Ivanti has patched two medium-severity vulnerabilities in its Neurons for ITSM product that affect both on-premises and cloud deployments. The first flaw could allow authenticated attackers to retain access even after their accounts are disabled, while the second is a cross-site scripting vulnerability that could leak limited session information. Cloud customers were automatically updated on December 12th, but on-premises users are urged to upgrade to version 2025.4 immediately, though Ivanti says there's no evidence of active exploitation.