ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-9614 Privilege Escalation in Ivanti Neurons for ITSM

A brief summary of CVE-2026-9614, a high severity improper access control flaw in Ivanti Neurons for ITSM that allows any authenticated user to escalate to full administrator. Includes patch information for both cloud and on premises deployments.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-01

Quick Look: CVE-2026-9614 Privilege Escalation in Ivanti Neurons for ITSM
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An out of band emergency patch from Ivanti on June 1, 2026 addresses a privilege escalation flaw in Ivanti Neurons for ITSM that lets any authenticated user, even one with the lowest level of access, promote themselves to full administrator. For organizations running on premises deployments, the window between disclosure and patch application represents a period of significant exposure, particularly given Ivanti's well documented history of rapid post disclosure exploitation across its product portfolio.

Ivanti Neurons for ITSM is a service management platform used by enterprises to manage IT service desks, incident workflows, configuration items, and asset records. Ivanti competes in the ITSM market alongside ServiceNow (which holds 44.4% market share), Atlassian, and BMC Software, and the platform holds a 4.2 star rating across 1,333 reviews on Gartner Peer Insights. Administrative access to an ITSM platform of this kind provides control over enterprise service management workflows, user data, and configuration records, making it a high value target for attackers.

Technical Information

Root Cause: Improper Access Control (CWE-284)

CVE-2026-9614 is classified under CWE-284 (Improper Access Control), which MITRE defines as occurring when "the product does not restrict or incorrectly restricts access to a resource from an unauthorized actor." MITRE notes that CWE-284 is a broad category encompassing more specific child weaknesses including privilege escalation, insecure direct object references, and session management flaws. MITRE actually discourages direct use of CWE-284 in favor of more specific child CWEs, which suggests the precise mechanism may fall under a narrower sub category such as CWE-269 (Improper Privilege Management) or CWE-639 (Authorization Bypass Through User Controlled Key).

The vulnerability affects both cloud and on premises deployments of Ivanti Neurons for ITSM, indicating the flaw resides in the application logic layer rather than in deployment specific infrastructure.

CVSS v3.1 Vector Analysis

The full CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 8.8 (High). Breaking this down:

CVSS ComponentValueSignificance
Attack Vector (AV)Network (N)Exploitable remotely over the network
Attack Complexity (AC)Low (L)No specialized conditions required
Privileges Required (PR)Low (L)Any authenticated user can exploit
User Interaction (UI)None (N)No victim action needed
Scope (S)Unchanged (U)Impact confined to the vulnerable component
Confidentiality (C)High (H)Total information disclosure
Integrity (I)High (H)Total modification of data
Availability (A)High (H)Total denial of service possible

The combination of PR:L and AC:L is particularly notable. This means any user with basic authentication credentials, whether a low privilege service desk agent, an end user with a self service portal login, or any other non administrative role, could potentially elevate their access to full administrator. In a typical ITSM deployment with hundreds or thousands of authenticated users, the attack surface is substantial.

Attack Flow

Based on the advisory details and CVSS vector, the exploitation path follows this sequence:

  1. Authentication: The attacker must possess valid credentials for the ITSM application. This could be a low privilege account such as a standard service desk user, an end user with self service portal access, or any other non administrative role. Credential sources could include legitimate employee accounts, compromised credentials from phishing or credential stuffing, or insider threat scenarios.

  2. Access Control Bypass: Once authenticated, the attacker exploits the improper access control mechanism to escalate privileges to full administrator. Given the CWE-284 classification and the "low complexity" rating, this likely involves directly accessing administrative functions or API endpoints without proper authorization checks, rather than requiring complex chaining or race conditions.

  3. Full Administrative Compromise: With administrative access, the attacker gains complete control over the ITSM platform. This includes the ability to view, modify, or delete all service management data; create or modify user accounts and permissions; access configuration items and asset records; and alter workflows and automation rules.

The fact that Ivanti released this patch out of band, specifically citing the "simplicity of exploitation" as the reason for the elevated urgency, reinforces that the exploitation technique is straightforward once an attacker has any level of authenticated access. This is not a vulnerability that requires sophisticated tooling or deep product knowledge to exploit.

Strategic Impact

Administrative access to an ITSM platform is not just a theoretical concern. An attacker with admin control over Ivanti Neurons for ITSM could exfiltrate sensitive incident data and configuration records, create persistent backdoor accounts, modify workflows to redirect approvals or suppress alerts, use the platform as a pivot point for lateral movement across the enterprise, and disrupt IT service operations by altering or deleting critical service management configurations.

Patch Information

Ivanti responded to CVE-2026-9614 with an out of band emergency patch released on June 1, 2026, citing the elevated risk due to the simplicity of exploitation. The fix addresses the Improper Access Control flaw in Ivanti Neurons for ITSM that allowed a remote authenticated attacker to escalate privileges to full administrator access.

The patch strategy is split across two deployment models:

On Premises Deployments

Ivanti back ported the fix to the three most recent release branches. On premises administrators must manually download and apply one of the following patched versions from the Ivanti License System (ILS) Downloads portal:

Affected VersionFixed Version
2025.4 and prior2025.4 Patch 1
2025.3.x2025.3 Patch 1
2025.2.x2025.2 Patch 1

This is a manual update. On premises customers must actively obtain and deploy the patch; it will not apply itself.

