01 · The Real Story
This is a master key hidden behind the employee badge reader, not a crowbar at the front door
CVE-2026-9614 is an authorization failure in Ivanti Neurons for ITSM that lets a remote authenticated low-privilege user reach admin-only functionality and end up with administrative access. Authoritative version data shows the affected ranges are On-Premises default-affected until 2025.2 Patch 1 / 2025.3 Patch 1 / 2025.4 Patch 1 and Cloud default-affected until 2026.1 Patch 9 / 2026.2 Patch 1. Ivanti’s SaaS service was already remediated on May 24–25, 2026, so the remaining customer-owned risk is mainly on on-prem deployments.
The vendor’s 8.8 HIGH score is technically understandable because the end state is full admin inside the ITSM app, but it overstates fleet-wide urgency. The biggest real-world friction is PR:L: the attacker needs a valid account first, which means theft of employee/helpdesk credentials, insider abuse, or an earlier compromise stage. That changes this from an internet-first breach path into a post-auth privilege escalation, and the very low EPSS 0.00363 plus no KEV / no reported exploitation pushes it down another notch.
"Serious inside the app, but not an edge-fire: this needs creds first and Ivanti already fixed SaaS."
02 · The Attack Path
4 steps from start to impact.
STEP 01
Get any working ITSM login
The attacker first needs a valid low-privilege account in the target Ivanti ITSM tenant or on-prem instance. In practice this is usually obtained with stolen employee credentials, contractor access, a dormant service desk account, or an already-compromised SSO session. Tooling here is boring, not exotic: Evilginx, commodity phishing kits, password spraying against upstream IdP, or simple insider misuse all work better than CVE-specific exploit code.
Conditions required:
- Valid authenticated access to the target ITSM environment
- User account is allowed to reach the application at all
- If SSO-backed, attacker also needs a valid IdP session or successful MFA completion
Where this breaks in practice:
- MFA, conditional access, and IdP logging can stop or expose this before the CVE is touched
- Many ITSM consoles are internal-only, VPN-gated, or reverse-proxied rather than broadly internet-exposed
- This prerequisite already implies post-initial-access or insider position
Detection/coverage: Identity tooling sees this better than vuln scanners do: Entra/Okta sign-in anomalies, impossible travel, new device login, password-spray detections, and VPN auth logs are your early signal.
STEP 02
Map admin-only requests
Once logged in, the attacker probes the web app to identify admin workflows whose authorization checks are weak or missing. Typical tooling is Burp Suite Repeater/Intruder, browser dev tools, or
curl to replay authenticated requests and compare normal-user versus admin-only endpoints. No public PoC was found, so exploitation currently looks like manual request tampering rather than turnkey automation.Conditions required:
- Authenticated session cookie or bearer token
- Reachability to the ITSM web interface
- Knowledge of or ability to discover privileged endpoints
Where this breaks in practice:
- Lack of public PoC means operators must do their own app recon
- Tenant customizations and role models can change reachable workflows
- App-layer logging may record failed attempts or unusual endpoint access
Detection/coverage: DAST and generic authenticated web scanners may miss business-logic authz flaws. Web logs, reverse proxy telemetry, and unusual access to admin paths by low-priv roles are more useful.
STEP 03
Replay crafted authorized-looking requests
The exploit itself is the authorization bypass: the attacker sends crafted authenticated requests that the server mishandles as if the caller were an administrator. Think Burp Repeater or
Invoke-WebRequest/curl, not shellcode. If successful, the user crosses from ordinary role scope into effective ITSM admin control.Conditions required:
- The target instance is on a vulnerable build
- The attacker can hit the specific vulnerable workflow or API path
- Server-side authorization is not correctly revalidated
Where this breaks in practice:
- Patched SaaS tenants are already out of scope
- Only on-prem customers that have not moved to the fixed patch trains remain customer-actionable
- Perimeter controls do not matter much if the app is only internally reachable
Detection/coverage: Most network IDS signatures will be weak because the traffic is authenticated HTTPS that resembles normal app use. Application audit logs showing privilege changes, role edits, or admin API use by non-admin principals are the key detection surface.
