Two newly disclosed vulnerabilities in Ivanti Neurons for IT Service Management (CVE-2026-4913 and CVE-2026-4914) could allow authenticated attackers to persist in user sessions or inject stored XSS payloads that expose session data. Ivanti applied cloud fixes on December 12, 2025 and released a patched version, 2025.4, for all customers; on-premises users must update via the Ivanti License System. #IvantiNeurons #CVE-2026-4913_4914
Key points
- CVE-2026-4913 allows authenticated attackers to retain access after account deactivation via an alternate path.
- CVE-2026-4914 is a stored cross-site scripting flaw that can expose limited session data when users interact with the injected content.
- Both vulnerabilities affect Ivanti Neurons for ITSM versions 2025.3 and earlier in cloud and on-premises deployments.
- Ivanti automatically patched cloud environments on December 12, 2025 and included fixes in version 2025.4.
- On-premises customers must update to 2025.4 through the Ivanti License System and can seek help via the Success Portal.
Read More: https://thecyberexpress.com/itsm-vulnerabilities-ivanti/