Ivanti Patches RCE and Privilege Escalation Flaws in Secure Access Client and vTM
Ivanti released security updates for two enterprise products, fixing multiple vulnerabilities in Ivanti Secure Access Client for Windows and Ivanti Virtual Traffic Manager (vTM). In Secure Access Client, version 22.8R6 addresses CVE-2026-7431, an incorrect permissions issue that could let a local authenticated user read or modify sensitive log data; CVE-2026-7432, a race condition that could allow local privilege escalation to SYSTEM; and **CVE-2026-8992, an improper certificate validation flaw that could enable remote unauthenticated code execution. Ivanti said affected Secure Access Client versions are 22.8R5and earlier and advised customers to upgrade to22.8R6`.
Ivanti also patched CVE-2026-8051 in Ivanti Virtual Traffic Manager, a high-severity CWE-78 OS command injection vulnerability with a CVSS score of 7.2 that could allow a remote authenticated administrator to achieve remote code execution. The flaw affects vTM 22.9r3 and earlier and is fixed in 22.9r4. Ivanti said it was not aware of customer exploitation of any of the disclosed issues before publication and said the vulnerabilities were reported through its responsible disclosure program, crediting William Söderberg of Reversec for the vTM finding.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Ivanti patches Ivanti Virtual Traffic Manager flaw CVE-2026-8051
Ivanti disclosed CVE-2026-8051, a high-severity OS command injection vulnerability in Ivanti Virtual Traffic Manager 22.9r3 and earlier that could allow an authenticated administrator to achieve remote code execution. The company released version 22.9r4 as the fix and said it had no evidence of exploitation prior to public disclosure.
Ivanti releases Secure Access Client 22.8R6 to fix three vulnerabilities
Ivanti disclosed three vulnerabilities affecting Ivanti Secure Access Client for Windows 22.8R5 and earlier and released version 22.8R6 to remediate them. The issues include CVE-2026-7431, CVE-2026-7432, and CVE-2026-8992, with Ivanti stating it was not aware of customer exploitation before disclosure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
May 2026 Security Advisory Ivanti Secure Access Client (CVE-2026-7431, CVE-2026-7432)
forums.ivanti.com
Open sourceMay 2026 Security Advisory Ivanti Secure Access Client (CVE-2026-7431, CVE-2026-7432)
hub.ivanti.com
Open sourceMay 2026 Security Advisory Ivanti Virtual Traffic Manager (vTM) (CVE-2026-8051)
forums.ivanti.com
Open sourceMay 2026 Security Advisory Ivanti Virtual Traffic Manager (vTM) (CVE-2026-8051)
hub.ivanti.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ivanti Patches Multiple Flaws in Endpoint Manager, Xtraction, vTM and Secure Access
Ivanti released security updates for multiple products, including **Endpoint Manager (EPM)**, **Xtraction**, **Virtual Traffic Manager (vTM)**, and **Secure Access Client for Windows**, prompting government cyber agencies in Canada and Belgium to urge immediate patching. The advisories cover several vulnerabilities, including `CVE-2026-8043` in Xtraction, `CVE-2026-8051` in vTM, `CVE-2026-7431` and `CVE-2026-7432` in Secure Access Client, and multiple issues in EPM. Reported impacts across the product set include local privilege escalation, sensitive data exposure, path traversal with arbitrary file write, OS command injection, credential leakage, and SQL injection that could lead to remote code execution.
May 14, 2026
Ivanti patches multiple Connect Secure and ZTA flaws enabling DoS and file read
Ivanti released security updates for **Ivanti Connect Secure**, **Policy Secure**, **ZTA Gateway**, and **Neurons for Secure Access** to fix four vulnerabilities, including two high-severity remote unauthenticated denial-of-service flaws tracked as `CVE-2025-5456` and `CVE-2025-5462`. The bugs stem from memory-safety weaknesses including a buffer over-read and a heap-based buffer overflow that can be triggered through crafted network input, potentially crashing appliances that provide VPN, zero-trust, and access-control services. Ivanti said cloud instances of Neurons for Secure Access were remediated by **August 2, 2025**, while on-premises customers must apply the fixed releases. The same advisory also addressed `CVE-2025-5466`, an authenticated administrator **XXE** issue that can cause denial of service, and `CVE-2025-5468`, a symbolic link handling flaw that could let a local authenticated attacker read arbitrary files. Ivanti said it had no evidence of customer exploitation before disclosure and that the issues were found through internal assessments and responsible disclosure, but the breadth of affected products increases operational risk for enterprises relying on Ivanti remote access infrastructure. The company also noted that **Pulse Connect Secure 9.x** no longer receives backported fixes because it has reached end of support.
Jun 12, 2026
Ivanti and ConnectWise Patch Actively Exploited and Critical Enterprise Management Flaws
Ivanti released fixes for a newly disclosed high-severity flaw in its on-premises Endpoint Manager Mobile (**EPMM**) platform, tracked as `CVE-2026-6973`, after confirming limited zero-day exploitation. The vulnerability is caused by improper input validation and can lead to arbitrary code execution when a remote attacker already has administrator-level access. Ivanti said the issue affects EPMM `12.8.0.0` and earlier and issued patched versions `12.6.1.1`, `12.7.0.1`, and `12.8.0.1`, while urging customers to review privileged accounts and rotate credentials. The disclosure adds to a longer pattern of Ivanti security incidents: CISA previously warned that `CVE-2023-35082`, a critical authentication bypass flaw in Ivanti EPMM and MobileIron Core, was being actively exploited to gain unauthenticated API access, expose user data, and potentially backdoor servers when chained with other vulnerabilities. ConnectWise also disclosed a critical vulnerability in **ConnectWise Automate**, tracked as `CVE-2026-9089`, affecting versions prior to `2026.5`. The flaw, classified as `CWE-494`, stems from insufficient integrity verification during plugin loading and self-update operations and could allow malicious code execution on client machines during agent updates under specific network conditions. ConnectWise assigned the issue a CVSS score of **8.8**, automatically updated cloud deployments, and instructed on-premises customers to manually upgrade to version `2026.5`; Canada’s Cyber Centre separately urged administrators to apply the vendor update. The disclosures highlight continued risk across widely deployed enterprise management platforms, with internet exposure data showing hundreds of Ivanti EPMM systems and broad operational dependence on remote monitoring and mobile device management software.
May 25, 2026