CVE-2026-9614: Ivanti Neurons for ITSM Privilege Escalation Vulnerability (CVSS 8.8)
Ivanti Neurons for ITSM contains an access control flaw that lets a logged-in user escalate their privileges to admin level. This affects both cloud and on-premises deployments. An attacker who already has valid credentials can exploit this to gain full administrative control without needing to bypass additional authentication steps.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-284
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9614 is an Improper Access Control vulnerability (CWE-284) in Ivanti Neurons for ITSM affecting both cloud and on-premises variants. The vulnerability allows a remote authenticated attacker to escalate privileges to administrator level. The CVSS 3.1 score of 8.8 (HIGH) reflects a network-accessible vector with low attack complexity and no user interaction required post-authentication. The vulnerability results in complete compromise of confidentiality, integrity, and availability.
Business impact
Successful exploitation grants an attacker full administrative access to your Neurons for ITSM instance, enabling them to modify IT service configurations, access sensitive incident and change data, manipulate user accounts, and potentially disrupt critical IT operations. For organizations relying on ITSM for incident response and service delivery, this creates severe operational and compliance risk.
Affected systems
Ivanti Neurons for ITSM is affected in both deployment models: cloud-hosted instances and on-premises installations. Any organization running Neurons for ITSM should assess their instance versions and deployment method. The vulnerability requires an authenticated session, meaning it poses the greatest risk in environments with broad internal user access or where service accounts have wide distribution.
Exploitability
Exploitation requires valid user credentials to the Neurons for ITSM platform—the attacker cannot exploit this remotely without authentication. However, once authenticated, the privilege escalation path has low complexity and no user interaction requirement, making it trivial to execute for anyone with basic system access. This is particularly concerning in scenarios involving compromised user accounts, insider threats, or service account abuse.
Remediation
Apply security patches from Ivanti for Neurons for ITSM as they become available. Verify patch availability through the Ivanti security advisory portal and your instance's update channel. Additionally, implement network-level controls restricting access to Neurons for ITSM admin interfaces, enforce strong authentication (MFA where available), and audit user privilege assignments to remove unnecessary admin roles.
Patch guidance
Consult Ivanti's official security advisory for the specific patch versions addressing CVE-2026-9614 for your Neurons for ITSM deployment model (cloud vs. on-premises). Apply patches in a controlled manner following your change management process, prioritizing production instances. Verify patch application by confirming version numbers post-update and reviewing Ivanti's advisory checklist. Test in a non-production environment first if feasible.
Detection guidance
Monitor authentication logs for unusual privilege escalation attempts or role changes from standard user accounts to admin roles within Neurons for ITSM. Audit logs should be reviewed for suspicious admin activity shortly after user login events. Consider alerting on rapid role elevation patterns or admin actions by accounts not typically assigned administrative duties. Log aggregation and SIEM integration with your Ivanti instance can enhance detection of exploitation patterns.
Why prioritize this
This vulnerability merits immediate attention due to its HIGH CVSS score, complete system compromise potential, and the authenticated but low-complexity attack path. Organizations using Neurons for ITSM for critical IT service delivery should treat this as urgent. Prioritize based on: (1) whether your instance is internet-accessible, (2) the number of users with Neurons access, and (3) your organization's dependency on ITSM availability and data confidentiality.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects: Network-accessible attack vector (AV:N), low attack complexity (AC:L), requirement for prior authentication (PR:L), no user interaction after compromise (UI:N), unchanged scope (S:U), and complete impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The score indicates a serious vulnerability requiring rapid remediation, though the authenticated prerequisite prevents autonomous worm-like propagation.
Frequently asked questions
Can this vulnerability be exploited without any credentials?
No. CVE-2026-9614 requires a valid authenticated session to Neurons for ITSM. An attacker must have legitimate user credentials or compromised credentials to initiate the exploit. This means perimeter-level exposure is limited, but insider threats and credential compromise scenarios carry elevated risk.
Does this affect both cloud and on-premises Neurons for ITSM equally?
Yes, the vulnerability affects both deployment models. Cloud customers should coordinate with Ivanti for patch availability, as cloud instances may be patched by the vendor on a rolling basis. On-premises customers have more control over patching timelines but must actively apply updates.
What should I do immediately if I cannot patch right away?
Restrict network access to your Neurons for ITSM instance using firewall rules, limiting access to trusted internal networks and VPNs only. Enforce MFA if available. Audit and remove unnecessary administrative role assignments. Monitor admin activity logs for anomalous escalations. These controls reduce attack surface while patch deployment is arranged.
Is this vulnerability included in the CISA KEV catalog?
No, CVE-2026-9614 is not currently listed in the CISA Known Exploited Vulnerabilities catalog, meaning there is no evidence of active in-the-wild exploitation at this time. However, the HIGH severity and low exploitation complexity warrant proactive patching regardless of KEV status.
This analysis is provided for informational purposes and does not constitute legal or professional security advice. Organizations should verify all patch versions, CVSS scores, and vulnerability details directly from Ivanti's official security advisories before taking remediation actions. The vulnerability details and vendor advisory guidance may be updated; refer to the original CVE record and vendor disclosures for the most current information. SEC.co makes no warranty regarding the completeness or accuracy of detection signatures or remediation steps provided herein. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-22426HIGHAndroid ComputerEngine URI Escalation Privilege Vulnerability
- CVE-2026-32995HIGHRocket.Chat DDP Authentication Bypass Exposes All Private Messages
- CVE-2026-35277HIGHOracle REST Data Services Authorization Bypass
- CVE-2026-37235HIGHFlexRIC E42 Message Authentication Bypass – RIC Denial of Service
- CVE-2026-40715HIGHDell ThinOS 10 Privilege Escalation Vulnerability
- CVE-2026-45296HIGHOpenReplay Multi-Tenant Authorization Bypass – Session Data Exposure
- CVE-2026-45707HIGHn8n-MCP Multi-Tenant Privilege Escalation (CVSS 8.1 HIGH)
- CVE-2026-46818HIGHOracle E-Business Suite Payments File Transmission Vulnerability (CVSS 7.4)