
Ivanti warns of critical Neurons for ITSM auth bypass flaw

Ivanti has released security updates for its Neurons for ITSM IT service management solution that mitigate a critical authentication bypass vulnerability.

Tracked as CVE-2025-22462, the security flaw can let unauthenticated attackers gain administrative access to unpatched systems in low-complexity attacks, depending on system configuration.

As the company highlighted in a security advisory released today, organizations that followed its guidance are less exposed to attacks.

“Customers who have followed Ivanti’s guidance on securing the IIS website and restricted access to a limited number of IP addresses and domains have a reduced risk to their environment,” Ivanti said.

“Customers who have users log into the solution from outside their company network also have a reduced risk to their environment if they ensure that the solution is configured with a DMZ.”
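The guidance quoted above is to narrow which source addresses can reach the IIS site that fronts the on-prem ITSM instance. The fragment below is an added illustration of that idea using the standard IIS "IP and Domain Restrictions" module; it is not Ivanti's own configuration or a copy of its advisory, and the subnet and host addresses are constructed placeholders. It shows the permissive default beside an allowlist that denies everything not explicitly listed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not Ivanti's configuration. Requires the IIS
     "IP and Domain Restrictions" feature to be installed on the server.
     All addresses below are constructed placeholders. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Weak (default) posture: any source address may reach the site,
           so an unauthenticated request from the internet is not filtered
           before it reaches the application. -->
      <!-- <ipSecurity allowUnlisted="true" /> -->

      <!-- Hardened posture: deny every address that is not listed, then
           allow only the management subnet and a single admin host.
           denyAction="NotFound" returns 404 rather than 403 so the site
           does not confirm its presence to blocked clients. -->
      <ipSecurity allowUnlisted="false" denyAction="NotFound">
        <clear />
        <!-- Constructed example: internal management subnet -->
        <add ipAddress="10.0.20.0" subnetMask="255.255.255.0" allowed="true" />
        <!-- Constructed example: one jump host used by administrators -->
        <add ipAddress="10.0.30.15" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

Two checks worth making when applying something like this: the `ipSecurity` section is locked at the server level by default (`overrideModeDefault="Deny"` in applicationHost.config), so it must be unlocked or set at the site level in IIS Manager for a site-level web.config to take effect; and if the site sits behind a reverse proxy or load balancer, the filter sees the proxy's address rather than the client's, so the restriction must be enforced on the proxy instead.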

Ivanti added that CVE-2025-22462 only affects on-premises instances running versions 2023.4, 2024.2, 2024.3, and earlier, and said that it found no evidence that the vulnerability is being exploited to target customers.

| Product Name | Affected Version(s) | Resolved Version(s) |
|---|---|---|
| Ivanti Neurons for ITSM (on-prem only) | 2023.4, 2024.2, and 2024.3 | 2023.4 May 2025 Security Patch; 2024.2 May 2025 Security Patch; 2024.3 May 2025 Security Patch |

The company also urged customers today to patch a default credentials security flaw (CVE-2025-22460) in its Cloud Services Appliance (CSA) that can let local authenticated attackers escalate privileges on vulnerable systems.

While this vulnerability isn't exploited in the wild either, Ivanti warned that the patch may not be applied correctly after installing today's security updates and asked admins to reinstall from scratch or use these mitigation steps to ensure their network is protected from potential attacks.

“It has been identified that if a Cloud Services Application installation is upgraded to version 5.0.5, this fix is not automatically applied as intended. This will be addressed in a future release,” Ivanti said.

Last month, the company also patched a critical Connect Secure zero-day exploited by the UNC5221 China-linked espionage group in remote code execution attacks to deploy malware since at least mid-March 2025.


As CISA and the FBI warned in January, threat actors are still exploiting Ivanti Cloud Service Appliances (CSA) security vulnerabilities patched since September to breach vulnerable networks.

Over the past year, several other Ivanti security flaws have been exploited in zero-day attacks targeting the company's VPN appliances and ICS, IPS, and ZTA gateways.
