
hub.ivanti.com
Open sourceIvanti Neurons for ITSM Vulnerabilities Allow Remote Attacker to Obtain User Sessions - Cyber Security News
cybersecuritynews.com
Open sourceSecurity Advisory Ivanti Neurons for ITSM (CVE-2026-4913, CVE-2026-4914)
hub.ivanti.com
Open sourceSecurity Advisory May 2024
forums.ivanti.com
Open sourceSecurity Update for Ivanti Connect Secure and Policy Secure | Ivanti
ivanti.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ivanti patches multiple Connect Secure and ZTA flaws enabling DoS and file read
Ivanti released security updates for **Ivanti Connect Secure**, **Policy Secure**, **ZTA Gateway**, and **Neurons for Secure Access** to fix four vulnerabilities, including two high-severity remote unauthenticated denial-of-service flaws tracked as `CVE-2025-5456` and `CVE-2025-5462`. The bugs stem from memory-safety weaknesses including a buffer over-read and a heap-based buffer overflow that can be triggered through crafted network input, potentially crashing appliances that provide VPN, zero-trust, and access-control services. Ivanti said cloud instances of Neurons for Secure Access were remediated by **August 2, 2025**, while on-premises customers must apply the fixed releases. The same advisory also addressed `CVE-2025-5466`, an authenticated administrator **XXE** issue that can cause denial of service, and `CVE-2025-5468`, a symbolic link handling flaw that could let a local authenticated attacker read arbitrary files. Ivanti said it had no evidence of customer exploitation before disclosure and that the issues were found through internal assessments and responsible disclosure, but the breadth of affected products increases operational risk for enterprises relying on Ivanti remote access infrastructure. The company also noted that **Pulse Connect Secure 9.x** no longer receives backported fixes because it has reached end of support.
Jun 12, 2026
Ivanti Connect Secure RCE Flaws Exploited, Legacy Pulse Secure Left Unpatched
Ivanti disclosed multiple critical vulnerabilities affecting **Ivanti Connect Secure**, **Ivanti Policy Secure**, and **Ivanti Neurons for ZTA Gateway**, including `CVE-2025-0282` (CVSS 9.0), a stack-based buffer overflow that allows unauthenticated remote code execution, and `CVE-2025-0283` (CVSS 7.0), which enables privilege escalation. Ivanti said `CVE-2025-0282` has been exploited in the wild against Ivanti Connect Secure, prompting urgent guidance for organizations to upgrade to fixed releases and use the **Integrity Checker Tool** to look for signs of compromise. Authorities later warned that `CVE-2025-22457` is also being actively exploited in **Ivanti Connect Secure** and **Pulse Connect Secure**, allowing remote command execution on vulnerable systems. Ivanti Connect Secure addressed that flaw in version **22.7R2.6**, but **Pulse Connect Secure 9.x** has no patch and will not receive one, leaving migration and retirement as the only mitigation for legacy deployments. While Ivanti Policy Secure and ZTA Gateway are also affected by `CVE-2025-22457`, exploitation had not been observed in those products at the time of reporting.
Apr 23, 2026
Ivanti Patches RCE and Privilege Escalation Flaws in Secure Access Client and vTM
Ivanti released security updates for two enterprise products, fixing multiple vulnerabilities in **Ivanti Secure Access Client for Windows** and **Ivanti Virtual Traffic Manager (vTM)**. In Secure Access Client, version `22.8R6` addresses **CVE-2026-7431**, an incorrect permissions issue that could let a local authenticated user read or modify sensitive log data; **CVE-2026-7432**, a race condition that could allow local privilege escalation to `SYSTEM`; and **CVE-2026-8992`, an improper certificate validation flaw that could enable remote unauthenticated code execution. Ivanti said affected Secure Access Client versions are `22.8R5` and earlier and advised customers to upgrade to `22.8R6`. Ivanti also patched **CVE-2026-8051** in **Ivanti Virtual Traffic Manager**, a high-severity `CWE-78` OS command injection vulnerability with a CVSS score of `7.2` that could allow a remote authenticated administrator to achieve remote code execution. The flaw affects vTM `22.9r3` and earlier and is fixed in `22.9r4`. Ivanti said it was not aware of customer exploitation of any of the disclosed issues before publication and said the vulnerabilities were reported through its responsible disclosure program, crediting William Söderberg of Reversec for the vTM finding.
Jun 21, 2026