Ivanti patches seven vulnerabilities across Secure Access, Xtraction, vTM, and Endpoint Manager


Ivanti has released its May 2026 security updates, fixing seven vulnerabilities across four enterprise products: Ivanti Secure Access Client, Ivanti Xtraction, Ivanti Virtual Traffic Manager, and Ivanti Endpoint Manager.

The most serious flaw is CVE-2026-8043, a Critical Ivanti Xtraction vulnerability that could allow a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory.

Ivanti says it has no evidence that any of the vulnerabilities were exploited in the wild when the advisories were published. The company also says the flaws do not affect other Ivanti products.

Ivanti May 2026 security update at a glance

| Product | CVE | Severity | Main impact | Fixed version |
| --- | --- | --- | --- | --- |
| Ivanti Secure Access Client | CVE-2026-7431 | Medium | Read or modify sensitive log data | 22.8R6 or later |
| Ivanti Secure Access Client | CVE-2026-7432 | High | Local privilege escalation to SYSTEM | 22.8R6 or later |
| Ivanti Xtraction | CVE-2026-8043 | Critical | File read and arbitrary HTML write | 2026.2 or later |
| Ivanti Virtual Traffic Manager | CVE-2026-8051 | High | Remote code execution with admin access | 22.9r4 or later |
| Ivanti Endpoint Manager | CVE-2026-8109 | Medium | Credential leakage | 2024 SU6 or later |
| Ivanti Endpoint Manager | CVE-2026-8110 | High | Local privilege escalation | 2024 SU6 or later |
| Ivanti Endpoint Manager | CVE-2026-8111 | High | Remote code execution through SQL injection | 2024 SU6 or later |

Critical Ivanti Xtraction flaw leads the update

CVE-2026-8043 is the highest-risk issue in this release. It affects Ivanti Xtraction before version 2026.2 and carries a Critical severity rating.

The flaw involves external control of a file name or path. A remote authenticated attacker could exploit it to read sensitive files from the server and write arbitrary HTML files to a web directory.

That combination creates two risks. The file read impact can expose sensitive server-side data, while the HTML write impact can enable client-side attacks against users who visit the affected web directory.

Secure Access Client gets two local fixes

Ivanti Secure Access Client received fixes for two vulnerabilities affecting versions before 22.8R6. Both require local authenticated access, which limits remote exposure but still matters on shared or compromised endpoints.

CVE-2026-7431 is an incorrect permission assignment flaw that allows a local authenticated user to read or modify sensitive log data through write access to a shared memory section.

CVE-2026-7432 is more serious. It is a race condition that allows a local authenticated user to escalate privileges to SYSTEM, giving attackers a path to full control after gaining basic access to a device.

Ivanti vTM command injection requires admin access

Ivanti also patched CVE-2026-8051 in Virtual Traffic Manager. The issue affects vTM before version 22.9r4.

The vulnerability is an OS command injection flaw. Ivanti says a remote authenticated attacker with admin privileges could exploit it to achieve remote code execution.

The admin requirement reduces the chance of broad exploitation. Still, vTM appliances often sit in important traffic paths, so compromise can create serious operational and security risk.

Endpoint Manager flaws include credential leakage and RCE

Ivanti Endpoint Manager received fixes for three vulnerabilities affecting versions before 2024 SU6. These issues affect the Core Server, the EPM agent, and the web console.

CVE-2026-8109 allows a remote authenticated attacker to leak access credentials from the Core Server. That creates a lateral movement risk because exposed credentials can help attackers reach other systems.

CVE-2026-8110 allows a local authenticated attacker to escalate privileges through incorrect permissions in the EPM agent. CVE-2026-8111 is a SQL injection flaw in the EPM web console that allows a remote authenticated attacker to achieve remote code execution.

Ivanti says AI helped find some issues

Ivanti also used the May update to explain how it is using large language models in product security work. The company says its engineering and product security red teams have started using multiple LLMs to find vulnerabilities.

According to Ivanti, this approach has helped identify issues that traditional SAST and DAST tools missed, including some of the flaws disclosed in this release.

The company also expects vulnerability disclosure volume to increase as these AI-assisted review systems become more common. Ivanti says human reviewers still verify automated or agentic findings before disclosure.

What administrators should patch first

  • Prioritize Ivanti Xtraction because CVE-2026-8043 is Critical and affects a web-facing enterprise reporting product.
  • Patch Ivanti Endpoint Manager web console systems because CVE-2026-8111 can lead to remote code execution.
  • Update Ivanti Virtual Traffic Manager if admin access could be exposed or shared across multiple operators.
  • Update Secure Access Client deployments to 22.8R6 or later to remove local privilege and log data exposure risks.
  • Review Endpoint Manager credentials and server logs after patching, especially if unusual activity appeared before the update.
  • Restrict admin panels and web consoles to trusted networks and known administrator accounts.
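
A version check for the products in this update, as an added example (not Ivanti's or the article's code): it compares an inventory against the fixed versions from the table and returns what to patch in the order listed above. The inventory hosts are constructed, and comparing versions by their numeric fields is an assumption about how these version strings order.

```python
import re

# Fixed versions and CVEs from the article's table, in the article's patch order.
FIXED = {
    "Ivanti Xtraction": ("2026.2", ["CVE-2026-8043"]),
    "Ivanti Endpoint Manager": ("2024 SU6", ["CVE-2026-8109", "CVE-2026-8110", "CVE-2026-8111"]),
    "Ivanti Virtual Traffic Manager": ("22.9r4", ["CVE-2026-8051"]),
    "Ivanti Secure Access Client": ("22.8R6", ["CVE-2026-7431", "CVE-2026-7432"]),
}
PRIORITY = list(FIXED)

# Constructed sample inventory: (host, product, installed version).
SAMPLE_INVENTORY = [
    ("laptop-220", "Ivanti Secure Access Client", "22.7R4"),
    ("laptop-114", "Ivanti Secure Access Client", "22.8R6"),
    ("laptop-301", "Ivanti Secure Access Client", "unknown"),
    ("vtm-edge-01", "Ivanti Virtual Traffic Manager", "22.9r3"),
    ("epm-core-01", "Ivanti Endpoint Manager", "2024 SU5"),
    ("epm-core-02", "Ivanti Endpoint Manager", "2024 SU6"),
    ("rpt-01", "Ivanti Xtraction", "2026.1"),
]

def version_key(version):
    """Assumption: the numeric fields, left to right, decide ordering
    ("22.8R6" -> (22, 8, 6), "2024 SU6" -> (2024, 6))."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def triage(inventory):
    """Return hosts that need patching or manual review, highest priority first."""
    findings = []
    for host, product, installed in inventory:
        if product not in FIXED:
            continue
        fixed, cves = FIXED[product]
        key = version_key(installed)
        if not key:
            status = "review"  # version unreadable: do not assume it is patched
        elif key < version_key(fixed):
            status = "patch"
        else:
            continue  # at or above the fixed version
        findings.append({"host": host, "product": product, "installed": installed,
                         "fixed": fixed, "cves": cves, "status": status})
    findings.sort(key=lambda f: (PRIORITY.index(f["product"]), f["host"]))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['status']:6} {f['host']:12} {f['product']} {f['installed']} -> {f['fixed']}")
```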

Why this update matters for enterprise networks

Ivanti products often manage access, traffic routing, endpoint control, reporting, and enterprise operations. That makes these flaws important even when exploitation requires authentication.

Attackers often chain authenticated bugs with stolen credentials, phishing, password reuse, or earlier footholds. A vulnerability that looks limited on paper can become dangerous once an attacker already has low-level access.

Organizations should apply the updates through normal emergency or high-priority maintenance processes, then confirm that exposed consoles and management interfaces do not remain reachable from unnecessary networks.

FAQ

How many vulnerabilities did Ivanti fix in May 2026?

Ivanti fixed seven vulnerabilities across Secure Access Client, Xtraction, Virtual Traffic Manager, and Endpoint Manager.

What is the most serious Ivanti vulnerability in this update?

CVE-2026-8043 is the most serious issue. It affects Ivanti Xtraction before version 2026.2 and has a Critical severity rating.

Which Ivanti Endpoint Manager version fixes the May 2026 flaws?

Ivanti Endpoint Manager 2024 SU6 fixes CVE-2026-8109, CVE-2026-8110, and CVE-2026-8111.

Were these Ivanti vulnerabilities exploited in attacks?

Ivanti says it has no evidence that the vulnerabilities were exploited in the wild at disclosure time.
