- Ivanti has released a patch for a critical-severity flaw in Neurons for ITSM
- The flaw can be abused to gain administrative rights on target systems
- There is no evidence of exploitation in the wild
Ivanti has patched a critical-severity vulnerability in its Neurons for ITSM IT service management solution and is urging customers to apply the fix and the recommended mitigations as soon as possible.
Neurons for ITSM is an AI-assisted IT service management platform used by IT departments at mid-sized companies to automate, streamline and manage services, incidents and IT support assets across their organizations.
The exact number of users is not known, but Ivanti says its portfolio serves tens of thousands of organizations, so it is safe to assume the attack surface is fairly large.
Low-complexity attacks
The vulnerability is tracked as CVE-2025-22462. NVD describes it as an authentication bypass in Neurons for ITSM in versions before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch. It affects on-premises instances only and allows a remote, unauthenticated threat actor to gain administrative access to the target system.
Ivanti says that, depending on the system configuration, the vulnerability can be exploited in low-complexity attacks. That does not appear to have happened yet: Ivanti states it has no evidence of in-the-wild exploitation so far.
Ivanti also noted that organizations that have followed its hardening guidance are less exposed to potential attacks.
“Customers who have followed Ivanti's guidance on securing the IIS website and restricted access to a limited number of IP addresses and domain names have a reduced risk to their environment,” the company said in an advisory. “Customers who have users log in to the solution from outside their company network also have a reduced risk to their environment if they ensure the solution is configured with a DMZ.”
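The IP allow-listing mitigation the advisory refers to is an IIS "IP Address and Domain Restrictions" rule set on the site that fronts Neurons for ITSM. The following PowerShell is an added example written for this article, not Ivanti's own script; the site name and the address ranges are placeholders you would replace with the ITSM site and your real management and VPN ranges. It sets the default from "allow everyone" to "deny unless listed" and then adds the permitted sources.

```powershell
# Added example (not from Ivanti's advisory): restrict the IIS site hosting
# Neurons for ITSM to an explicit allow-list of source addresses.
# Run in an elevated PowerShell session on the ITSM web server.
Import-Module WebAdministration

$SiteName    = 'Default Web Site'   # assumption: replace with the actual ITSM site name
$AllowedNets = @(                   # constructed sample ranges; replace with your own
    @{ ipAddress = '10.20.0.0';  subnetMask = '255.255.0.0' },      # corporate LAN
    @{ ipAddress = '192.0.2.10'; subnetMask = '255.255.255.255' }   # VPN / DMZ reverse proxy
)

# The ipSecurity section only takes effect when the IP and Domain Restrictions
# role service is installed.
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Install-WindowsFeature Web-IP-Security | Out-Null
}

# ipSecurity is locked for web.config by default, so write it as a <location>
# entry in applicationHost.config instead of into the site's web.config.
$Filter = 'system.webServer/security/ipSecurity'
$PSPath = 'MACHINE/WEBROOT/APPHOST'

# Start from a clean site-level section so the list below is authoritative.
Clear-WebConfiguration -PSPath $PSPath -Location $SiteName -Filter $Filter

# Weak default: allowUnlisted=true lets any source address reach the login page.
# Hardened: deny everything that is not explicitly listed.
Set-WebConfigurationProperty -PSPath $PSPath -Location $SiteName -Filter $Filter `
    -Name 'allowUnlisted' -Value $false

foreach ($net in $AllowedNets) {
    Add-WebConfigurationProperty -PSPath $PSPath -Location $SiteName -Filter $Filter `
        -Name '.' -Value @{ ipAddress = $net.ipAddress; subnetMask = $net.subnetMask; allowed = 'True' }
}

# Verify the effective rules for the site before leaving the session.
Get-WebConfigurationProperty -PSPath $PSPath -Location $SiteName -Filter $Filter -Name 'allowUnlisted'
Get-WebConfiguration -PSPath $PSPath -Location $SiteName -Filter "$Filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

Test the result from a host outside the allow-list: IIS should return HTTP 403 before the ITSM login page is ever served. Note that if users reach the site through a load balancer or reverse proxy, the rule sees the proxy's address, so the allow-list must name the proxy and the proxy itself must enforce the client-side restriction.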
This is the second major vulnerability Ivanti has patched this week, after addressing a critical-severity flaw in its Endpoint Manager Mobile (EPMM) software.
Via BleepingComputer