- Ivanti released a patch for a critical severity flaw in Neurons for ITSM
- The flaw can be abused to gain admin rights on target systems
- There is no evidence of abuse in the wild
Ivanti has patched a critical-severity vulnerability in its Neurons for ITSM IT service management solution, and is urging users to apply the fix and mitigate the risk as soon as possible.
Neurons for ITSM is an AI-powered IT Service Management platform used by IT departments in mid-to-large enterprises to automate, streamline, and manage IT support services, incidents, and assets across their organizations.
An exact number of users is unknown, but Ivanti claims to be servicing tens of thousands of organizations with its portfolio, so it’s safe to assume the attack surface is relatively large.
Low complexity attacks
The vulnerability in question is tracked as CVE-2025-22462. NVD describes it as an authentication bypass in Neurons for ITSM in versions before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch. It affects on-prem instances only, and allows a remote unauthenticated threat actor to gain admin rights on the target system.
The company says that depending on the system configuration, the vulnerability can be exploited in low-complexity attacks. That, however, doesn’t seem to have happened yet, since Ivanti claims there is no evidence of abuse in the wild so far.
Ivanti also suggested that organizations should follow its guidance, since then they will be less exposed to potential attacks.
“Customers who have followed Ivanti’s guidance on securing the IIS website and restricted access to a limited number of IP addresses and domain names have a reduced risk to their environment,” the company said in an advisory. “Customers who have users log into the solution from outside their company network also have a reduced risk to their environment if they ensure that the solution is configured with a DMZ.”
This is the second major vulnerability Ivanti patched this week, after addressing a critical-severity bug in its Endpoint Manager Mobile (EPMM) software.
Via BleepingComputer
Leave a comment