STEP 04
Turn app admin into operational leverage
With admin in ITSM, the attacker can create persistence inside the platform, alter roles, change workflows and approvals, tamper tickets, read sensitive service data, or abuse integrations. Tooling shifts to the product UI, its APIs, and any downstream connectors the platform holds. The blast radius is significant inside the service-management ecosystem, but it is still bounded by where ITSM is integrated and what that admin role actually controls.
Conditions required:
- Successful privilege escalation inside Ivanti ITSM
- Admin role is allowed to manage integrations, workflows, or users
- Sensitive data or automations actually live in this platform
Where this breaks in practice:
- ITSM admin is powerful but not automatically domain admin or hypervisor admin
- Well-segmented integrations and secret vaulting can limit follow-on damage
- Change records and audit trails can expose tampering after the fact
Detection/coverage: Monitor admin-role assignment events, new integration keys, workflow edits, approval policy changes, and bulk ticket or asset modifications. SIEM correlation on 'new admin by low-priv user' is the high-value rule.
03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | No public exploitation reported at disclosure; Ivanti said on 2026-06-01 it was not aware of customers being exploited, and the CVE is not in CISA KEV. |
|---|---|
| Proof-of-concept availability | No public PoC located in reviewed open sources as of 2026-06-03; CERT Santé explicitly notes no open-source PoC. |
| EPSS | 0.00363 (~0.36% 30-day exploitation probability), which is a *very low* threat-likelihood signal and aligns with the absence of KEV/exploitation evidence. |
| KEV status | No. Searches against the CISA KEV catalog do not show CVE-2026-9614. |
| CVSS vector reality check | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H means the vendor bakes in authenticated remote access with low privileges required. That is the whole downgrade case: PR:L is a real attacker-position tax. |
| Affected versions | On-Prem: default-affected until 2025.2 Patch 1, 2025.3 Patch 1, 2025.4 Patch 1. Cloud: default-affected until 2026.1 Patch 9 and 2026.2 Patch 1. |
| Fixed versions | On-Prem fixes: 2025.2 Patch 1, 2025.3 Patch 1, 2025.4 Patch 1. Cloud fixes: 2026.1 Patch 9, 2026.2 Patch 1; Ivanti says SaaS remediation was already deployed on 2026-05-24 and 2026-05-25. |
| Exposure / scanning reality | I did not find reliable public GreyNoise/Shodan/Censys telemetry for this exact CVE or a stable internet fingerprint in reviewed sources. That makes this an internal asset-inventory problem, not a 'count open hosts on Shodan' problem; runZero recommends product-based discovery such as product:"Ivanti Neurons" for this family. |
| Disclosure timeline | Reserved 2026-05-26; published by Ivanti/CVE on 2026-06-01; NVD published 2026-06-01 and remains Awaiting Analysis. |
| Reporter / attribution | No external researcher is named in the reviewed sources. The CNA/assigner is Ivanti and the discovery source in the CVE record is unknown. |
04 · The Call
noisgate verdict.
Final Verdict
↓ DOWNGRADED to MEDIUM (6.4/10)
The decisive factor is attacker position: this bug starts at authenticated remote, not unauthenticated remote, which means the exploit chain already assumes valid user access or prior compromise. The remaining exposed population is also narrower than the label suggests because Ivanti already remediated the cloud service and customer action is concentrated in on-prem estates.
HIGH Version/fix boundaries and cloud-vs-on-prem scope
MEDIUM Real-world exposure assumptions for enterprise deployments
MEDIUM Absence of public PoC and exploitation evidence as of 2026-06-03
Why this verdict
- Start from 8.8, then tax
PR:Lhard — a low-priv authenticated bug is already post-login. In enterprise reality that means stolen user creds, insider misuse, or earlier foothold, so I pull the score down materially from the vendor baseline. - Most of the cloud population is already gone — Ivanti states SaaS remediation landed on May 24–25, 2026. That collapses the reachable population to customers still running vulnerable on-prem builds.
- No exploitation pressure is visible — EPSS 0.00363, no KEV, and no public PoC all argue against urgent attacker demand right now.
Why not higher?
