Ivanti has released security updates to address a critical authentication bypass vulnerability in its Neurons for ITSM (IT Service Management) solution. The flaw, disclosed on May 13, 2025, could allow unauthenticated attackers to gain administrative access to vulnerable systems.
Vulnerability Details
The vulnerability, tracked as CVE-2025-22462, affects on-premises instances of Ivanti Neurons for ITSM versions 2023.4, 2024.2, 2024.3, and earlier releases. With a CVSS score of 9.8, it is considered critical.
According to Ivanti’s advisory, successful exploitation of this flaw could allow remote attackers to gain full administrative control of affected systems. However, the risk varies depending on the system’s configuration.
Risk Factors and Recommendations
Ivanti notes that customers who have followed its guidance on securing the IIS website and restricting access to trusted IP addresses and domain names are at a reduced risk of exploitation. Additionally, organizations that have configured their systems with a DMZ for external user access face a lower risk of attack.
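The kind of IIS source restriction that guidance refers to, shown here as an added example rather than Ivanti's own hardening document or this article's content; the site name, address ranges and domain name are constructed assumptions to be replaced for a real deployment:

```powershell
# Added example, not Ivanti's own guidance: restrict the IIS site that hosts
# Ivanti Neurons for ITSM to trusted source addresses and domain names with the
# IIS "IP and Domain Restrictions" feature. $SiteName, the ranges and the
# domain are assumptions / constructed samples; replace them for your environment.
Import-Module ServerManager
Import-Module WebAdministration

$SiteName      = 'Default Web Site'          # assumption: site hosting the ITSM apps
$TrustedRanges = @(                          # constructed sample ranges
    @{ ipAddress = '10.10.0.0';  subnetMask = '255.255.0.0' },
    @{ ipAddress = '192.0.2.25'; subnetMask = '255.255.255.255' }
)
$TrustedDomain = 'mgmt.example.internal'     # constructed sample domain name

# The ipSecurity section only exists once the feature is installed.
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}

# Write the rules as a <location> entry in applicationHost.config so they are
# not subject to the section lock that blocks site-level web.config overrides.
$AppHost = 'MACHINE/WEBROOT/APPHOST'
$Filter  = 'system.webServer/security/ipSecurity'
$Common  = @{ PSPath = $AppHost; Location = $SiteName; Filter = $Filter }

# Default-deny: anything not explicitly listed is refused with 403.
Set-WebConfigurationProperty @Common -Name allowUnlisted -Value $false
Set-WebConfigurationProperty @Common -Name denyAction   -Value 'Forbidden'
# Domain-name rules need a reverse DNS lookup per request; leave this off if
# you only use address ranges.
Set-WebConfigurationProperty @Common -Name enableReverseDns -Value $true

foreach ($r in $TrustedRanges) {
    Add-WebConfigurationProperty @Common -Name '.' -Value @{
        ipAddress = $r.ipAddress; subnetMask = $r.subnetMask; allowed = $true
    }
}
Add-WebConfigurationProperty @Common -Name '.' -Value @{
    domainName = $TrustedDomain; allowed = $true
}

# Verify the effective rule set for the site.
Get-WebConfiguration -PSPath $AppHost -Location $SiteName -Filter "$Filter/add" |
    Select-Object ipAddress, subnetMask, domainName, allowed
```

Run from an elevated PowerShell session on the ITSM web server; the final query should list only the ranges and domain you added, with allowed set to True.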
Security Patches Released
Ivanti has made security patches available for the affected versions through its download portal. The updates are specific to each version of Ivanti Neurons for ITSM:
Product Name | Affected Version(s) | Resolved Version(s) | Patch Availability |
---|---|---|---|
Ivanti Neurons for ITSM (on-prem only) | 2023.4 | 2023.4 May 2025 Security Patch | Download Available in ILS |
Ivanti Neurons for ITSM (on-prem only) | 2024.2 | 2024.2 May 2025 Security Patch | Download Available in ILS |
Ivanti Neurons for ITSM (on-prem only) | 2024.3 | 2024.3 May 2025 Security Patch | Download Available in ILS |
Environmental Risk Assessment
While the base CVSS score indicates critical severity, Ivanti has provided an environmental score of 6.9 (Medium) for organizations that have implemented recommended security configurations. This adjusted score applies to environments where the ITSM instance is only accessible to high-privileged users through network restrictions or other security controls.
No Evidence of Active Exploitation
Ivanti has confirmed that no active exploitation of this vulnerability has been detected at the time of disclosure. The flaw was identified through Ivanti’s responsible disclosure program.
Recent Security Issues
This vulnerability follows a series of security concerns affecting Ivanti products in the past year. In April 2025, Ivanti disclosed a critical vulnerability in its Connect Secure VPN appliances (CVE-2025-22457), which was actively exploited by suspected China-nexus threat actors.