

Ivanti Secure Access Client (Windows), Ivanti Xtraction, Ivanti Virtual Traffic Manager, and Ivanti Endpoint Manager deployed in enterprise environments.
Seven CVEs ranging from improper permission assignment and race conditions to SQL injection and OS command injection vulnerabilities.
Disclosed 12–13 May 2026; no active exploitation confirmed; patches available for all affected products.
Local client access (Secure Access Client), remote web directory (Xtraction), admin-accessible vTM interface, and EPM web console.
Incorrect permission assignment, race condition, external file name control, OS command injection, dangerous method exposure, and SQL injection flaws.
Authenticated local or remote attackers exploit weak permissions, inject commands, or query vulnerable web interfaces to escalate and execute code.
Exploitation enables privilege escalation, RCE, credential leakage, file manipulation, and unauthorised persistent access to enterprise systems.
High risk to large/medium government and business entities; Ivanti products are widely deployed in enterprise VPN and endpoint management.
Update Ivanti Secure Access Client to 22.8R6, Xtraction to 2026.2, vTM to 22.9r4, and EPM to 2024 SU6 immediately.
Apply patches promptly, enforce least privilege, segment networks, enable anti-exploitation features, and conduct vulnerability scanning.
Ivanti May 2026 Security Advisories covering Secure Access Client, Xtraction, Virtual Traffic Manager, and Endpoint Manager. CVEs: CVE-2026-7431, CVE-2026-7432, CVE-2026-8043, CVE-2026-8051, CVE-2026-8109, CVE-2026-8110, CVE-2026-8111.
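To act on the fixed releases listed above, the following added example (written for this summary, not taken from Ivanti or the advisory) checks an asset inventory against them. The inventory row format, hostnames and installed versions are constructed, and treating the numeric fields of each version string as its release order is an assumption.

```python
import re

# Fixed releases exactly as listed in the advisory summary above.
FIXED = {
    "Secure Access Client": "22.8R6",
    "Xtraction": "2026.2",
    "Virtual Traffic Manager": "22.9r4",
    "Endpoint Manager": "2024 SU6",
}

def version_key(text):
    """Map '22.8R6', '22.9r4', '2026.2' or '2024 SU6' to a comparable tuple.

    Assumption (not from the advisory): numeric fields order releases
    left to right, so 22.8R5 < 22.8R6 and 2024 SU5 < 2024 SU6.
    """
    fields = re.findall(r"\d+", text)
    if not fields:
        raise ValueError(f"no version digits in {text!r}")
    return tuple(int(f) for f in fields)

def audit(inventory):
    """Classify (host, product, installed_version) rows against FIXED."""
    results = []
    for host, product, installed in inventory:
        fixed = FIXED.get(product)
        if fixed is None:
            status = "not-covered"      # product outside this advisory
        else:
            try:
                ok = version_key(installed) >= version_key(fixed)
                status = "patched" if ok else "needs-update"
            except ValueError:
                status = "unknown"      # unparseable: check by hand
        results.append((host, product, installed, status))
    return results

# Constructed sample inventory; hostnames and installed versions are made up.
SAMPLE = [
    ("vpn-lt-014", "Secure Access Client", "22.8R5"),
    ("vpn-lt-022", "Secure Access Client", "22.8R6"),
    ("rpt-01", "Xtraction", "2026.1"),
    ("lb-edge-02", "Virtual Traffic Manager", "22.9R4"),
    ("epm-core", "Endpoint Manager", "2024 SU5"),
    ("epm-dr", "Endpoint Manager", "n/a"),
]

if __name__ == "__main__":
    for host, product, installed, status in audit(SAMPLE):
        print(f"{status:13} {host:11} {product} {installed}")
```

Rows reported as `unknown` have a version string with no digits and need a manual check rather than being counted as patched.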