Ivanti Releases Patch for Neurons for ITSM Addressing Persistent Access and XSS Vulnerabilities

210/69 Friday, April 17, 2026

Ivanti has released security updates for Ivanti Neurons for ITSM to address two medium-severity vulnerabilities affecting both on-premises and cloud deployments.

The first vulnerability, CVE-2026-4913 (CVSS 5.7), could allow authenticated users to retain access to the system even after their accounts have been disabled. This issue may enable unauthorized continued access, posing a risk to organizations that rely on proper account deactivation for security control.

The second vulnerability, CVE-2026-4914 (CVSS 5.4), is a Stored Cross-Site Scripting (XSS) flaw that could be exploited to access limited data from other users’ sessions remotely. However, successful exploitation requires prior authentication and user interaction.

Ivanti stated that there is currently no evidence of active exploitation of these vulnerabilities in the wild, and that no other Ivanti products are affected. Both issues have been resolved in version 2025.4. Cloud customers are not required to take any action, as patches were automatically applied on December 12, 2025.

Additionally, Ivanti provided clarification regarding OpenSSH vulnerabilities (CVE-2025-26465 and CVE-2025-26466), confirming that products such as EPMM, Sentry, and Connector are not impacted. However, OpenSSH components will be updated in future releases to further enhance security.

Source: https://www.securityweek.com/two-vulnerabilities-patched-in-ivanti-neurons-for-itsm/