- Ivanti released a patch for a critical-severity vulnerability in Neurons for ITSM
- The flaw can be abused to obtain administrator rights on target systems
- There is no evidence of exploitation in the wild
Ivanti has fixed a critical-severity vulnerability in its Neurons for ITSM IT service management solution, and urges users to apply the fix and mitigate the risk as soon as possible.
Neurons for ITSM is an AI-powered IT service management platform used by IT departments in enterprise environments to automate, streamline and manage IT support services, incidents and assets across their organizations.
The exact number of users is unknown, but Ivanti says it serves tens of thousands of organizations with its portfolio, so it is prudent to assume the attack surface is relatively large.
Low-complexity attacks
The vulnerability in question is tracked as CVE-2025-22462. NVD describes it as an authentication bypass in Neurons for ITSM in versions before 2023.4, 2024.2 and 2024.3 with the May 2025 security patch. It only affects on-premises instances and allows an unauthenticated threat actor to obtain administrative rights on the target system.
The company says that, depending on the system configuration, the vulnerability can be exploited in low-complexity attacks. However, this does not yet appear to have happened, as Ivanti states there is no evidence of exploitation in the wild so far.
Ivanti also noted that organizations that have followed its guidance are less exposed to potential attacks.
“Customers who have followed Ivanti’s guidance on securing the IIS website and restricted access to a limited number of IP addresses and domain names have a reduced risk to their environment,” the company said in an advisory. “Customers who have users connect to the solution from outside their corporate network also have a reduced risk to their environment if they ensure the solution is configured with a DMZ.”
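Ivanti's hardening guide itself is not reproduced here. As an added illustration (not Ivanti's configuration or guidance), the following web.config fragment shows how an IIS site can be restricted to an allowlist of client addresses with the built-in IP and Domain Restrictions feature, which is the kind of control the advisory refers to. The address ranges are constructed placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from Ivanti. web.config for an IIS site.
     Requires the "IP and Domain Restrictions" role service, and the
     system.webServer/security/ipSecurity section must be unlocked for
     delegation in applicationHost.config (overrideModeDefault="Allow"). -->
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted="false": every client not explicitly allowed is denied.
           denyAction="NotFound404" returns a 404 instead of a 403 so the
           site's existence is not confirmed to unlisted clients. -->
      <ipSecurity allowUnlisted="false" denyAction="NotFound404" enableReverseDns="false">
        <!-- Constructed placeholder ranges: corporate LAN and a VPN pool -->
        <add ipAddress="10.10.0.0" subnetMask="255.255.0.0" allowed="true" />
        <add ipAddress="192.168.50.0" subnetMask="255.255.255.0" allowed="true" />
        <!-- Constructed placeholder: a single management host -->
        <add ipAddress="10.20.30.40" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

Two practical checks: after applying the config, request the site from an address that is not listed and confirm the deny response is returned and logged, and remember that clients behind a shared proxy or NAT all present the same source address, so the allowlist is only as granular as the network in front of the server. Domain-name entries (`<add domainName="..." allowed="true" />`) are also supported but need `enableReverseDns="true"`, which adds a DNS lookup per request.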
This is the second major vulnerability Ivanti has fixed this week, after addressing a critical-severity bug in its Endpoint Manager Mobile (EPMM) software.
Via BleepingComputer