
Ivanti has issued urgent security updates for its Neurons for ITSM IT service management solution, addressing a critical authentication bypass vulnerability (CVE-2024-7569) that could allow unauthenticated attackers to compromise systems. The flaw, rated CVSS 9.6, enables threat actors to obtain OIDC client secrets through debug information exposure [1]. A second related vulnerability (CVE-2024-7570, CVSS 8.3) permits man-in-the-middle (MITM) attackers to forge authentication tokens and gain unauthorized access as any user [2].
Technical Analysis of the Vulnerabilities
The CVE-2024-7569 vulnerability stems from improper handling of debug information in the OIDC implementation. Attackers can send crafted requests to endpoints that inadvertently expose client secrets in debug responses. These secrets can then be used to generate valid authentication tokens. CVE-2024-7570 occurs when attackers intercept and modify OAuth token exchange communications due to insufficient validation of token signatures.
Affected versions include all on-premises Neurons for ITSM deployments and cloud instances running versions 2023.4 or earlier. Ivanti has released patches for versions 2023.2 through 2023.4, with cloud instances receiving automatic updates by August 4, 2024 [3].
Exploitation Potential and Detection
The authentication bypass vulnerabilities are particularly dangerous as they require no prior authentication and leave no immediate traces in standard logs. Security teams should monitor for:
- Unusual authentication patterns from unexpected IP addresses
- Multiple failed OAuth token validation attempts followed by successful authentications
- Requests to debug endpoints containing client secret parameters
Network traffic analysis can reveal exploitation attempts through abnormal sequences of OAuth token exchange requests. The Ivanti Knowledge Base provides specific log entries to monitor for detection [1].
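As an added illustration (not code from Ivanti or from any of the cited sources), the following Python script applies two of the indicators listed above to a constructed, simplified access-log format: requests to a debug endpoint carrying a client_secret parameter, and a run of failed token validations from one source IP followed by a successful authentication. The log layout, field names and event names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample log lines for illustration only (not Ivanti's real log format);
# fields are: timestamp, source IP, method, path, HTTP status, event name.
SAMPLE_LOGS = """\
2024-08-01T10:00:01Z 203.0.113.5 GET /oidc/debug?client_id=app&client_secret=REDACTED 200 debug_page
2024-08-01T10:00:05Z 203.0.113.5 POST /oidc/token 401 token_validation_failed
2024-08-01T10:00:06Z 203.0.113.5 POST /oidc/token 401 token_validation_failed
2024-08-01T10:00:07Z 203.0.113.5 POST /oidc/token 401 token_validation_failed
2024-08-01T10:00:09Z 203.0.113.5 POST /oidc/token 200 auth_success
2024-08-01T10:05:00Z 198.51.100.7 POST /oidc/token 200 auth_success
2024-08-01T10:06:00Z 198.51.100.7 POST /oidc/token 401 token_validation_failed
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)")

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, method, path, status, event = m.groups()
            yield {"ts": ts, "ip": ip, "method": method, "path": path,
                   "status": int(status), "event": event}

def debug_secret_requests(events):
    """Indicator: a request to a debug endpoint that carries a client_secret parameter."""
    return [(e["ts"], e["ip"], e["path"]) for e in events
            if "/debug" in e["path"].lower() and "client_secret=" in e["path"].lower()]

def fail_then_success(events, min_failures=3):
    """Indicator: min_failures+ failed token validations from one IP, then a success."""
    streak = defaultdict(int)   # per-IP count of consecutive validation failures
    hits = []
    for e in events:
        if e["event"] == "token_validation_failed":
            streak[e["ip"]] += 1
        elif e["event"] == "auth_success":
            if streak[e["ip"]] >= min_failures:
                hits.append((e["ip"], streak[e["ip"]], e["ts"]))
            streak[e["ip"]] = 0  # a success ends the streak either way
    return hits

def detect(log_text, min_failures=3):
    """Run both indicators over a log text and return the findings."""
    events = list(parse(log_text))
    return {"debug_secret_requests": debug_secret_requests(events),
            "fail_then_success": fail_then_success(events, min_failures)}
```

Calling `detect(SAMPLE_LOGS)` flags the single debug request and the three-failure-then-success sequence from 203.0.113.5, while the lone failure from 198.51.100.7 is not reported.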
Mitigation and Patch Guidance
Organizations using affected versions should immediately apply the available patches. For systems that cannot be immediately updated, temporary mitigations include:
| Mitigation | Implementation |
|---|---|
| Disable debug endpoints | Modify configuration files to disable OIDC debug mode |
| Restrict network access | Limit ITSM interface access to trusted IP ranges |
| Enhanced monitoring | Implement alerts for OAuth token generation anomalies |
Ivanti recommends verifying that no unauthorized accounts have been created post-patching and reviewing all authentication logs for signs of compromise [4].
Broader Ivanti Vulnerability Context
This authentication bypass flaw follows a series of critical vulnerabilities in Ivanti products throughout 2024-2025. Notably, the Virtual Traffic Manager (CVE-2024-7593) and Connect Secure (CVE-2024-22024) have seen active exploitation within days of disclosure [5]. The pattern of high-severity flaws across Ivanti’s product line underscores the importance of maintaining rigorous patch management processes for enterprise IT management systems.
Security teams should prioritize reviewing all Ivanti deployments, as multiple products have required emergency patches this year. The Neurons for ITSM vulnerabilities are particularly concerning given the product’s role in managing critical IT service workflows and its access to sensitive system credentials.
References
[1] “KB-CVE-2023-46805,” Ivanti Knowledge Base. [Online]. Available: https://forums.ivanti.com/s/article/KB-CVE-2023-46805
[2] “Ivanti Patches Critical Vulnerabilities in Neurons for ITSM, Virtual Traffic Manager,” SecurityWeek, 2024. [Online]. Available: https://www.securityweek.com/ivanti-patches-critical-vulnerabilities-in-neurons-for-itsm-virtual-traffic-manager
[3] “Ivanti warns of critical vTM auth bypass with public exploit,” BleepingComputer, 2024. [Online]. Available: https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-vtm-auth-bypass-with-public-exploit
[4] “H-ISAC Vulnerability Bulletin,” H-ISAC, Feb. 9, 2024. [Online]. Available: https://www.aha.org/system/files/media/file/2024/02/h-isac-vulnerability-bulletin-2-9-2024.pdf
[5] “Security Alert: CVE-2025-0282 Stormshield Products Response,” Stormshield, 2025. [Online]. Available: https://www.stormshield.com/news/security-alert-cve-2025-0282-stormshield-products-response