Ivanti Patches Critical Vulnerabilities in Secure Access &

Marcus Rodriguez
May 12, 2026 3 Min Read

Ivanti has released its May 2026 Patch Tuesday security updates, disclosing vulnerabilities across four products. Significantly, the company also revealed that artificial intelligence tools are already aiding its engineers in uncovering flaws that traditional scanners often miss. This AI-driven discovery, Ivanti cautioned, is expected to accelerate future disclosure volumes.

Table of Contents

  • Ivanti Patches Multiple Vulnerabilities
  • Ivanti Secure Access Client
  • CVE-2026-7431 — Sensitive Log Data Exposure
  • CVE-2026-7432 Local Privilege Escalation to SYSTEM
  • Ivanti Xtraction
  • CVE-2026-8043 — Path Traversal & Arbitrary File Write
  • Ivanti Virtual Traffic Manager (vTM)
  • CVE-2026-8051 — OS Command Injection
  • Ivanti Endpoint Manager
  • CVE-2026-8109 — Credential Leakage
  • CVE-2026-8110 — Agent Privilege Escalation
  • CVE-2026-8111 — SQL Injection Leading to RCE

Ivanti Patches Multiple Vulnerabilities

The company addressed vulnerabilities in four distinct products on May 13, 2026:

  • Ivanti Secure Access Client — CVE-2026-7431 and CVE-2026-7432
  • Ivanti Xtraction — CVE-2026-8043
  • Ivanti Virtual Traffic Manager (vTM) — CVE-2026-8051
  • Ivanti Endpoint Manager (EPM) — CVE-2026-8109, CVE-2026-8110, CVE-2026-8111

Ivanti confirmed that none of these vulnerabilities have been exploited in the wild and that they do not affect any other Ivanti solutions.

Ivanti Secure Access Client

CVE-2026-7431 — Sensitive Log Data Exposure

A flaw in Ivanti Secure Access Client before 22.8R6 stems from incorrect permission assignment (CWE-732) on a shared memory section.

A local authenticated attacker can read or modify sensitive log data. The attack is local-only and requires no user interaction, limiting its blast radius but posing a real risk in multi-user or shared endpoint environments.

CVE-2026-7432 Local Privilege Escalation to SYSTEM

A race condition (CWE-362) in Ivanti Secure Access Client before 22.8R6 lets a locally authenticated attacker win a timing window to escalate privileges to SYSTEM.

With full confidentiality, integrity, and availability impact, this is a classic LPE flaw that threat actors frequently chain with initial access exploits to achieve full machine takeover.

Ivanti Xtraction

CVE-2026-8043 — Path Traversal & Arbitrary File Write

The most severe vulnerability in this advisory batch affects Ivanti Xtraction before version 2026.2.

The flaw is classified under CWE-22 (Path Traversal) and CWE-73 (External Control of File Name). A remote authenticated attacker can read sensitive server-side files and write arbitrary HTML to the web directory, enabling stored cross-site scripting or web shell staging.

Ivanti Virtual Traffic Manager (vTM)

CVE-2026-8051 — OS Command Injection

An OS command injection flaw (CWE-78) affects the admin interface of Ivanti Virtual Traffic Manager before 22.9r4.

A remote attacker with admin credentials can inject OS-level commands to achieve full remote code execution on the appliance.

While admin privileges are required (PR:H), vTM sits at a critical network chokepoint, making compromise of this device catastrophic for traffic routing and inspection.

Ivanti Endpoint Manager

CVE-2026-8109 — Credential Leakage

An exposed dangerous method (CWE-749) on the Ivanti Endpoint Manager Core Server before 2024 SU6 allows a remote authenticated attacker to exfiltrate access credentials from the server.

With a high confidentiality impact and no integrity or availability effect, this is a credential harvesting vector that could enable lateral movement or privilege escalation across managed endpoints.

CVE-2026-8110 — Agent Privilege Escalation

Incorrect permissions assignment (CWE-732) in the Ivanti EPM agent before 2024 SU6 allows a local authenticated attacker to escalate privileges on the endpoint.

Mirroring CVE-2026-7432 in attack pattern, this flaw is particularly dangerous in enterprise environments where EPM agents are deployed broadly across thousands of managed devices.

CVE-2026-8111 — SQL Injection Leading to RCE

A SQL injection vulnerability (CWE-89) in the Ivanti EPM web console before 2024 SU6 allows any remote authenticated attacker to achieve remote code execution — no admin rights required (PR:L).

This is the most dangerous network-facing EPM flaw in the batch; SQL injection-to-RCE chains in web consoles are well-documented, easy to weaponize, and frequently targeted by ransomware operators and nation-state actors alike.

Ivanti disclosed that its security team has integrated multiple large language models (LLMs) into its Engineering and Product Security Red Team workflows in recent months.

According to the company, these AI tools are proving effective at identifying vulnerability classes that traditional static and dynamic analysis tools, SAST and DAST, routinely miss.

Ivanti confirmed that several of the vulnerabilities disclosed today were discovered directly through AI-assisted review rather than conventional tooling.

The company acknowledged a pointed reality facing the entire industry: AI is compressing the time-to-exploit. Threat actors are leveraging automation and machine learning to weaponize newly disclosed flaws faster than ever before.

Ivanti’s answer is to use the same technology category offensively within its own red teams, finding and fixing issues before attackers can weaponize them.

Security teams running any of the four affected products should prioritize patching immediately, even in the absence of active exploitation.

Given Ivanti’s history as a high-value target for nation-state and ransomware threat actors, unpatched instances carry outsized risk.
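
To turn the fixed versions listed above into a patch queue, the following added example (not Ivanti's tooling and not part of the original article) compares an asset inventory against the article's version thresholds. The inventory rows, the product-name keys and the assumption that installed versions are reported in the same form as the strings quoted in the article are all illustrative.

```python
import re

# Fixed versions and CVE IDs exactly as listed in the article.
FIXED = {
    "Ivanti Secure Access Client": ("22.8R6", ["CVE-2026-7431", "CVE-2026-7432"]),
    "Ivanti Xtraction": ("2026.2", ["CVE-2026-8043"]),
    "Ivanti Virtual Traffic Manager": ("22.9r4", ["CVE-2026-8051"]),
    "Ivanti Endpoint Manager": (
        "2024 SU6", ["CVE-2026-8109", "CVE-2026-8110", "CVE-2026-8111"]),
}

def version_key(text):
    """Map '22.8R6', '22.9r4', '2024 SU6' or '2026.2' to a comparable tuple.
    Assumption: dotted numbers, optionally followed by an R<n> or SU<n> suffix."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*(?:(?:R|SU)\s*(\d+))?\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def triage(inventory):
    """Return (host, product, version, status, cves) rows, unpatched first."""
    rows = []
    for host, product, version in inventory:
        if product not in FIXED:
            continue  # not covered by this advisory batch
        fixed, cves = FIXED[product]
        try:
            status = "PATCH" if version_key(version) < version_key(fixed) else "ok"
        except ValueError:
            status = "REVIEW"  # unparseable: check by hand, never assume patched
        rows.append((host, product, version, status, [] if status == "ok" else cves))
    order = {"PATCH": 0, "REVIEW": 1, "ok": 2}
    return sorted(rows, key=lambda row: order[row[3]])

# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE = [
    ("vpn-laptop-017", "Ivanti Secure Access Client", "22.8R5"),
    ("vpn-laptop-042", "Ivanti Secure Access Client", "22.8R6"),
    ("report-01", "Ivanti Xtraction", "2026.1"),
    ("lb-edge-02", "Ivanti Virtual Traffic Manager", "22.9r4"),
    ("epm-core-01", "Ivanti Endpoint Manager", "2024 SU5"),
    ("epm-core-02", "Ivanti Endpoint Manager", "unknown"),
]

if __name__ == "__main__":
    for host, product, version, status, cves in triage(SAMPLE):
        print(f"{status:6} {host:15} {product} {version} {', '.join(cves)}")
```

Hosts whose version cannot be parsed are flagged REVIEW rather than treated as patched, so a malformed inventory entry cannot hide an exposed system.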