If this were unauthenticated or broadly proven internet-exploitable with active campaigns, it would stay HIGH or go higher because admin inside an ITSM platform can be ugly. But the need for valid credentials is not a footnote; it is the main real-world gate, and the cloud estate has already been centrally fixed.
Why not lower?
Once exploited, the attacker can become ITSM admin, which is enough to tamper workflows, approvals, users, integrations, and sensitive ticketing data. That is too much operational leverage to treat as LOW or backlog-only hygiene, especially in shops where ITSM is tied to identity, automation, or change-control systems.
05 · Compensating Control
What to do — in priority order.
- Constrain who can log in — Reduce the population that can even reach the vulnerable code path: restrict ITSM access to named groups, VPN, managed devices, and conditional-access compliant sessions. For a MEDIUM verdict there is no noisgate mitigation SLA; deploy this now as hygiene while you schedule patching inside the 365-day remediation window.
- Review low-priv role grants — Audit self-service, analyst, contractor, and dormant accounts for unnecessary access to admin-adjacent modules and APIs. Ivanti-linked guidance reviewed by CERT Santé also points to role/permission review as a useful stopgap; with no mitigation SLA for MEDIUM, do this during your next access-governance cycle, not as an emergency war room.
- Alert on admin actions by non-admin identities — Create SIEM detections for role elevation, new admin creation, workflow edits, integration-key creation, and admin API use where the actor was previously low privilege. This is your best tripwire because network signatures are weak against authenticated business-logic abuse.
- Put the app behind stronger session controls — Reinforce SSO, MFA, step-up auth for admin paths, IP/device restrictions, and short session lifetime for elevated roles. This does not fix the bug, but it raises the cost of the credential acquisition stage that the attacker must satisfy first.
What doesn't work
- A WAF-only response does not solve this well, because the exploit is authenticated application logic abuse over normal HTTPS requests, not a clean signature-driven injection pattern.
- MFA alone is not enough once the attacker already has a valid session or compromises a user after login; this flaw lives *after* authentication at the authorization layer.
- Assuming 'we use cloud, so we’re done' does not help mixed estates. It only removes the SaaS slice; on-prem Ivanti ITSM still needs version verification and patching.
06 · Verification
Crowdsourced verification payload.
Run this on an auditor workstation or target Windows app server to evaluate known Ivanti ITSM version data; it does not exploit the bug and needs no admin rights. Invoke it like powershell -ExecutionPolicy Bypass -File .\check-cve-2026-9614.ps1 -Deployment OnPrem -Version 2025.4 -Patch 0 or powershell -ExecutionPolicy Bypass -File .\check-cve-2026-9614.ps1 -Deployment Cloud -Version 2026.1 -Patch 9.
# check-cve-2026-9614.ps1
# Version compliance checker for CVE-2026-9614
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN
[CmdletBinding()]
param(
[Parameter(Mandatory=$true)]
[ValidateSet('OnPrem','Cloud')]
[string]$Deployment,
[Parameter(Mandatory=$true)]
[string]$Version,
[Parameter(Mandatory=$false)]
[int]$Patch = 0
)
function Write-Result {
param(
[string]$State,
[string]$Reason,
[int]$Code
)
Write-Output ("{0} - {1}" -f $State, $Reason)
exit $Code
}
function Parse-Version {
param([string]$InputVersion)
if ($InputVersion -match '^(\d{4})\.(\d+)$') {
return [PSCustomObject]@{
Year = [int]$matches[1]
Minor = [int]$matches[2]
}
}
return $null
}
$v = Parse-Version -InputVersion $Version
if (-not $v) {
Write-Result -State 'UNKNOWN' -Reason "Could not parse version '$Version'. Use forms like 2025.4 or 2026.1." -Code 2
