CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-22462

CVSS 9.8v3.1pub. 2025-05-13upd. 2025-07-16

An authentication bypass in Ivanti Neurons for ITSM (on-prem only) before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative access to the system.

🤖 AI Analysis
How it works

The vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and involves the ability to bypass authentication mechanisms through an alternative access path or communication channel not protected with adequate identity verification. An attacker can send a properly crafted network request without providing any credentials and gain access with administrator privileges. The attack is possible entirely remotely, over the network, without prior system access or user interaction.

Impact

An attacker gains full administrative access to the Ivanti Neurons for ITSM system, which can lead to takeover of the ITSM platform, disclosure or modification of sensitive data (including ticket data, configuration, user data), as well as further lateral movement in the organization's infrastructure.

Mitigation & patch

Apply the security patch from May 2025 as soon as possible for the appropriate product branch: 2023.4, 2024.2, or 2024.3. Detailed patch installation instructions are available in Ivanti's official security advisory at: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-on-premises-only-CVE-2025-22462. Until the patch is deployed, it is recommended to restrict access to the administrative interface only to trusted networks or VPN.

Who is affected

Ivanti Neurons for ITSM (on-premises deployments only) in versions prior to 2023.4, 2024.2, and 2024.3 without the security patch from May 2025 applied. SaaS (cloud) versions are not vulnerable.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Ivanti Neurons For Itsm

    APP
    Ivanti
    2023.42024.22024.3< 2023.4
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2024-7569CRITICAL9.6PL ✓ten sam produkt

Ujawnienie OIDC client secret w Ivanti Neurons for ITSM przez debug info

CVE-2023-46808CRITICAL9.9PL ✓ten sam produkt

Ivanti Neurons for ITSM — podatność file upload umożliwiająca zapis plików na serwerze

CVE-2024-7570HIGH8.3ten sam produkt

Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM Versions 2023.4 and earlier allows...

CVE-2024-22059HIGH8.8ten sam produkt

A SQL injection vulnerability in web component of Ivanti Neurons for ITSM allows a remote authenticated user t...

CVE-2024-22060MEDIUM4.9ten sam produkt

An unrestricted file upload vulnerability in web component of Ivanti Neurons for ITSM allows a remote, authent...