Introduction
An out of band emergency patch from Ivanti on June 1, 2026 addresses a privilege escalation flaw in Ivanti Neurons for ITSM that lets any authenticated user, even one with the lowest level of access, promote themselves to full administrator. For organizations running on premises deployments, the window between disclosure and patch application represents a period of significant exposure, particularly given Ivanti's well documented history of rapid post disclosure exploitation across its product portfolio.
Ivanti Neurons for ITSM is a service management platform used by enterprises to manage IT service desks, incident workflows, configuration items, and asset records. Ivanti competes in the ITSM market alongside ServiceNow (which holds 44.4% market share), Atlassian, and BMC Software, and the platform holds a 4.2 star rating across 1,333 reviews on Gartner Peer Insights. Administrative access to an ITSM platform of this kind provides control over enterprise service management workflows, user data, and configuration records, making it a high value target for attackers.
Technical Information
Root Cause: Improper Access Control (CWE-284)
CVE-2026-9614 is classified under CWE-284 (Improper Access Control), which MITRE defines as occurring when "the product does not restrict or incorrectly restricts access to a resource from an unauthorized actor." MITRE notes that CWE-284 is a broad category encompassing more specific child weaknesses including privilege escalation, insecure direct object references, and session management flaws. MITRE actually discourages direct use of CWE-284 in favor of more specific child CWEs, which suggests the precise mechanism may fall under a narrower sub category such as CWE-269 (Improper Privilege Management) or CWE-639 (Authorization Bypass Through User Controlled Key).
The vulnerability affects both cloud and on premises deployments of Ivanti Neurons for ITSM, indicating the flaw resides in the application logic layer rather than in deployment specific infrastructure.
CVSS v3.1 Vector Analysis
The full CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 8.8 (High). Breaking this down:
| CVSS Component | Value | Significance |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely over the network |
| Attack Complexity (AC) | Low (L) | No specialized conditions required |
| Privileges Required (PR) | Low (L) | Any authenticated user can exploit |
| User Interaction (UI) | None (N) | No victim action needed |
| Scope (S) | Unchanged (U) | Impact confined to the vulnerable component |
| Confidentiality (C) | High (H) | Total information disclosure |
| Integrity (I) | High (H) | Total modification of data |
| Availability (A) | High (H) | Total denial of service possible |
The combination of PR:L and AC:L is particularly notable. This means any user with basic authentication credentials, whether a low privilege service desk agent, an end user with a self service portal login, or any other non administrative role, could potentially elevate their access to full administrator. In a typical ITSM deployment with hundreds or thousands of authenticated users, the attack surface is substantial.
Attack Flow
Based on the advisory details and CVSS vector, the exploitation path follows this sequence:
-
Authentication: The attacker must possess valid credentials for the ITSM application. This could be a low privilege account such as a standard service desk user, an end user with self service portal access, or any other non administrative role. Credential sources could include legitimate employee accounts, compromised credentials from phishing or credential stuffing, or insider threat scenarios.
-
Access Control Bypass: Once authenticated, the attacker exploits the improper access control mechanism to escalate privileges to full administrator. Given the CWE-284 classification and the "low complexity" rating, this likely involves directly accessing administrative functions or API endpoints without proper authorization checks, rather than requiring complex chaining or race conditions.
-
Full Administrative Compromise: With administrative access, the attacker gains complete control over the ITSM platform. This includes the ability to view, modify, or delete all service management data; create or modify user accounts and permissions; access configuration items and asset records; and alter workflows and automation rules.
The fact that Ivanti released this patch out of band, specifically citing the "simplicity of exploitation" as the reason for the elevated urgency, reinforces that the exploitation technique is straightforward once an attacker has any level of authenticated access. This is not a vulnerability that requires sophisticated tooling or deep product knowledge to exploit.
Strategic Impact
Administrative access to an ITSM platform is not just a theoretical concern. An attacker with admin control over Ivanti Neurons for ITSM could exfiltrate sensitive incident data and configuration records, create persistent backdoor accounts, modify workflows to redirect approvals or suppress alerts, use the platform as a pivot point for lateral movement across the enterprise, and disrupt IT service operations by altering or deleting critical service management configurations.
Patch Information
Ivanti responded to CVE-2026-9614 with an out of band emergency patch released on June 1, 2026, citing the elevated risk due to the simplicity of exploitation. The fix addresses the Improper Access Control flaw in Ivanti Neurons for ITSM that allowed a remote authenticated attacker to escalate privileges to full administrator access.
The patch strategy is split across two deployment models:
On Premises Deployments
Ivanti back ported the fix to the three most recent release branches. On premises administrators must manually download and apply one of the following patched versions from the Ivanti License System (ILS) Downloads portal:
| Affected Version | Fixed Version |
|---|---|
| 2025.4 and prior | 2025.4 Patch 1 |
| 2025.3.x | 2025.3 Patch 1 |
| 2025.2.x | 2025.2 Patch 1 |
This is a manual update. On premises customers must actively obtain and deploy the patch; it will not apply itself.
Cloud (SaaS) Deployments
Ivanti proactively applied the security fix to all cloud tenant landscapes on May 24 and May 25, 2026, a full week before public disclosure. The remediated cloud versions are:
- 2026.1 Patch 9
- 2026.2 Patch 1
Cloud customers do not need to take any action, as Ivanti confirmed the fix has already been applied across all cloud environments.
Post Patch Note for Cloud Administrators
Shortly after deploying the security fix on cloud tenants, Ivanti also released a follow on patch (2026.1 Patch 10 and 2026.2 Patch 2) that corrected a separate regression bug where IP addresses were not being logged properly. This logging issue only affects the cloud version and was not part of the original CVE-2026-9614 fix itself, but it is important context for cloud administrators reviewing their recent patching timeline.
