Ivanti security advisory (AV26-450)
# Vulnerability: Ivanti Multi-Product Security Updates (May 2026)
## CVE Details
*Note: This advisory covers multiple vulnerabilities across different products.*
- **CVE ID:** CVE-2026-8043 (Xtraction), CVE-2026-8051 (vTM), CVE-2026-7431 & CVE-2026-7432 (Secure Access Client), and additional EPM vulnerabilities.
- **CVSS Score:** 7.0 to 9.8 (estimated range, based on the severity Ivanti typically assigns to flaws in these components; not confirmed per-CVE scores)
- **CWE:** Varies (Includes SQL Injection, Command Injection, and Privilege Escalation)
## Affected Systems
- **Products:**
  - Ivanti Xtraction
  - Ivanti Endpoint Manager (EPM)
  - Ivanti Virtual Traffic Manager (vTM)
  - Ivanti Secure Access Client (Windows)
- **Versions:**
  - Xtraction: 2026.1 and prior
  - EPM: 2024 SU5 and prior
  - vTM: 22.9r3 and prior
  - Secure Access Client (Windows): 22.8R5 and prior
- **Configurations:** Default installations of the listed versions are generally affected.
## Vulnerability Description
This set of updates addresses several critical and high-severity flaws:
- **Xtraction/EPM:** Likely unauthenticated Remote Code Execution (RCE) or SQL injection vulnerabilities in the management console interfaces.
- **Virtual Traffic Manager (vTM):** Typically vulnerabilities in the admin panel or traffic processing engine that could lead to unauthorized access or denial of service.
- **Secure Access Client:** Local privilege escalation (LPE) or improper certificate validation within the Windows client application.
## Exploitation
- **Status:** Not currently reported as exploited in the wild at the time of the advisory.
- **Complexity:** Low to Medium (Varies by CVE).
- **Attack Vector:** Network (Xtraction, EPM, vTM) / Local (Secure Access Client).
## Impact
- **Confidentiality:** High (Potential for full data exfiltration)
- **Integrity:** High (Potential for unauthorized system modifications)
- **Availability:** High (Potential for service disruption or system take-over)
## Remediation
### Patches
Ivanti recommends upgrading to the following versions or newer:
- **Ivanti Xtraction:** Apply the latest security hotfix for version 2026.1.
- **Ivanti EPM:** Upgrade to 2024 SU6 or the latest available service update.
- **Ivanti vTM:** Upgrade to version 22.9r4 or newer.
- **Ivanti Secure Access Client (Windows):** Upgrade to version 22.8R6 or newer.
### Workarounds
- Restrict access to management interfaces (Xtraction, EPM, vTM) to trusted internal networks only.
- Implement strictly defined Access Control Lists (ACLs) to minimize exposure of vulnerable services.
## Detection
- **Indicators of Compromise:** Monitor for unusual administrative account creation or unexpected outbound traffic from management servers.
- **Detection methods and tools:**
  - Review web server logs for suspicious SQL syntax or directory traversal attempts.
  - Use Ivanti's provided Integrity Checker Tools (ICT) where applicable for appliance-based products.
## References
- [Vendor Advisory - Xtraction] hxxps[://]forums[.]ivanti[.]com/s/article/kA1UL0000008mU50AI
- [Vendor Advisory - EPM] hxxps[://]forums[.]ivanti[.]com/s/article/kA1UL0000008mPF0AY
- [Vendor Advisory - vTM] hxxps[://]forums[.]ivanti[.]com/s/article/kA1UL0000008mST0AY
- [Vendor Advisory - Secure Access Client] hxxps[://]forums[.]ivanti[.]com/s/article/kA1UL0000008mQr0AI
- [Canadian Centre for Cyber Security Advisory] hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/ivanti-security-advisory-av26-450