Description
Improper protection of an alternate path in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to retain access when their account has been disabled.
Published: 2026-04-14
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: Continued access via disabled account
Action: Patch
AI Analysis

Impact

Ivanti Neurons for ITSM, both Cloud and On‑Premise, contains an improperly protected alternate path that allows a remote authenticated user to continue interacting with the system after their account has been disabled. This flaw can let an attacker maintain session activity beyond the intended account deactivation point, potentially giving them ongoing, unauthorized access. The weakness aligns with CWE‑424, representing a logical error where an entity’s intended user access controls are overridden or bypassed.

Affected Systems

All versions of Ivanti Neurons for ITSM released before 2025.4 are impacted. The vulnerability applies to both the Cloud and On‑Premise editions and is not tied to a particular operating system or hardware configuration.

Risk and Exploitability

The CVSS score of 5.7 reflects a moderate impact, indicating that continued access could lead to unauthorized actions but does not guarantee full privilege escalation. EPSS data is not available, so precise exploit probability cannot be assessed. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires the attacker to be a legitimate user of the system; once authenticated, they can exploit the alternate path to retain access after the account has been disabled. The attack vector is remote, network‑based, and authenticated. The available information does not disclose whether attackers have already exploited this flaw in production environments.

Generated by OpenCVE AI on April 14, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Ivanti Neurons for ITSM version 2025.4 or later.
  • Verify that disabled accounts can no longer access the alternate path after updating.
  • Monitor user sessions to detect any active sessions for accounts that have been disabled.

Generated by OpenCVE AI on April 14, 2026 at 16:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Authenticated Bypass of Account Disabling in Ivanti Neurons for ITSM

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Ivanti
Ivanti neurons For Itsm
Vendors & Products Ivanti
Ivanti neurons For Itsm

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Improper protection of an alternate path in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to retain access when their account has been disabled.
Weaknesses CWE-424
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Ivanti Neurons For Itsm
cve-icon MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-04-14T15:07:48.368Z

Reserved: 2026-03-26T16:37:44.109Z

Link: CVE-2026-4913

cve-icon Vulnrichment

Updated: 2026-04-14T15:07:43.500Z

cve-icon NVD

Status : Received

Published: 2026-04-14T15:16:39.587

Modified: 2026-04-14T15:16:39.587

Link: CVE-2026-4913

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:30:25Z

Weaknesses