An authentication bypass in Ivanti Neurons for ITSM (on-prem only) before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative access to the system.
A product requires authentication, but the product has an alternate path or channel that does not require authentication.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Neurons_for_itsm | Ivanti | * | 2023.4 (excluding) |
Neurons_for_itsm | Ivanti | 2023.4 (including) | 2023.4 (including) |
Neurons_for_itsm | Ivanti | 2024.2 (including) | 2024.2 (including) |
Neurons_for_itsm | Ivanti | 2024.3 (including) | 2024.3 (including) |