# Ivanti Neurons for ITSM: Critical Vulnerabilities Exposed Account Persistence and Cross-Session Data Access


Ivanti has patched two significant vulnerabilities in its Neurons for ITSM platform that could allow attackers to maintain unauthorized access even after their accounts have been disabled and to intercept sensitive information from other user sessions. The flaws, disclosed by the vendor, underscore ongoing security challenges in enterprise IT service management platforms that serve as central repositories for organizational infrastructure data.


## The Threat


The two vulnerabilities in Ivanti Neurons for ITSM represent distinct but equally troubling attack vectors. The first vulnerability allows a remote attacker to bypass account deactivation controls—a fundamental security mechanism designed to prevent terminated employees, revoked service accounts, or compromised users from accessing sensitive systems. The second vulnerability enables attackers to view or extract data from other user sessions, raising concerns about data isolation and session management within the platform.


Key Risk Factors:

  • Post-Termination Persistence: Attackers could maintain access to ITSM data after accounts should have been revoked
  • Cross-Session Data Leakage: Information from other authenticated users could be exposed to unauthorized parties
  • Remote Exploitation: Both flaws require only network access—no physical access, local authentication, or user interaction needed

    • ## Background: Understanding Ivanti Neurons and ITSM


    Ivanti Neurons for ITSM is an enterprise-grade IT service management platform used by organizations worldwide to manage IT operations, service desk functions, asset management, and IT service continuity. The platform serves as a centralized hub for managing incidents, changes, problems, and organizational assets—making it a high-value target for attackers seeking operational disruption or intelligence gathering.


    Why ITSM Platforms Matter to Security:

  • Contain detailed information about infrastructure, applications, and network topology
  • Include access credentials and API keys for downstream systems
  • Store change logs and historical data useful for reconnaissance
  • Manage service levels and operational criticality data
  • Often integrated with identity management and authentication systems

    • ITSM platform compromises can provide attackers with a springboard for lateral movement across enterprise environments, making the security of these platforms critical to overall organizational resilience.


    ## Technical Details


    ### Vulnerability #1: Account Persistence After Deactivation


    This vulnerability appears to stem from incomplete session invalidation or improper handling of authentication state after account termination. When an administrator disables or removes a user account, the system may not properly revoke existing authentication tokens or sessions associated with that account.


    Exploitation Scenario:

    1. An attacker gains credentials for an ITSM user account through phishing, social engineering, or credential harvesting

    2. They establish an authenticated session and maintain a persistent connection

    3. The account owner or administrator discovers the compromise and immediately disables the account

    4. The attacker's session remains valid despite the account being disabled

    5. The attacker continues accessing ITSM data indefinitely


    This is a critical flaw because it violates the fundamental expectation that account termination immediately revokes access.


    ### Vulnerability #2: Cross-Session Information Disclosure


    The second vulnerability involves improper data isolation between user sessions. Rather than strictly segregating data and operations based on the authenticated user's permissions, the system may leak information from other concurrent sessions.


    Exploitation Scenario:

    1. A legitimate user logs into the ITSM platform and views sensitive incident data

    2. An attacker in a different session exploits the vulnerability to access the legitimate user's session data

    3. Information such as incident details, change requests, asset data, or customer information becomes visible across session boundaries


    ## Who Is Affected


    Organizations using Ivanti Neurons for ITSM should be considered at immediate risk, particularly:

  • Enterprise IT departments managing critical infrastructure through the platform
  • Managed Service Providers (MSPs) offering ITSM services to multiple customers
  • Financial institutions relying on ITSM for operational continuity
  • Healthcare organizations using the platform for IT operations
  • Government agencies managing IT infrastructure

    • The platform's use as a central operational hub means that compromise could have cascading effects across dependent systems and services.


    ## Patching and Mitigation


    Ivanti has released patches for both vulnerabilities, though patch availability and version coverage may vary. Organizations should:


    Immediate Actions:

  • Check Ivanti's security advisories for affected versions
  • Prioritize patching based on risk classification
  • Review change logs for suspicious account activity
  • Validate all active sessions and disable any unauthorized connections

    • Remediation Measures:

  • Apply patches from Ivanti as soon as possible
  • Implement network segmentation to limit ITSM platform access
  • Enable multi-factor authentication (MFA) for all ITSM accounts
  • Force re-authentication for sensitive operations
  • Monitor session activity for anomalies

    • ## Implications for Organizations


    These vulnerabilities expose a broader supply chain risk: enterprise platforms used for critical operational management functions may contain security flaws that undermine fundamental access control mechanisms.


    Operational Risk:

  • Unauthorized Access: Attackers maintaining persistent access to IT operations data
  • Intelligence Gathering: Detailed information about infrastructure, applications, and security posture
  • Lateral Movement: Using ITSM data to identify and target additional systems
  • Compliance Violations: Data exposure may trigger regulatory obligations (SOC 2, HIPAA, PCI-DSS)

    • Business Impact:

  • Potential downtime from discovered breaches requiring investigation
  • Data breach notification costs if customer information was exposed
  • Damage to customer trust and vendor relationships
  • Regulatory fines for inadequate access controls

    • ## Recommendations


    ### For ITSM Administrators


    1. Inventory your deployment: Document all instances of Ivanti Neurons for ITSM and their versions

    2. Establish patch timeline: Plan rollout based on risk classification and business impact

    3. Test patches in staging: Validate patches in non-production environments before production deployment

    4. Monitor session activity: Implement logging for user sessions and access patterns

    5. Audit account status: Review disabled and terminated accounts to ensure no orphaned sessions remain


    ### For Security Teams


    1. Assume breach: Investigate whether disabled accounts were actually logged out

    2. Review access logs: Search for session activity from terminated or disabled accounts

    3. Verify data isolation: Confirm that user sessions are properly segregated

    4. Implement compensating controls: Network-level access restrictions if patches are delayed

    5. Threat hunt: Search for indicators of exploitation in ITSM logs and network traffic


    ### For DevOps and Infrastructure Teams


    1. Review dependencies: Identify systems and processes relying on ITSM data

    2. Plan downtime: Schedule patching during maintenance windows if possible

    3. Document recovery: Maintain procedures for restoring ITSM functionality if compromise is detected

    4. Update access credentials: Rotate any credentials exposed within ITSM if breach suspected

    5. Validate integrations: Test integrations with dependent systems post-patch


    ## Looking Forward


    These vulnerabilities highlight the importance of rigorous security testing in enterprise platform software, particularly for systems managing critical operational infrastructure. Organizations should consider security maturity when selecting ITSM vendors and should advocate for security-first development practices.


    As ITSM platforms become increasingly central to IT operations, the consequences of their compromise grow proportionally. Rapid patching, network segmentation, and comprehensive monitoring are not optional—they are baseline requirements for organizations depending on these systems.


    ---


    Severity Classification: HIGH — Remote, unauthenticated exploitation potential combined with access to sensitive operational data