Ivanti on Tuesday updated Neurons for ITSM to resolve two medium-severity vulnerabilities affecting both on-premises and cloud deployments.
The first bug, tracked as CVE-2026-4913 (CVSS score of 5.7), is described as the improper protection of an alternate path.
According to Ivanti, it could allow “a remote authenticated attacker to retain access when their account has been disabled”.
The second flaw, CVE-2026-4914 (CVSS score of 5.4), is described as a stored cross-site scripting (XSS) issue that can be abused remotely to obtain limited information from other user sessions.
Successful exploitation of the weakness requires authentication and user interaction, Ivanti notes in its advisory.
Both vulnerabilities were resolved in Ivanti Neurons for ITSM version 2025.4. Users are advised to update their deployments as soon as possible.
“No action is required for customers using the cloud solution as the fix was applied to all cloud environments on 12 December 2025,” Ivanti says.
The company says it is not aware of either of these vulnerabilities being exploited in the wild. No other Ivanti products are affected.
On Tuesday, Ivanti also updated its advisory on CVE-2025-26465 and CVE-2025-26466, two OpenSSH flaws disclosed in February 2026. Ivanti EPMM, Sentry and Connector are not affected by the two bugs, but an updated OpenSSH version will be included in future releases, the company says.
Related: Organizations Warned of Exploited Windows, Adobe Acrobat Vulnerabilities
Related: SAP Patches Critical ABAP Vulnerability
Related: Fortinet, Ivanti, Intel Patch High-Severity Vulnerabilities
Related: Juniper Networks Patches Dozens of Junos OS Vulnerabilities
