CVE-2026-9614

Description

An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access.

Overview

State
PUBLISHED
Assigner (CNA)
ivanti
CVSS severity
HIGH
CVSS score
8.8 / 10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Effective score
8.8 / 10 HIGH (source: CNA overview)
CWE(s)
CWE-284
Reserved
2026-05-26
Published
2026-06-01 17:50 UTC
Last updated
2026-06-02 03:56 UTC
Source
https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/9xxx/CVE-2026-9614.json
Linked Threat
CVE-2026-9614 — CVE-2026-9614

NVD triage scoring NVD CVE 2.0

The layer NVD adds on top of the CNA's CVE record: published / last-modified timestamps, exploitability / impact subscores, and the FIRST.org EPSS probability that this CVE will be exploited in the wild in the next 30 days.

EPSS score
0.0067 (probability of exploitation in next 30 days)
EPSS percentile
47.03% vs all CVEs — higher = more likely to be exploited, as of 2026-06-18

NVD / KEV / EPSS data refreshed 2026-06-19 11:34 UTC.

Affected products (2)

| Vendor | Product | Versions | Platforms |
|--------|---------|----------|-----------|
| Ivanti | Neurons for ITSM (On-Premises) | 2025.4 Patch 1 (unaffected), 2025.3 Patch 1 (unaffected), 2025.2 Patch 1 (unaffected) | |
| Ivanti | Neurons for ITSM (Cloud) | 2026.1 Patch 9 (unaffected), 2026.2 Patch 1 (unaffected) | |

Remediations (10)

Remediations are stored against the linked Threat row; the list below is deduplicated across both pages.

  • web:app.opencve.io

    Remediation: No vendor fix or workaround currently provided.

    OpenCVE Recommended Actions:
      • Apply the Ivanti vendor‑issued patch or upgrade to a fixed version as detailed in the official advisory
      • Configure identity and access management to enforce least‑privilege and explicitly deny administrative access to untrusted users

    2026-06-08 15:19 UTC
  • web:blogs.oracle.com

    For more information about the Critical Patch Update program, see the security vulnerability remediation practices page located on the Oracle Trust Center.

    2026-06-08 15:19 UTC
  • web:cve.akaoma.com

    Protect Your Infrastructure against CVE-2026-9614 : Combat Critical CVE Threats Stay updated with real-time CVE vulnerabilities and take action to secure your systems. Enhance your cybersecurity posture with the latest threat intelligence and mitigation techniques. Develop the skills necessary to defend against CVEs and secure critical infrastructures. Join the top cybersecurity professionals ...

    2026-06-08 15:19 UTC
  • web:cvefeed.io

    An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access.

    2026-06-08 15:19 UTC
  • web:cyberpress.org

    Ivanti has disclosed a high-severity improper access control vulnerability CVE-2026-9614 in its Neurons for ITSM platform, affecting both cloud and on-premises deployments.

    2026-06-08 15:19 UTC
  • web:cybersecuritynews.com

    An Ivanti Neurons for ITSM flaw could let authenticated attackers escalate privileges and gain full admin access.

    2026-06-08 15:19 UTC
  • web:github.com

    GitHub is where people build software. More than 150 million people use GitHub to discover, fork, and contribute to over 420 million projects.

    2026-06-08 15:19 UTC
  • web:portal.msrc.microsoft.com

    The Security Update Guide provides information on the latest Microsoft security updates, helping users understand and address potential vulnerabilities effectively.

    2026-06-08 15:19 UTC
  • web:securityvulnerability.io

    What is CVE-2026-9614 ? An improper access control vulnerability in Ivanti Neurons for ITSM, both in cloud and on-premises implementations, enables a remote authenticated attacker to potentially gain unauthorized administrative access. This flaw underscores the importance of enforcing strict access controls to safeguard sensitive operations and enhance security posture for IT environments.

    2026-06-08 15:19 UTC
  • web:www.oracle.com

    This Critical Patch Update contains 481 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2026 Critical Patch Update: Executive Summary and Analysis.

    2026-06-08 15:19 UTC

Vendor references (1)

References embedded in the original CVE record by the assigning CNA.

Web references (4)

DuckDuckGo results ranked by threat-intel / vendor advisory domains.

Raw JSON

The full cvelistV5 record.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-9614",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-01T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-02T03:56:03.438Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Neurons for ITSM (On-Premises)",
          "vendor": "Ivanti",
          "versions": [
            {
              "status": "unaffected",
              "version": "2025.4 Patch 1",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "2025.3 Patch 1",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "2025.2 Patch 1",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Neurons for ITSM (Cloud)",
          "vendor": "Ivanti",
          "versions": [
            {
              "status": "unaffected",
              "version": "2026.1 Patch 9",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "2026.2 Patch 1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote authenticated attacker to gain administrative access. "
            }
          ],
          "value": "An Improper Access Control vulnerability in Ivanti\u00a0Neurons for\u00a0ITSM\u00a0(cloud and\u00a0on-premises)\u00a0allows a remote authenticated attacker to gain administrative access."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-01T17:50:03.264Z",
        "orgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
        "shortName": "ivanti"
      },
      "references": [
        {
          "url": "https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2026-9614"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
    "assignerShortName": "ivanti",
    "cveId": "CVE-2026-9614",
    "datePublished": "2026-06-01T17:50:03.264Z",
    "dateReserved": "2026-05-26T16:30:29.761Z",
    "dateUpdated": "2026-06-02T03:56:03.438Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}