An authentication bypass in Ivanti Neurons for ITSM (on-prem only) before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative access to the system.
The vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and involves the ability to bypass authentication mechanisms through an alternative access path or communication channel not protected with adequate identity verification. An attacker can send a properly crafted network request without providing any credentials and gain access with administrator privileges. The attack is possible entirely remotely, over the network, without prior system access or user interaction.
An attacker gains full administrative access to the Ivanti Neurons for ITSM system, which can lead to takeover of the ITSM platform, disclosure or modification of sensitive data (including ticket data, configuration, user data), as well as further lateral movement in the organization's infrastructure.
Apply the security patch from May 2025 as soon as possible for the appropriate product branch: 2023.4, 2024.2, or 2024.3. Detailed patch installation instructions are available in Ivanti's official security advisory at: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-on-premises-only-CVE-2025-22462. Until the patch is deployed, it is recommended to restrict access to the administrative interface only to trusted networks or VPN.
Ivanti Neurons for ITSM (on-premises deployments only) in versions prior to 2023.4, 2024.2, and 2024.3 without the security patch from May 2025 applied. SaaS (cloud) versions are not vulnerable.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HIvanti Neurons For Itsm
APPIvanti2023.42024.22024.3< 2023.4
Related vulnerabilities
Ujawnienie OIDC client secret w Ivanti Neurons for ITSM przez debug info
Ivanti Neurons for ITSM — podatność file upload umożliwiająca zapis plików na serwerze
Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM Versions 2023.4 and earlier allows...
A SQL injection vulnerability in web component of Ivanti Neurons for ITSM allows a remote authenticated user t...
An unrestricted file upload vulnerability in web component of Ivanti Neurons for ITSM allows a remote, authent...