CVE-2026-9614 (HIGH), CNA: ivanti

CVE-2026-9614: An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access


Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 2025.2 Patch 1
Affected Products: 2


HarborGuard Analysis

Synopsis

An improper access control vulnerability in Ivanti Neurons for ITSM (both cloud and on-premises deployments) allows a remote authenticated attacker to escalate their privileges to administrative level. The service is exposed over the network and requires only a low-privilege account to exploit, with no victim interaction needed (CVSS 8.8, HIGH). Successful exploitation gives the attacker full administrative control over the ITSM instance, enabling read, write, and denial-of-service actions against the platform. Patched-image rebuilds at the fixed versions (2025.2 Patch 1, 2025.3 Patch 1, 2025.4 Patch 1, 2026.1 Patch 9, and 2026.2 Patch 1) are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-9614 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that package Ivanti Neurons for ITSM components.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 8.8 (HIGH) and weighting findings against each customer environment's compliance policy, then routing alerts to the appropriate team inbox within the customer organization.

Patch: Available

A patched-image rebuild at each of the five fix versions (2025.2 Patch 1, 2025.3 Patch 1, 2025.4 Patch 1, 2026.1 Patch 9, 2026.2 Patch 1) is available on HarborGuard for affected environments. For customers who opt into auto-remediation, HarborGuard can run a rebuild alongside a regression test suite and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Ivanti Neurons for ITSM service over the network (AV:N), meaning any internet- or intranet-exposed deployment is in scope.

  • Authentication: Required

    The attacker must hold a valid low-privilege account on the ITSM instance (PR:L); anonymous access alone is not sufficient.

  • Victim interaction: Not required

    No action from a legitimate user or administrator is needed to trigger the vulnerability (UI:N).

  • Attack complexity: Low

    Exploitation is reliable and requires no special race conditions or environmental setup (AC:L); an attacker with a valid account can execute the privilege escalation consistently.

Blast Radius

  • The attacker gains administrative control over the ITSM instance, giving full read access to all tickets, user records, and configuration data stored in the platform.
  • With administrative write access, the attacker can modify or delete service records, workflows, and user account settings.
  • The attacker can create or elevate additional accounts, persisting access even after the initial vulnerability is remediated.
  • Administrative access enables disabling of integrations or core ITSM services, disrupting operations for teams dependent on the platform.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-9614 is active across connected registries and pipelines the moment the advisory is ingested, covering any image that bundles Ivanti Neurons for ITSM. Findings are scored at CVSS 8.8 (HIGH) and routed according to each customer environment's compliance policy. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild at one of the five patched versions, run regression tests, and open a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and test results are staged and surfaced in the remediation queue for engineer review. Organizations that cannot immediately apply a patch should consider restricting network access to the ITSM service to trusted IP ranges and auditing active user accounts for unexpected privilege changes while the patch is staged.


Fix available

2025.2 Patch 1, 2025.3 Patch 1, 2025.4 Patch 1, 2026.1 Patch 9, 2026.2 Patch 1
Affected packages
  • Ivanti / Neurons for ITSM (On-Premises)
    Fixed in 2025.4 Patch 1, 2025.3 Patch 1, 2025.2 Patch 1
  • Ivanti / Neurons for ITSM (Cloud)
    Fixed in 2026.1 Patch 9, 2026.2 Patch 1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H