Description
An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access.
Published: 2026-06-01
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper access control flaw in Ivanti Neurons for ITSM that permits a remote attacker who is already authenticated to gain administrative privileges. The flaw is characterized by CWE-284, which reflects a failure to enforce proper authorization checks. As a result, an attacker can manipulate the system with full administrative rights, compromising confidentiality, integrity, and potentially availability of the service.

Affected Systems

Ivanti Neurons for ITSM product line, including both the cloud-hosted and on-premises deployments. No specific version information is provided; any deployment of these products is potentially affected.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity risk level. The EPSS score is not available, so the current exploitation probability is unknown, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a remote authenticated user exploiting improper access controls to elevate privileges to an administrator. Given the high severity and lack of mitigation details, the vulnerability poses a significant threat to affected systems.

Generated by OpenCVE AI on June 1, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Ivanti vendor‑issued patch or upgrade to a fixed version as detailed in the official advisory
  • Configure identity and access management to enforce least‑privilege and explicitly deny administrative access to untrusted users
  • Enable and monitor audit logging for administrative actions to detect unauthorized privilege use

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Mon, 01 Jun 2026 21:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Remote Authenticated Administrative Access Control Bypass |

Mon, 01 Jun 2026 19:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access. |
| Weaknesses | | CWE-284 |
| References | | |
| Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-06-02T03:56:03.438Z

Reserved: 2026-05-26T16:30:29.761Z

Link: CVE-2026-9614

Vulnrichment

Updated: 2026-06-01T19:08:54.665Z

NVD

Status: Awaiting Analysis

Published: 2026-06-01T19:16:55.940

Modified: 2026-06-02T14:01:26.667

Link: CVE-2026-9614

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T20:45:25Z

Weaknesses