Cloud (SaaS) Deployments

Ivanti proactively applied the security fix to all cloud tenant landscapes on May 24 and May 25, 2026, a full week before public disclosure. The remediated cloud versions are:

  • 2026.1 Patch 9
  • 2026.2 Patch 1

Cloud customers do not need to take any action, as Ivanti confirmed the fix has already been applied across all cloud environments.

Post Patch Note for Cloud Administrators

Shortly after deploying the security fix on cloud tenants, Ivanti also released a follow on patch (2026.1 Patch 10 and 2026.2 Patch 2) that corrected a separate regression bug where IP addresses were not being logged properly. This logging issue only affects the cloud version and was not part of the original CVE-2026-9614 fix itself, but it is important context for cloud administrators reviewing their recent patching timeline.

External Advisories

The Canadian Centre for Cyber Security independently issued advisory AV26-533 on June 1, 2026, corroborating the affected product versions and directing organizations to apply Ivanti's updates immediately. The NVD entry for CVE-2026-9614 was published the same day, referencing Ivanti's security advisory as the sole primary source.

Workaround (If Patching Is Delayed)

For organizations that cannot patch immediately, Ivanti advises auditing role configurations to ensure that permissions are strictly limited to intended administrative roles. Specific actions include:

  • Review all user accounts and role assignments in Ivanti Neurons for ITSM, removing any unnecessary privileges
  • Enforce the principle of least privilege by ensuring service desk agents, end users, and other non admin roles have only the minimum permissions required
  • Monitor administrative access logs for any unusual privilege escalation activity or access by accounts that should not have admin level permissions
  • Restrict network access to the ITSM application where possible, limiting the pool of authenticated users who could potentially exploit the vulnerability
  • Implement multi factor authentication to reduce the risk of credential compromise leading to authenticated access
  • Deploy network segmentation to limit ITSM exposure to only authorized internal networks
  • Enable detailed access logging and configure SIEM alerting for anomalous admin level actions performed by non admin accounts

Affected Systems and Versions

On Premises Deployments: All on premises versions of Ivanti Neurons for ITSM up to and including version 2025.4 are vulnerable. This encompasses the 2025.2.x, 2025.3.x, and 2025.4 release branches, as well as any earlier versions.

Cloud (SaaS) Deployments: All cloud versions up to and including 2026.1 (prior to Patch 9) and 2026.2 (prior to Patch 1) were affected. These have been automatically remediated by Ivanti as of May 24 and 25, 2026.

Fixed Versions:

Deployment TypeFixed Versions
On Premises2025.4 Patch 1, 2025.3 Patch 1, 2025.2 Patch 1
Cloud (SaaS)2026.1 Patch 9, 2026.2 Patch 1 (auto deployed)

The divergence between cloud and on premises remediation timelines is a critical operational detail. SaaS customers have been protected since May 24 and 25, while on premises deployments remain vulnerable until administrators manually apply the patch. Organizations running on premises Ivanti Neurons for ITSM should treat patching as an emergency operation, not a scheduled maintenance item.

Vendor Security History

Ivanti has faced a significant and recurring pattern of critical security vulnerabilities across multiple product lines over the 2024 to 2026 period, several of which have been actively exploited in the wild and added to the CISA Known Exploited Vulnerabilities catalog:

YearProductCVE(s)SeverityExploited in the WildCISA KEV
Jan 2024Connect Secure / Policy SecureCVE-2023-46805, CVE-2024-21887CriticalYesYes
Jan 2025Connect SecureCVE-2025-0282CriticalYesYes
Apr 2025Connect SecureCVE-2025-22457CriticalYesYes
Jan 2026EPMMCVE-2026-12819.8YesYes
Apr 2026EPMMCVE-2026-13409.8YesYes
Apr 2026Neurons for ITSMCVE-2026-4913, CVE-2026-4914MediumNoNo
Jun 2026Neurons for ITSMCVE-2026-96148.8No (per Ivanti)Not yet

China nexus threat actors have been associated with exploitation of Ivanti Connect Secure vulnerabilities dating back to December 2023, with CISA issuing emergency directives. The EPMM zero days (CVE-2026-1281 and CVE-2026-1340) were exploited with widespread web shell deployment and credential harvesting before patches were available. CISA issued updated RESURGE malware analysis in February 2026, highlighting a stealthy active threat linked to Ivanti compromise that can remain dormant within compromised environments.

While Neurons for ITSM has not yet experienced confirmed in the wild exploitation, the precedent set by other Ivanti products warrants heightened vigilance. Threat actors that have invested in Ivanti exploitation tooling may expand their focus to the ITSM platform, particularly given the administrative access this CVE provides.

Ivanti has stated it is not aware of active exploitation of CVE-2026-9614 prior to disclosure. However, the low exploitation complexity combined with Ivanti's track record of rapid weaponization makes post disclosure exploitation a realistic concern. Organizations should conduct post remediation reviews of administrative access logs covering the window between disclosure (June 1, 2026) and patch application, as any exploitation would manifest as non admin accounts performing admin level operations.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization