👤 NEURALSHIELD
🗓️ 15 Apr 2026  

Ivanti’s ITSM Under the Microscope: How Two Overlooked Bugs Could Have Let Attackers Linger

Medium-severity vulnerabilities in Ivanti Neurons for ITSM quietly patched - here’s what you need to know before the next breach hits.

It started as a routine Tuesday for Ivanti customers until a quiet advisory revealed two vulnerabilities that could have given cybercriminals a foothold - long after IT thought they’d locked the doors. With the patch already pushed to cloud users and on-premises admins rushing to update, the episode raises questions about how easily attackers can slip through the cracks in even the most trusted IT management systems.

Ivanti, a heavyweight in IT service management, has quietly patched two vulnerabilities that - while not headline-grabbing in their severity - could have enabled remote attackers to persist in environments thought to be secured. The first flaw, CVE-2026-4913, is deceptively simple: an “improper protection of an alternate path” bug that lets a remote, authenticated attacker retain access even after their account is disabled. In short, an insider or compromised account could outstay its welcome, evading standard offboarding procedures.
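The article describes CVE-2026-4913 as an "improper protection of an alternate path" that lets a disabled account keep its access. As an added illustration of that bug class (constructed toy code, not Ivanti's), the block below shows a request path that trusts a session token without re-checking account status, beside a hardened version that revokes sessions on disable and re-validates on every request, plus a check over constructed audit lines that flags the post-disable activity a defender would hunt for. All names, tokens and log lines are made up for the example.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class AuthService:
    """Toy ITSM login service, constructed for illustration (not Ivanti's code)."""
    enabled: dict = field(default_factory=dict)   # username -> bool
    sessions: dict = field(default_factory=dict)  # token -> username
    def login(self, username):
        # Primary path checks account status, but only once, at login time.
        if not self.enabled.get(username):
            raise PermissionError("account disabled or unknown")
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token
    def disable_vulnerable(self, username):
        # Flips the flag but leaves existing sessions untouched.
        self.enabled[username] = False
    def authorize_vulnerable(self, token):
        # Alternate path (e.g. an API call) trusts the token alone and never re-checks status.
        return token in self.sessions
    def disable_hardened(self, username):
        # Disable AND revoke every live session, so no path can reuse them.
        self.enabled[username] = False
        self.sessions = {t: u for t, u in self.sessions.items() if u != username}
    def authorize_hardened(self, token):
        # Defence in depth: every request re-validates the account behind the token.
        username = self.sessions.get(token)
        return username is not None and self.enabled.get(username, False)

# Constructed audit lines: "<ISO-8601 UTC timestamp> user=<name> action=<what>".
SAMPLE_AUDIT = [
    "2025-12-10T08:55:00Z user=jdoe action=ticket.view",
    "2025-12-10T09:15:00Z user=jdoe action=ticket.update",
    "2025-12-10T09:20:00Z user=asmith action=ticket.view",
]
DISABLED_AT = {"jdoe": "2025-12-10T09:00:00Z"}  # constructed offboarding record

def post_disable_activity(audit_lines=SAMPLE_AUDIT, disabled_at=DISABLED_AT):
    """Return (user, ts, action) for actions by an account after its disable time."""
    # Zulu ISO-8601 strings sort lexicographically, so plain string comparison is safe.
    hits = []
    for line in audit_lines:
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        user = kv.get("user")
        if user in disabled_at and ts > disabled_at[user]:
            hits.append((user, ts, kv.get("action")))
    return hits
```

Running `post_disable_activity()` on the constructed lines flags only jdoe's 09:15 update, the kind of entry that should be impossible once an account is disabled.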

The second vulnerability, CVE-2026-4914, is a classic stored cross-site scripting (XSS) issue. Exploitable only by authenticated users and requiring some interaction, it might sound limited - but in the wrong hands it could allow one user to siphon session data from another, potentially exposing sensitive information within enterprise environments. Both bugs were fixed in Ivanti Neurons for ITSM version 2025.4, and while the company says there’s no sign of exploitation in the wild, the potential for stealthy persistence and lateral movement is real.

For cloud customers, Ivanti took swift action, applying the fix across all environments by December 12, 2025. On-premises users, however, must act proactively to secure their deployments - a familiar split in the era of hybrid IT. The company's transparency offers some reassurance, but also highlights the ongoing cat-and-mouse game between software vendors and threat actors.

Notably, Ivanti clarified that other high-profile vulnerabilities - such as the OpenSSH bugs disclosed earlier this year - do not affect its core products, although updated versions are promised in future releases. This layered approach to patching underscores the complexity of modern IT estates, where even “medium” vulnerabilities can cascade into significant breaches when overlooked.

With no evidence of active exploitation, this incident may fade from the headlines. But for security teams, it’s a timely reminder: in the world of ITSM, even moderate flaws can open the door to persistent threats. Vigilance, rapid patching, and a healthy skepticism are still the best defense against the next silent breach.

WIKICROOK

  • CVE: CVE, or Common Vulnerabilities and Exposures, is a system for uniquely identifying and tracking publicly known cybersecurity flaws in software and hardware.
  • XSS: XSS is a web vulnerability where attackers inject malicious scripts into webpages, risking user data and security. Proper input validation helps prevent it.
  • Persistence: Persistence involves techniques used by malware to survive reboots and stay hidden on systems, often by mimicking legitimate processes or updates.
  • Authentication: Authentication is the process of verifying a user's identity before allowing access to systems or data, using methods like passwords or biometrics.

NEURALSHIELD, AI System Protection Engineer