Ivanti Patches Multiple Flaws in Endpoint Manager, Xtraction, vTM and Secure Access
Ivanti released security updates for multiple products, including Endpoint Manager (EPM), Xtraction, Virtual Traffic Manager (vTM), and Secure Access Client for Windows, prompting government cyber agencies in Canada and Belgium to urge immediate patching. The advisories cover several vulnerabilities, including CVE-2026-8043 in Xtraction, CVE-2026-8051 in vTM, CVE-2026-7431 and CVE-2026-7432 in Secure Access Client, and multiple issues in EPM. Reported impacts across the product set include local privilege escalation, sensitive data exposure, path traversal with arbitrary file write, OS command injection, credential leakage, and SQL injection that could lead to remote code execution.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Belgium CCB issues patch-now warning on Ivanti vulnerabilities
Belgium's Centre for Cybersecurity published a warning that Ivanti had released security updates for several affected products and urged immediate patching. The notice reinforced the urgency of applying Ivanti's May 2026 fixes.
dCERT warns about multiple Ivanti Endpoint Manager vulnerabilities
Germany's dCERT published advisory 2026-1472 warning about multiple vulnerabilities affecting Ivanti Endpoint Manager. The advisory followed Ivanti's May 2026 disclosures and patch release.
Canadian Centre for Cyber Security urges Ivanti customers to patch
The Canadian Centre for Cyber Security issued advisory AV26-450 highlighting Ivanti's May 12 security advisories and urging administrators to review them and apply updates. The notice specifically referenced affected Ivanti Xtraction, Endpoint Manager, Virtual Traffic Manager, and Secure Access Client products.
ZDI publishes advisory for Ivanti EPM credential disclosure flaw
Zero Day Initiative published advisory ZDI-26-308 for CVE-2026-8109, describing an information disclosure issue in Ivanti Endpoint Manager's RemoteControlAuth module. The advisory said remote attackers could disclose sensitive information, including stored credentials, and noted Ivanti had already released an update.
CVE-2026-8043 is publicly recorded for Ivanti Xtraction
CVE-2026-8043 was recorded publicly as an Ivanti Xtraction vulnerability affecting versions before 2026.2. The flaw allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files into a web directory, creating information disclosure and possible client-side attack risks.
Ivanti releases May 2026 security advisories and patches
Ivanti published May 2026 security advisories and updates for multiple products, including Endpoint Manager, Xtraction, Virtual Traffic Manager, and Secure Access Client for Windows. The advisories covered vulnerabilities such as CVE-2026-8043, CVE-2026-8051, CVE-2026-7431, CVE-2026-7432, and CVE-2026-8109, and Ivanti said none had been exploited in the wild.
ZDI privately reports Ivanti Endpoint Manager flaw to vendor
According to ZDI's coordinated disclosure timeline, a vulnerability in Ivanti Endpoint Manager's RemoteControlAuth module was reported to Ivanti. The flaw was later assigned CVE-2026-8109 and could expose sensitive information, including stored credentials, due to an authentication bypass condition.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Warning: Ivanti has released security updates to address vulnerabilities affecting several of its products, Patch Immediately! | CCB Belgium
ccb.belgium.be
Open sourcedCERT - Advisory 2026-1472 - Ivanti Endpoint Manager: Multiple Vulnerabilities
dcert.de
Open sourceIvanti Patches Multiple Vulnerabilities in Secure Access, Xtraction, vTM and Endpoint Manager
cybersecuritynews.com
Open sourceIvanti security advisory (AV26-450) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceSecurity Advisory Ivanti Endpoint Manager (EPM) May 2026
hub.ivanti.com
Open sourceZDI-26-308 | Zero Day Initiative
zerodayinitiative.com
Open sourceCVE-2026-8043 - Ivanti Xtraction File Name Manipulation Vulnerability
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ivanti Patches RCE and Privilege Escalation Flaws in Secure Access Client and vTM
Ivanti released security updates for two enterprise products, fixing multiple vulnerabilities in **Ivanti Secure Access Client for Windows** and **Ivanti Virtual Traffic Manager (vTM)**. In Secure Access Client, version `22.8R6` addresses **CVE-2026-7431**, an incorrect permissions issue that could let a local authenticated user read or modify sensitive log data; **CVE-2026-7432**, a race condition that could allow local privilege escalation to `SYSTEM`; and **CVE-2026-8992`, an improper certificate validation flaw that could enable remote unauthenticated code execution. Ivanti said affected Secure Access Client versions are `22.8R5` and earlier and advised customers to upgrade to `22.8R6`. Ivanti also patched **CVE-2026-8051** in **Ivanti Virtual Traffic Manager**, a high-severity `CWE-78` OS command injection vulnerability with a CVSS score of `7.2` that could allow a remote authenticated administrator to achieve remote code execution. The flaw affects vTM `22.9r3` and earlier and is fixed in `22.9r4`. Ivanti said it was not aware of customer exploitation of any of the disclosed issues before publication and said the vulnerabilities were reported through its responsible disclosure program, crediting William Söderberg of Reversec for the vTM finding.
