Critical authentication bypass vulnerability reported in Ivanti Neurons for ITSM
Take action: If you're running on-premises Ivanti Neurons for ITSM versions 2023.4, 2024.2, 2024.3 or earlier, prioritize patching it with the May 2025 Security Patch. As a mitigating measure, ensure your IIS website has restricted access to specific IP addresses and domain names, and implement a DMZ configuration if users access the solution from outside your company network.
Ivanti has released security updates to address a critical authentication bypass vulnerability affecting its Neurons for ITSM (IT Service Management) solution.
- CVE-2025-22462 (CVSS score 9.8, Critical) - Authentication Bypass in Ivanti Neurons for ITSM. When successfully exploited, this flaw could allow unauthenticated remote attackers to gain administrative access to vulnerable systems.
The vulnerability impacts on-premises instances of Ivanti Neurons for ITSM running versions 2023.4, 2024.2, 2024.3, and earlier. Cloud-based deployments are not affected by this security issue.
The company has confirmed that there is no evidence of active exploitation of this vulnerability at the time of disclosure.
Organizations that have followed Ivanti's guidance on securing the IIS website and restricting access to a limited number of IP addresses and domain names have substantially reduced exposure to this vulnerability. Additionally, customers who have configured their solution with a DMZ for external user access also face lower risk.
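One way to check the IP-restriction mitigation described above, as an added example that is not from Ivanti's guidance or the original article: it audits an IIS configuration in applicationHost.config layout and reports sites that are not allow-listed. The site names, addresses and domain are constructed placeholders; `ipSecurity`, `allowUnlisted` and `enableReverseDns` are the standard IIS setting names.

```python
import xml.etree.ElementTree as ET

# Constructed sample in applicationHost.config layout; site names are placeholders.
SAMPLE_CONFIG = """<configuration>
  <location path="ITSM-Site-Placeholder">
    <system.webServer><security>
      <ipSecurity allowUnlisted="false" enableReverseDns="true">
        <add ipAddress="10.20.0.0" subnetMask="255.255.0.0" allowed="true" />
        <add domainName="helpdesk.example.internal" allowed="true" />
      </ipSecurity>
    </security></system.webServer>
  </location>
  <location path="Open-Site-Placeholder">
    <system.webServer><security>
      <ipSecurity><add ipAddress="203.0.113.7" allowed="false" /></ipSecurity>
    </security></system.webServer>
  </location>
  <location path="No-Rules-Placeholder"><system.webServer /></location>
</configuration>"""


def audit_ip_restrictions(config_xml):
    """Return {site: [findings]}; an empty list means the site is allow-listed."""
    results = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        findings = []
        sec = next(loc.iter("ipSecurity"), None)
        if sec is None:
            findings.append("no ipSecurity section: reachable from any address")
        else:
            # IIS defaults allowUnlisted to true, so a missing attribute means open.
            if sec.get("allowUnlisted", "true").lower() != "false":
                findings.append("allowUnlisted is not false: unlisted clients admitted")
            allows = [a for a in sec.findall("add") if a.get("allowed", "").lower() == "true"]
            if not allows:
                findings.append("no allow entries defined")
            # Domain-name entries are only evaluated when reverse DNS is enabled.
            needs_dns = any(a.get("domainName") for a in allows)
            if needs_dns and sec.get("enableReverseDns", "false").lower() != "true":
                findings.append("domainName entry present but enableReverseDns is off")
        results[loc.get("path")] = findings
    return results


if __name__ == "__main__":
    for site, findings in audit_ip_restrictions(SAMPLE_CONFIG).items():
        print(site, "->", findings or "OK")
```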
Ivanti has released security patches to address this vulnerability. Affected customers should install one of the following updates:
- 2023.4 May 2025 Security Patch
- 2024.2 May 2025 Security Patch
- 2024.3 May 2025 Security Patch
These patches are available for download through the Ivanti Licensing System (ILS). Detailed installation instructions are provided in the documentation accompanying the download files.