Ivanti Neurons for ITSM Patches CVE-2024-45504 and CVE-2024-45505
- Immediate impact: Attackers can maintain persistent access via disabled accounts or harvest sensitive information from other active user sessions within the ITSM environment.
- Affected systems: These vulnerabilities affect all Ivanti Neurons for ITSM versions prior to 2023.4, impacting both cloud and on-premises deployments.
- Remediation: Administrators should upgrade to version 2024.1 or apply the relevant security hotfixes provided by Ivanti immediately.
Ivanti has released security updates for its Neurons for ITSM (IT Service Management) platform to address two high-severity vulnerabilities. These flaws could potentially allow unauthorized persistence and data exposure, highlighting a significant risk to organizations relying on Ivanti for automated service desk operations. According to SecurityWeek, the vulnerabilities impact both cloud and on-premises deployments, necessitating urgent attention from security administrators.
Overview of Ivanti Neurons for ITSM Security Risks
The two vulnerabilities involve improper authentication management and flawed access controls. While Ivanti has been a frequent target for APT groups in recent months, there is currently no evidence of these specific vulnerabilities being exploited in the wild as zero-day threats. However, given the criticality of ITSM systems, which often hold extensive data on internal infrastructure, user identities, and system configurations, the potential for exploitation is high.
Organizations use Ivanti Neurons for ITSM to streamline help desk workflows and asset management. Because these systems often integrate deeply with Active Directory and internal ticketing, a compromise here can facilitate lateral movement or serve as a jumping-off point for broader network infiltration. The CVSS scores for these issues reflect the high impact on confidentiality and integrity.
Technical Analysis: CVE-2024-45504 and CVE-2024-45505
Ivanti Neurons for ITSM authentication bypass vulnerability
The first vulnerability, CVE-2024-45504, has a CVSS score of 8.1. It is characterized as an “Improper Restriction of Excessive Authentication Attempts” flaw. In a standard security model, once a user account is disabled, all active sessions and subsequent login attempts should be invalidated. However, this vulnerability allows a remote attacker who has already gained access to maintain that access even after their account has been officially disabled.
This effectively acts as a persistence mechanism. If a SOC identifies a compromised account and disables it, the attacker could theoretically remain within the environment if the patch has not been applied. This undermines the standard incident response procedure of account revocation and highlights why understanding how to patch CVE-2024-45504 and CVE-2024-45505 is essential for maintaining a Zero Trust architecture.
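To make the "standard security model" above concrete, here is an added illustration (not Ivanti code) of a toy server-side session store in the weak shape the article describes, where a token is validated by lookup alone and so keeps working after the account is disabled, beside a hardened store that revokes the account's sessions on disablement, re-checks account state on every request, enforces an idle timeout and supports the post-patch global logout. Account names, tokens and the 15-minute idle timeout are constructed for the example and are not Ivanti settings.

```python
"""Session validation that honours account disablement.

Added illustration, not Ivanti code: a toy server-side session store in the
weak shape the advisory describes (token lookup only, so a disabled account's
sessions keep working) beside a hardened one. Accounts, tokens and the idle
timeout value are constructed for the example.
"""
from dataclasses import dataclass
import secrets
import time


@dataclass
class Account:
    username: str
    enabled: bool = True


@dataclass
class Session:
    username: str
    last_seen: float
    generation: int  # value of the global-logout counter when issued


class WeakSessionStore:
    """Checks only that the token exists. Disabling the account leaves its
    sessions valid, which is the persistence pattern attributed to CVE-2024-45504."""

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.sessions = {}

    def login(self, username):
        acct = self.accounts.get(username)
        if acct is None or not acct.enabled:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, time.time(), 0)
        return token

    def disable_account(self, username):
        self.accounts[username].enabled = False  # existing sessions untouched

    def is_valid(self, token):
        return token in self.sessions


class HardenedSessionStore(WeakSessionStore):
    """Revokes sessions when an account is disabled, re-checks account state on
    every request, enforces an idle timeout and supports a global logout."""

    IDLE_TIMEOUT = 15 * 60  # seconds; assumed value, not an Ivanti setting

    def __init__(self, accounts, now=time.time):
        super().__init__(accounts)
        self.now = now          # injectable clock so the timeout can be tested
        self.generation = 0     # bumped by force_global_logout()

    def login(self, username):
        acct = self.accounts.get(username)
        if acct is None or not acct.enabled:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, self.now(), self.generation)
        return token

    def disable_account(self, username):
        self.accounts[username].enabled = False
        # Revoke every live session of the account, not just future logins.
        for token in [t for t, s in self.sessions.items() if s.username == username]:
            del self.sessions[token]

    def force_global_logout(self):
        """Invalidate every session issued so far, e.g. right after patching."""
        self.generation += 1

    def is_valid(self, token):
        s = self.sessions.get(token)
        if s is None:
            return False
        acct = self.accounts.get(s.username)
        expired = (
            acct is None or not acct.enabled            # defense in depth
            or s.generation != self.generation          # a global logout happened
            or self.now() - s.last_seen > self.IDLE_TIMEOUT
        )
        if expired:
            del self.sessions[token]
            return False
        s.last_seen = self.now()
        return True


def demo():
    """Returns (weak_still_valid, hardened_still_valid) after the account is disabled."""
    weak = WeakSessionStore([Account("alice")])
    t = weak.login("alice")
    weak.disable_account("alice")

    hard = HardenedSessionStore([Account("alice")])
    t2 = hard.login("alice")
    hard.disable_account("alice")
    return weak.is_valid(t), hard.is_valid(t2)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The hardened store checks account state on every request rather than only at login, so even a session that slipped past the revocation loop dies at its next use; the generation counter is what a "force a global logout after patching" step amounts to server-side.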
Exploiting Improper Access Control in ITSM Environments
The second vulnerability, CVE-2024-45505, carries a CVSS score of 7.1. This is an “Improper Access Control” issue. It allows an authenticated remote attacker to access information belonging to other user sessions. While the attacker must already be authenticated to the system, the ability to access data between sessions allows for significant information disclosure.
In practice, an attacker could harvest session tokens, personally identifiable information (PII), or technical metadata about the infrastructure that they are not authorized to view. This type of flaw is particularly dangerous in multi-tenant environments or large enterprises where different departments might have segregated data within the same ITSM instance.
Impact and Exploitation Scenarios
The lack of proper session isolation means that an attacker with low-level privileges could achieve privilege escalation by capturing data from higher-privileged users. If an administrator is logged into the system at the same time as an attacker, the attacker might leverage CVE-2024-45505 to extract administrative session data.
Furthermore, the Ivanti Neurons for ITSM version 2023.4 security update is critical because the persistence provided by CVE-2024-45504 allows attackers to survive eviction attempts. Traditional EDR solutions might monitor for suspicious processes on the host, but if the attacker’s presence is rooted in a legitimate but “undead” web session within the ITSM platform, detection becomes significantly more difficult without specific SIEM logging for application-level session activity.
Mitigation and Patch Guidance
Ivanti has confirmed that these vulnerabilities affect versions 2023.4, 2023.3, and all earlier versions of the Neurons for ITSM platform. To secure the environment, defenders must prioritize the upgrade to version 2024.1. For organizations unable to perform a full version upgrade immediately, Ivanti has provided specific hotfixes.
Defenders should verify their current versioning and ensure that the Ivanti Neurons for ITSM authentication bypass vulnerability is mitigated by applying the following steps:
- Audit all active sessions and force a global logout after patching to ensure any existing sessions are re-authenticated.
- Review audit logs for unusual access patterns, particularly from accounts that were recently disabled or scheduled for decommissioning.
- Implement strict session timeouts and multi-factor authentication to add layers of defense against session-based exploits.
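The audit-log review in the second step above can be automated. The following is an added example, not Ivanti code and not Ivanti's actual log format: a small detector over constructed key=value audit lines that flags any activity by an account after it was disabled, and marks whether the session involved was issued before the disablement (a surviving session, the CVE-2024-45504 pattern) or after it (disablement not enforced at login). Event names, usernames, session ids and IP addresses are all made up for the sample.

```python
"""Audit-log review for activity from disabled accounts.

Added illustration, not Ivanti code or Ivanti's log format: flags events by an
account after an ACCOUNT_DISABLED record for it, until an ACCOUNT_ENABLED record
clears the state. The sample log below is constructed for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log; event names, users, sessions and IPs are made up.
SAMPLE_LOG = """
2024-09-10T08:00:01Z event=LOGIN user=alice session=S1 src=10.0.0.5
2024-09-10T08:02:30Z event=TICKET_VIEW user=alice session=S1 src=10.0.0.5 ticket=INC-1001
2024-09-10T08:05:00Z event=ACCOUNT_DISABLED user=alice actor=soc-analyst
2024-09-10T08:07:12Z event=TICKET_VIEW user=alice session=S1 src=10.0.0.5 ticket=INC-1002
2024-09-10T08:08:00Z event=LOGIN user=bob session=S3 src=10.0.0.9
2024-09-10T08:09:00Z event=LOGIN user=alice session=S2 src=10.0.0.5
2024-09-10T08:10:00Z event=ACCOUNT_DISABLED user=carol actor=hr-sync
2024-09-10T08:11:00Z event=ACCOUNT_ENABLED user=carol actor=hr-sync
2024-09-10T08:12:00Z event=LOGIN user=carol session=S4 src=10.0.0.7
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


@dataclass
class Finding:
    user: str
    session: str
    event: str
    ts: datetime
    disabled_at: datetime
    surviving_session: bool  # session was issued before the account was disabled


def parse_line(line):
    """Parse '<iso-timestamp> k=v k=v ...' into a dict; None on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    except ValueError:
        return None
    fields = {}
    for kv in m.group("kv").split():
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        fields[key] = value
    fields["ts"] = ts
    return fields


def find_post_disable_activity(lines):
    """Return Findings for every event by a user at or after their disable time."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    disabled_at = {}    # user -> time the account was disabled
    session_start = {}  # (user, session) -> LOGIN time
    findings = []
    for ev in events:
        user, event = ev.get("user"), ev.get("event")
        session = ev.get("session", "-")
        if user is None or event is None:
            continue
        if event == "ACCOUNT_DISABLED":
            disabled_at[user] = ev["ts"]
            continue
        if event == "ACCOUNT_ENABLED":
            disabled_at.pop(user, None)
            continue
        if event == "LOGIN":
            session_start[(user, session)] = ev["ts"]
        if user in disabled_at and ev["ts"] >= disabled_at[user]:
            start = session_start.get((user, session))
            survived = start is not None and start < disabled_at[user]
            findings.append(Finding(user, session, event, ev["ts"],
                                    disabled_at[user], survived))
    return findings


if __name__ == "__main__":
    for f in find_post_disable_activity(SAMPLE_LOG):
        kind = "surviving session" if f.surviving_session else "new login after disable"
        print(f"{f.ts.isoformat()} {f.user} {f.session} {f.event} ({kind})")
```

Run against the sample, the detector reports alice's ticket view on session S1 as a surviving session and her later login on S2 as a disablement that was not enforced at login; bob and carol produce nothing because carol was re-enabled before logging in. Against a real export the field names would need to be mapped to the platform's own audit schema.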
By addressing these flaws, organizations can prevent unauthorized persistence and protect the sensitive operational data contained within their ITSM platforms.