Jun 21, 2026
Ivanti and ConnectWise Patch Actively Exploited and Critical Enterprise Management Flaws
Ivanti released fixes for a newly disclosed high-severity flaw in its on-premises Endpoint Manager Mobile (**EPMM**) platform, tracked as `CVE-2026-6973`, after confirming limited zero-day exploitation. The vulnerability is caused by improper input validation and can lead to arbitrary code execution when a remote attacker already has administrator-level access. Ivanti said the issue affects EPMM `12.8.0.0` and earlier and issued patched versions `12.6.1.1`, `12.7.0.1`, and `12.8.0.1`, while urging customers to review privileged accounts and rotate credentials. The disclosure adds to a longer pattern of Ivanti security incidents: CISA previously warned that `CVE-2023-35082`, a critical authentication bypass flaw in Ivanti EPMM and MobileIron Core, was being actively exploited to gain unauthenticated API access, expose user data, and potentially backdoor servers when chained with other vulnerabilities. ConnectWise also disclosed a critical vulnerability in **ConnectWise Automate**, tracked as `CVE-2026-9089`, affecting versions prior to `2026.5`. The flaw, classified as `CWE-494`, stems from insufficient integrity verification during plugin loading and self-update operations and could allow malicious code execution on client machines during agent updates under specific network conditions. ConnectWise assigned the issue a CVSS score of **8.8**, automatically updated cloud deployments, and instructed on-premises customers to manually upgrade to version `2026.5`; Canada’s Cyber Centre separately urged administrators to apply the vendor update. The disclosures highlight continued risk across widely deployed enterprise management platforms, with internet exposure data showing hundreds of Ivanti EPMM systems and broad operational dependence on remote monitoring and mobile device management software.
May 25, 2026
Ivanti Endpoint Manager Authentication Bypass and SQL Injection Vulnerabilities
Ivanti released security updates for *Endpoint Manager (EPM)* to fix two vulnerabilities affecting **EPM 2024 SU4 SR1 and earlier**: **CVE-2026-1603** (CVSS 8.6) and **CVE-2026-1602** (CVSS 6.5). CVE-2026-1603 is an **authentication bypass** that can be exploited by a **remote, unauthenticated** attacker to access/leak specific **stored credential data**, creating a high-risk path to credential exposure and follow-on compromise in environments where EPM operates with elevated privileges across endpoints. CVE-2026-1602 is a **SQL injection** issue that requires **authentication** and can allow a remote authenticated attacker to **read arbitrary data from the EPM database**, driving confidentiality risk (data leakage) rather than integrity/availability impact. The fixed release is **EPM 2024 SU5**, and the update also addresses **11 medium-severity vulnerabilities** previously disclosed in October 2025; organizations running affected versions were advised to patch immediately due to the platform’s central role in enterprise endpoint administration.
Mar 21, 2026