Ivanti has released its May 2026 security updates, addressing security vulnerabilities across its popular products. The list of vulnerabilities and impacted products includes:
- Ivanti Xtraction — CVE-2026-8043
- Ivanti Virtual Traffic Manager (vTM) — CVE-2026-8051
- Ivanti Secure Access Client — CVE-2026-7431 and CVE-2026-7432
- Ivanti Endpoint Manager (EPM) — CVE-2026-8109, CVE-2026-8110, CVE-2026-811
CVE-2026-8043: Ivanti Xtraction Path Traversal & Arbitrary File Write Vulnerability
External control of a file name in Ivanti Xtraction may allow a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory. Successful exploitation of the vulnerability may result in information disclosure and potential client-side attacks.
CVE-2026-8051: Ivanti Virtual Traffic Manager (vTM) OS Command Injection Vulnerability
OS command injection vulnerability in Ivanti Virtual Traffic Manager could allow a remote authenticated attacker to achieve remote code execution. An attacker must have admin privileges to exploit the vulnerability.
CVE-2026-7431: Ivanti Secure Access Client Sensitive Log Data Exposure Vulnerability
An incorrect permission assignment for the critical Ivanti Secure Access Client resource could allow a local, authenticated user to read or modify sensitive log data by granting write access to a shared memory section.
CVE-2026-7432: Ivanti Secure Access Client Local Privilege Escalation Vulnerability
A race condition flaw in Ivanti Secure Access Client could allow a locally authenticated user to escalate privileges to SYSTEM.
CVE-2026-8109: Ivanti Endpoint Manager Credential Leakage Vulnerability
An exposed, dangerous method on the Core Server of Ivanti Endpoint Manager could allow a remote authenticated attacker to leak access credentials.
CVE-2026-8110: Ivanti Endpoint Manager Agent Privilege Escalation Vulnerability
Incorrect permissions assignment in the Ivanti Endpoint Manager agent may allow a local, authenticated attacker to escalate their privileges.
CVE-2026-8111: Ivanti Endpoint Manager SQL Injection Vulnerability
An SQL injection vulnerability in the web console of Ivanti Endpoint Manager could allow a remote authenticated attacker to achieve remote code execution.
Affected Versions
CVE-2026-8109, CVE-2026-8110, and CVE-2026-811:
Ivanti Endpoint Manager (EPM) versions 2024 SU5 and prior.
CVE-2026-8043:
Ivanti Xtraction versions 2026.1 and prior.
CVE-2026-7431 and CVE-2026-7432:
Ivanti Secure Access Client (Windows) versions 22.8R5 and prior.
CVE-2026-8051:
Ivanti Virtual Traffic Manager (vTM) versions 22.9r3 and prior.
Mitigation
CVE-2026-8109, CVE-2026-8110, and CVE-2026-811:
Ivanti Endpoint Manager (EPM) version 2024 SU6.
CVE-2026-8043:
Ivanti Xtraction version 2026.2.
CVE-2026-7431 and CVE-2026-7432:
Ivanti Secure Access Client (Windows) version 22.8R6.
CVE-2026-8051:
Ivanti Virtual Traffic Manager (vTM) version 22.9r4.
Qualys Detection
Qualys customers can scan their devices with QIDs 387376 and 387320 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://hub.ivanti.com/s/article/Security-Advisory—Ivanti-Xtraction-CVE-2026-8043?language=en_US
https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-May-2026?language=en_US
https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2026-8051?language=en_US
https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Secure-Access-Client-CVE-2026-7431-CVE-2026-7432?language=en_US
