cbcvebase.
CVE-2025-22462
published 2025-05-13


Priority: P2 / 72
CVSS 3.1: 9.8 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.87% (76.7th percentile)
An authentication bypass in Ivanti Neurons for ITSM (on-prem only) before 2023.4, 2024.2 and 2024.3 with the May 2025 Security Patch allows a remote unauthenticated attacker to gain administrative access to the system.

Affected (4 ranges)

Vendor   Product            Version range   Fixed in
ivanti   neurons_for_itsm   < 2023.4        2023.4
ivanti   neurons_for_itsm
ivanti   neurons_for_itsm
ivanti   neurons_for_itsm

Detection & IOCs (extracted from sources)

  • Target product is Ivanti Neurons for ITSM on-premises only; cloud/SaaS instances are not affected. Focus detection on on-prem deployments running versions 2023.4, 2024.2, or 2024.3 without the May 2025 Security Patch.
  • Monitor for unauthenticated requests that result in administrative access or privilege escalation on the Ivanti Neurons for ITSM IIS web application. Anomalous admin-level activity from unauthenticated or unexpected source IPs is a key indicator.
  • Restrict IIS website access to a limited set of known IP addresses and domain names as a compensating control; alert on access attempts from IPs outside the allowlist.
  • For externally accessible deployments, verify DMZ configuration is in place. Detect exposure of the ITSM solution directly to the internet without DMZ as a high-risk configuration indicator.
  • Only on-premises deployments are affected. Ivanti Neurons for ITSM cloud/SaaS instances are not vulnerable.
  • Risk is reduced (but not eliminated) for deployments where IIS access is restricted to a limited set of IPs/domains per Ivanti hardening guidance.
  • Risk is also reduced for externally-accessible deployments that are properly configured with a DMZ.
  • As of disclosure, Ivanti found no evidence of active exploitation in the wild.