Ivanti ITSM Flaw Could Allow Attackers to Escalate to Admin Access

Ivanti released patches for CVE-2026-9614, an improper access control vulnerability in Ivanti Neurons for ITSM that allows low-privileged authenticated attackers to escalate to full administrative access (CVSS 8.8). The flaw affects cloud and on‑premises versions; on‑premises patches and cloud service updates have been issued and applied between May 24–25, 2026. Ivanti reports no evidence of active exploitation, but organizations are advised to apply patches, restrict ITSM access, and monitor for misuse of privileged accounts.