}
if ($Deployment -eq 'OnPrem') {
# Authoritative fixed versions from CVE/OpenCVE/CERT-FR:
# 2025.2 Patch 1, 2025.3 Patch 1, 2025.4 Patch 1 are unaffected.
if ($v.Year -lt 2025) {
Write-Result -State 'VULNERABLE' -Reason 'On-prem version predates all listed fixed trains; treat as affected.' -Code 1
}
if ($v.Year -gt 2025) {
Write-Result -State 'PATCHED' -Reason 'On-prem version is newer than the listed vulnerable trains.' -Code 0
}
switch ($v.Minor) {
2 {
if ($Patch -ge 1) { Write-Result -State 'PATCHED' -Reason '2025.2 Patch 1 or later is fixed.' -Code 0 }
else { Write-Result -State 'VULNERABLE' -Reason '2025.2 before Patch 1 is affected.' -Code 1 }
}
3 {
if ($Patch -ge 1) { Write-Result -State 'PATCHED' -Reason '2025.3 Patch 1 or later is fixed.' -Code 0 }
else { Write-Result -State 'VULNERABLE' -Reason '2025.3 before Patch 1 is affected.' -Code 1 }
}
4 {
if ($Patch -ge 1) { Write-Result -State 'PATCHED' -Reason '2025.4 Patch 1 or later is fixed.' -Code 0 }
else { Write-Result -State 'VULNERABLE' -Reason '2025.4 before Patch 1 is affected.' -Code 1 }
}
default {
if ($v.Minor -lt 2) {
Write-Result -State 'VULNERABLE' -Reason '2025.x earlier than 2025.2 is older than all fixed on-prem trains; treat as affected.' -Code 1
}
else {
Write-Result -State 'PATCHED' -Reason '2025.x newer than 2025.4 is not in the listed affected trains.' -Code 0
}
}
}
}
elseif ($Deployment -eq 'Cloud') {
# Authoritative unaffected cloud builds:
# 2026.1 Patch 9 and 2026.2 Patch 1
# Note: Ivanti says SaaS remediation was already deployed on 2026-05-24 and 2026-05-25.
if ($v.Year -lt 2026) {
Write-Result -State 'VULNERABLE' -Reason 'Cloud version predates all listed fixed trains; treat as affected unless vendor confirms tenant remediation.' -Code 1
}
if ($v.Year -gt 2026) {
Write-Result -State 'PATCHED' -Reason 'Cloud version is newer than the listed vulnerable trains.' -Code 0
}
switch ($v.Minor) {
1 {
if ($Patch -ge 9) { Write-Result -State 'PATCHED' -Reason '2026.1 Patch 9 or later is fixed.' -Code 0 }
else { Write-Result -State 'VULNERABLE' -Reason '2026.1 before Patch 9 is affected.' -Code 1 }
}
2 {
if ($Patch -ge 1) { Write-Result -State 'PATCHED' -Reason '2026.2 Patch 1 or later is fixed.' -Code 0 }
else { Write-Result -State 'VULNERABLE' -Reason '2026.2 before Patch 1 is affected.' -Code 1 }
}
default {
Write-Result -State 'UNKNOWN' -Reason 'Cloud train not explicitly covered by reviewed advisory data; verify with Ivanti tenant release notes.' -Code 2
}
}
}
else {
Write-Result -State 'UNKNOWN' -Reason 'Unsupported deployment type.' -Code 2
}
07 · Bottom Line
If you remember one thing.
TL;DR
Monday morning: split the estate in two. First, confirm whether each instance is SaaS or on-prem; if it is SaaS, document Ivanti’s May 24–25, 2026 service remediation and close it out after tenant verification. If it is on-prem, inventory versions immediately, prune unnecessary user access, and add detections for role/permission abuse; for a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window, so your noisgate remediation SLA is to get vulnerable on-prem builds onto the fixed patch trains no later than 2027-06-01. I would still target a normal quarterly change window, not let this age for a year, because authenticated admin inside ITSM can become an operations problem fast.
Sources
- Ivanti blog: June 2026 Ivanti Neurons for ITSM Security Update
- NVD record for CVE-2026-9614
- OpenCVE detail page with affected/fixed versions and EPSS
- CERT-FR advisory for Ivanti products
- CERT Santé summary for CVE-2026-9614
- Canadian Centre for Cyber Security advisory AV26-533
- CISA Known Exploited Vulnerabilities Catalog
- runZero asset-finding guidance for Ivanti Neurons for ITSM
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.