CVE-2025-22462 in Ivanti Neurons for ITSM: Patch Posture & SBOM Response

Ivanti Neurons for ITSM auth bypass scored CVSS 9.8 and grants full admin access. Defender playbook for the ITSM patching emergency.

Michael
Security Engineer

On May 13, 2025, Ivanti published a critical security advisory covering CVE-2025-22462, an authentication bypass in Ivanti Neurons for ITSM (formerly HEAT Service Management). The CVSS v3.1 base score is 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation gives an unauthenticated remote attacker full administrative access to the ITSM platform — which in most organizations is also the SCCM/Intune integration broker, the asset-management database, the helpdesk request workflow, and the change-management approval chain. Ivanti's ITSM CVE pattern over the past year (CVE-2024-7593, CVE-2024-9381, and now CVE-2025-22462) tells a clear story: identity and access-control bugs in business-critical SaaS-on-prem platforms are now ransomware's preferred entry point because they sidestep the perimeter entirely.

What does the vendor advisory say?

Ivanti's advisory describes CVE-2025-22462 as an improper authentication issue in the Neurons for ITSM web application. The flaw lies in the session-token validation code path; the vendor declines to detail it beyond confirming that a remote, unauthenticated attacker can craft a request that bypasses the login flow and reaches admin-only endpoints. The advisory rates the issue critical and assigns it the highest severity tag in Ivanti's PSIRT taxonomy. Importantly, the advisory clarifies that all on-premises customer deployments are affected; Ivanti's hosted (cloud-managed) Neurons for ITSM instances were patched server-side between May 8 and May 13, 2025 and require no customer action. The vendor recommends that customers verify they are running the May 2025 security patches for versions 2023.4, 2024.2, and 2024.3.

Which versions are affected and which are patched?

CVE-2025-22462 affects all on-prem Ivanti Neurons for ITSM instances prior to the May 2025 security patches for:

  • Ivanti Neurons for ITSM 2023.4 — apply May 2025 Hotfix (build 2023.4.0.5)
  • Ivanti Neurons for ITSM 2024.2 — apply May 2025 Hotfix (build 2024.2.0.3)
  • Ivanti Neurons for ITSM 2024.3 — apply May 2025 Hotfix (build 2024.3.0.2)

Earlier versions (2023.3 and prior) reached end-of-mainstream-support before the advisory; Ivanti's guidance is to migrate to 2024.3 minimum. Verify the running version through the Neurons for ITSM admin console under Help > About or via the _appVersion field in the IVTSettings database table. For organizations running Neurons in a multi-tenant on-prem topology, each tenant database must be confirmed individually.

Ivanti's May 13 release also covered three related vulnerabilities in the same product:

  • CVE-2025-22458 — session fixation (CVSS 6.5)
  • CVE-2025-22459 — server-side request forgery (CVSS 7.7)
  • CVE-2025-22461 — privilege escalation (CVSS 8.8)

Apply the cumulative hotfix; do not cherry-pick individual binaries.
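The fixed-build table above is easiest to apply consistently if the comparison is done in code rather than by eye, especially across prod, staging, DR and per-tenant databases. The following Python is an added example, not Ivanti's or Safeguard's code: it takes build strings as reported by Help > About or the _appVersion field, compares them numerically against the hotfix builds listed above, and flags 2023.3-and-earlier branches for migration rather than hotfixing. The status labels and the sample inventory are constructed for illustration.

```python
"""Triage Ivanti Neurons for ITSM build strings against the May 2025 hotfix builds.

Added example; the fixed-build table comes from the advisory summary above and the
sample inventory is constructed. Status labels are this example's own convention.
"""

# Hotfix builds per supported branch, as listed in the advisory summary.
FIXED_BUILDS = {
    "2023.4": "2023.4.0.5",
    "2024.2": "2024.2.0.3",
    "2024.3": "2024.3.0.2",
}

# Branches at or below this one are past mainstream support: migrate, do not hotfix.
LAST_EOL_BRANCH = (2023, 3)


def parse_build(build: str) -> tuple[int, ...]:
    """Turn '2024.2.0.1' into (2024, 2, 0, 1) so builds compare numerically, not lexically."""
    parts = build.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(p) for p in parts)


def triage(build: str) -> str:
    """Classify one instance as 'patched', 'vulnerable', 'eol-migrate' or 'unknown-branch'."""
    version = parse_build(build)
    branch = version[:2]
    if branch <= LAST_EOL_BRANCH:
        return "eol-migrate"
    fixed = FIXED_BUILDS.get(f"{branch[0]}.{branch[1]}")
    if fixed is None:
        # A branch the table does not know (e.g. a later release): check the advisory.
        return "unknown-branch"
    # Tuple comparison handles short strings too: (2024, 3) < (2024, 3, 0, 2).
    return "patched" if version >= parse_build(fixed) else "vulnerable"


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by triage status; hosts with unparsable builds go under 'unparsable'."""
    groups: dict[str, list[str]] = {}
    for host, build in sorted(inventory.items()):
        try:
            status = triage(build)
        except ValueError:
            status = "unparsable"
        groups.setdefault(status, []).append(host)
    return groups


# Constructed sample inventory (hostname -> build string as read from Help > About).
SAMPLE_INVENTORY = {
    "itsm-prod-01": "2024.3.0.1",
    "itsm-stg-01": "2024.3.0.2",
    "itsm-dr-01": "2024.2.0.3",
    "itsm-tenant-b": "2023.4.0.4",
    "itsm-legacy": "2023.3.0.9",
    "itsm-broken": "n/a",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:15} {', '.join(hosts)}")
```

Feed it the output of the PowerShell registry sweep described below, one build string per host, and hand the "vulnerable" and "eol-migrate" groups to the rollout plan; a build that parses as a branch newer than the table is reported separately rather than silently treated as safe.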

Is it in CISA KEV and what is the EPSS score?

CVE-2025-22462 is not currently in CISA KEV. EPSS at publication was 0.21, climbing to 0.48 over the following 30 days as researchers published proof-of-concept tooling. The Ivanti-product KEV pattern from 2024 (CVE-2024-21887 entered KEV within 14 days; CVE-2025-0282 within 7 days) suggests CVE-2025-22462 is highly likely to be added if exploitation is confirmed against U.S. federal targets. The defender argument for treating this CVE as KEV-eligible regardless of current listing is the same as for SolarWinds, ManageEngine, and SAP: ITSM platforms are deeply integrated into asset, identity, and change-management infrastructure, so compromise here cascades into multiple downstream systems.

How do you find vulnerable instances in your SBOM?

Ivanti Neurons for ITSM is normally a single-instance, on-prem Windows installation. Track it in the asset graph as a tier-0 system. Safeguard saved query:

# Identify Ivanti Neurons for ITSM instances on pre-fix builds
safeguard scan --cve CVE-2025-22462 --product ivanti-neurons-itsm

# Show instances reachable from untrusted networks
safeguard assets list \
  --filter "vendor=ivanti AND product=neurons-itsm AND exposure!=internal-only" \
  --include-cve CVE-2025-22462

For shops without an Ivanti-specific SBOM connector, the lightest enumeration is a PowerShell remoting loop against suspected hosts that queries Get-ItemProperty 'HKLM:\SOFTWARE\Ivanti\Neurons for ITSM'. Cross-reference against the CMDB to capture any DR-site and staging instances that the asset team often forgets.

What is the recommended patch rollout?

Ivanti's recommended sequence:

  1. Snapshot the SQL Server database backing Neurons for ITSM (full backup + transaction log backup).
  2. Snapshot the application server (VM-level snapshot if virtualized).
  3. Stop the Ivanti Neurons services: Stop-Service Heat* from elevated PowerShell.
  4. Download the hotfix bundle from forums.ivanti.com (customer portal).
  5. Run the installer with administrative privileges; the upgrade is in-place and preserves configuration.
  6. Restart services: Start-Service Heat*.
  7. Verify the version through the admin console.
  8. Reset all administrator credentials and audit recent login activity for anomalous source IPs during the exposure window.
  9. Rotate any API keys or service-account tokens that Neurons for ITSM exchanges with downstream systems (SCCM, Intune, Active Directory, the corporate change-management portal).

For multi-instance deployments (separate prod, staging, DR), upgrade staging first to validate the upgrade does not break customizations, then prod, then DR. Allow 60–90 minutes per instance for the upgrade and post-flight verification.

Compensating controls while patching: place the Neurons for ITSM web server behind an IP allowlist at the network layer (corporate VPN and jump-host source IPs only) until the patch is applied. Disable the external-facing self-service portal if business need permits. Force-rotate all administrator credentials immediately, because the auth bypass sits in the login path; rotating before the patch gives it a clean baseline.

What detections does the vendor or CISA publish?

Ivanti's advisory recommends scanning the Neurons for ITSM web server access log for anomalous request patterns to admin endpoints. The vendor published a list of suspicious URI patterns and a Sigma detection through the Ivanti Customer Portal (under PSIRT-2025-005):

# Source: Ivanti PSIRT-2025-005, 2025-05-13
title: Ivanti Neurons for ITSM Unauthenticated Admin Endpoint Access
status: stable
logsource:
  product: iis
  service: w3svc
detection:
  selection:
    cs-uri-stem|contains:
      - '/api/admin/'
      - '/api/configuration/'
      - '/api/identity/'
    sc-status:
      - 200
      - 201
      - 204
  filter_legit_auth:
    # cs(Authorization) is not a default W3C log field; it must be added to the
    # site's custom logging fields in IIS before this filter can match anything.
    cs(Authorization)|exists: true
  condition: selection and not filter_legit_auth
fields:
  - c-ip
  - cs-method
  - cs-uri-stem
  - cs(User-Agent)
  - sc-status
level: high

Microsoft Defender for Cloud Apps and Sentinel both ship analytic rules for the access pattern within their May 2025 content updates. For SOCs without those tools, ingest the Neurons for ITSM IIS logs directly into the SIEM and run the Sigma rule against the historical window covering at least 30 days back.
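For a SOC that ingests the raw IIS logs rather than a SIEM content pack, the rule above reduces to a small filter that can be run directly over the rotated W3C log files for the 30-day window. The following Python is an added example, not Ivanti's or Safeguard's code: it parses W3C extended logs using the `#Fields:` directive, applies the rule's `selection and not filter_legit_auth` logic, and projects hits onto the rule's field list. The log excerpt is constructed, and it assumes `cs(Authorization)` has been added as a custom IIS log field (IIS writes `-` for an absent header).

```python
"""Run the logic of the Ivanti IIS Sigma rule over W3C extended log lines.

Added example, not vendor code. SAMPLE_LOG is constructed; it assumes the site logs
cs(Authorization) as a custom field, which IIS does not do by default.
"""
from collections import Counter

ADMIN_PREFIXES = ("/api/admin/", "/api/configuration/", "/api/identity/")
SUCCESS_STATUS = {200, 201, 204}
OUTPUT_FIELDS = ("c-ip", "cs-method", "cs-uri-stem", "cs(User-Agent)", "sc-status")


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Parse W3C extended log text; '#Fields:' names the columns of the rows that follow."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # header-less or malformed row: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def is_suspicious(row: dict[str, str]) -> bool:
    """selection AND NOT filter_legit_auth, exactly as the Sigma rule states it."""
    uri = row.get("cs-uri-stem", "")
    try:
        status = int(row.get("sc-status", ""))
    except ValueError:
        return False
    selection = any(p in uri for p in ADMIN_PREFIXES) and status in SUCCESS_STATUS
    # IIS logs '-' when a header is absent, so '-' (or an unlogged field) means "does not exist".
    has_auth = row.get("cs(Authorization)", "-") not in ("", "-")
    return selection and not has_auth


def detect(text: str) -> list[dict[str, str]]:
    """Return the hit rows projected onto the rule's 'fields' list."""
    return [{k: r.get(k, "-") for k in OUTPUT_FIELDS}
            for r in parse_w3c(text) if is_suspicious(r)]


def hits_by_client(text: str) -> dict[str, int]:
    """Count hits per source IP, the first pivot an analyst wants during triage."""
    return dict(Counter(hit["c-ip"] for hit in detect(text)))


# Constructed IIS W3C log excerpt (spaces inside header values are '+'-encoded by IIS).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent) cs(Authorization)
2025-05-10 02:14:07 203.0.113.25 POST /api/admin/users - 200 python-requests/2.31 -
2025-05-10 02:14:09 203.0.113.25 GET /api/configuration/settings - 200 python-requests/2.31 -
2025-05-10 08:03:11 10.20.30.40 GET /api/admin/users - 200 Mozilla/5.0 Bearer+REDACTED
2025-05-10 08:05:44 10.20.30.41 GET /HEAT/Login.aspx - 200 Mozilla/5.0 -
2025-05-10 09:12:00 203.0.113.25 GET /api/identity/roles - 401 curl/8.0 -
2025-05-10 09:15:23 198.51.100.7 DELETE /api/identity/roles/5 - 204 curl/8.0 -
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
    print(hits_by_client(SAMPLE_LOG))
```

Rows with an Authorization header, non-admin paths, or failed (401) responses drop out; only successful admin-endpoint responses with no credential presented remain, which is the pattern the advisory describes. Point `detect` at each rotated log file in turn to cover the historical window.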

How Safeguard Helps

Safeguard ingests Ivanti Neurons for ITSM installation manifests from every Windows server registered through the endpoint-management integration, matching versions against the fixed-build table for CVE-2025-22462 and the related May 2025 advisories. Policy gates fail change-management promotions of Neurons for ITSM hosts below the May 2025 hotfix, and a built-in compliance check verifies that administrator credentials have been rotated post-patch. Griffin AI scores ITSM installations by integration blast radius — counting the distinct downstream systems (SCCM, Intune, AD, ServiceNow integrations) the platform writes to, surfacing the highest-impact installations first. VEX statements from Ivanti are auto-ingested for hosted Neurons instances (which were patched server-side and require no customer action), preventing dashboard noise for SaaS-only deployments. The ServiceNow connector files a per-instance change ticket with the hotfix installer hash, the IIS log Sigma rule for post-flight verification, and a credential-rotation checklist attached as evidence — closing the loop between SBOM detection and verified ITSM platform fix.