External Advisories
The Canadian Centre for Cyber Security independently issued advisory AV26-533 on June 1, 2026, corroborating the affected product versions and directing organizations to apply Ivanti's updates immediately. The NVD entry for CVE-2026-9614 was published the same day, referencing Ivanti's security advisory as the sole primary source.
Workaround (If Patching Is Delayed)
For organizations that cannot patch immediately, Ivanti advises auditing role configurations to ensure that permissions are strictly limited to intended administrative roles. Specific actions include:
- Review all user accounts and role assignments in Ivanti Neurons for ITSM, removing any unnecessary privileges
- Enforce the principle of least privilege by ensuring service desk agents, end users, and other non admin roles have only the minimum permissions required
- Monitor administrative access logs for any unusual privilege escalation activity or access by accounts that should not have admin level permissions
- Restrict network access to the ITSM application where possible, limiting the pool of authenticated users who could potentially exploit the vulnerability
- Implement multi factor authentication to reduce the risk of credential compromise leading to authenticated access
- Deploy network segmentation to limit ITSM exposure to only authorized internal networks
- Enable detailed access logging and configure SIEM alerting for anomalous admin level actions performed by non admin accounts
Affected Systems and Versions
On Premises Deployments: All on premises versions of Ivanti Neurons for ITSM up to and including version 2025.4 are vulnerable. This encompasses the 2025.2.x, 2025.3.x, and 2025.4 release branches, as well as any earlier versions.
Cloud (SaaS) Deployments: All cloud versions up to and including 2026.1 (prior to Patch 9) and 2026.2 (prior to Patch 1) were affected. These have been automatically remediated by Ivanti as of May 24 and 25, 2026.
Fixed Versions:
| Deployment Type | Fixed Versions |
|---|---|
| On Premises | 2025.4 Patch 1, 2025.3 Patch 1, 2025.2 Patch 1 |
| Cloud (SaaS) | 2026.1 Patch 9, 2026.2 Patch 1 (auto deployed) |
The divergence between cloud and on premises remediation timelines is a critical operational detail. SaaS customers have been protected since May 24 and 25, while on premises deployments remain vulnerable until administrators manually apply the patch. Organizations running on premises Ivanti Neurons for ITSM should treat patching as an emergency operation, not a scheduled maintenance item.
Vendor Security History
Ivanti has faced a significant and recurring pattern of critical security vulnerabilities across multiple product lines over the 2024 to 2026 period, several of which have been actively exploited in the wild and added to the CISA Known Exploited Vulnerabilities catalog:
| Year | Product | CVE(s) | Severity | Exploited in the Wild | CISA KEV |
|---|---|---|---|---|---|
| Jan 2024 | Connect Secure / Policy Secure | CVE-2023-46805, CVE-2024-21887 | Critical | Yes | Yes |
| Jan 2025 | Connect Secure | CVE-2025-0282 | Critical | Yes | Yes |
| Apr 2025 | Connect Secure | CVE-2025-22457 | Critical | Yes | Yes |
| Jan 2026 | EPMM | CVE-2026-1281 | 9.8 | Yes | Yes |
| Apr 2026 | EPMM | CVE-2026-1340 | 9.8 | Yes | Yes |
| Apr 2026 | Neurons for ITSM | CVE-2026-4913, CVE-2026-4914 | Medium | No | No |
| Jun 2026 | Neurons for ITSM | CVE-2026-9614 | 8.8 | No (per Ivanti) | Not yet |
China nexus threat actors have been associated with exploitation of Ivanti Connect Secure vulnerabilities dating back to December 2023, with CISA issuing emergency directives. The EPMM zero days (CVE-2026-1281 and CVE-2026-1340) were exploited with widespread web shell deployment and credential harvesting before patches were available. CISA issued updated RESURGE malware analysis in February 2026, highlighting a stealthy active threat linked to Ivanti compromise that can remain dormant within compromised environments.
While Neurons for ITSM has not yet experienced confirmed in the wild exploitation, the precedent set by other Ivanti products warrants heightened vigilance. Threat actors that have invested in Ivanti exploitation tooling may expand their focus to the ITSM platform, particularly given the administrative access this CVE provides.
Ivanti has stated it is not aware of active exploitation of CVE-2026-9614 prior to disclosure. However, the low exploitation complexity combined with Ivanti's track record of rapid weaponization makes post disclosure exploitation a realistic concern. Organizations should conduct post remediation reviews of administrative access logs covering the window between disclosure (June 1, 2026) and patch application, as any exploitation would manifest as non admin accounts performing admin level operations.
References
- Ivanti Security Advisory: CVE-2026-9614
- NVD: CVE-2026-9614
- Canadian Centre for Cyber Security Advisory AV26-533
- CWE-284: Improper Access Control
- CWE-264: Permissions, Privileges, and Access Controls
- CISA Known Exploited Vulnerabilities Catalog
- Unit 42: Critical Vulnerabilities in Ivanti EPMM Exploited
- Rapid7: Ivanti Connect Secure CVE-2025-22457 Exploited in the Wild
- Cybersecurity Dive: CISA Adds Second Critical Flaw in Ivanti EPMM to Exploited List
- SecurityWeek: Two Vulnerabilities Patched in Ivanti Neurons for ITSM
- CISA: Updated RESURGE Malware Analysis
- Cybersecurity Dive: CISA Adds Ivanti Connect Secure Vulnerability to KEV Catalog
- Ivanti Security Advisory Blog
- Ivanti (Wikipedia)



