Ivanti Releases May 2026 Security Updates: Seven CVEs and a Critical SQLi-to-RCE Vulnerability
On May 13, 2026, Ivanti patched seven security flaws across four enterprise products, including a critical SQL injection-to-RCE in its Endpoint Manager (EPM).…

Ivanti released security updates on May 13, 2026, for four enterprise-grade products—Secure Access Client, Virtual Traffic Manager, Xtraction, and Endpoint Manager—addressing a total of seven vulnerabilities. The bulletin is headlined by a SQL injection in the Endpoint Manager (EPM) web console that can lead to remote code execution (RCE) without administrative privileges, and a dangerous method exposure in the Core Server that could allow credential exfiltration. These patches come as Ivanti integrates Large Language Models (LLMs) into its internal red team workflows to discover flaws before independent researchers do, yet the frequency of critical security disclosures remains high.
The affected products represent a critical security perimeter for large organizations: EPM manages the entire device fleet, while Secure Access Client and Virtual Traffic Manager (vTM) control remote access and traffic balancing. Ivanti's recurring presence in CISA’s KEV catalog (for previous vulnerabilities) and the historical targeting of its software by ransomware and APT groups make timely patching a non-negotiable priority for security teams.
- CVE-2026-8111 is a SQL injection (CWE-89) in the EPM web console that allows an authenticated remote attacker with low privileges to achieve RCE.
- CVE-2026-8109, an exposed dangerous method (CWE-749) in the EPM Core Server, enables credential exfiltration; independent analyses suggest that the required authentication might be bypassable.
- The bulletin also covers Secure Access Client, Virtual Traffic Manager, and Xtraction, totaling seven CVEs disclosed on May 13, 2026.
- Ivanti stated that none of these flaws have been exploited in the wild and that some were discovered via AI-assisted security reviews.
SQL Injection to RCE in the EPM Web Console
The CVE-2026-8111 vulnerability resides within the Ivanti Endpoint Manager web console and is classified as a SQL injection (CWE-89). An authenticated remote attacker, even without administrative rights, can exploit this to execute arbitrary code on the server. The PR:L (Privileges Required: Low) designation indicates that standard user credentials are sufficient to trigger the chain leading to remote code execution. This scenario is particularly critical because the EPM console manages software distribution and corporate device policies; a compromise at this level effectively grants control over endpoint management infrastructure and facilitates lateral movement.
Because exploitation requires authentication but no elevated privileges, any account with console access can initiate the attack. While specific CVSS scores were not provided in the available sources, the criticality of the exposed component leaves no room for delay in remediation.
Credential Exfiltration and Potential Authentication Bypass
CVE-2026-8109 affects the EPM Core Server and is categorized as an exposed dangerous method (CWE-749). The defect allows an authenticated remote user to extract access credentials from the system. Although Ivanti maintains that exploitation requires authentication, independent technical analyses indicate the existing mechanism could be bypassed. This detail, while not officially verified by the vendor, significantly raises the threat level by lowering the barrier to sensitive data access. The exfiltration of administrative or service credentials would compromise trust across the entire management perimeter.
Ivanti did not provide detailed CVSS scores for each CVE in the consulted sources; therefore, risk assessment relies on qualitative descriptors and the sensitivity of the affected components. The combination of credential theft and a potential authentication bypass positions this flaw as a top priority for May's patching cycle.
Five Additional Flaws: From vTM to Xtraction
In addition to the three Endpoint Manager flaws (the third being a local privilege escalation in the EPM agent, CVE-2026-8110), the May 13 bulletin addresses three other products. The Secure Access Client update resolves two local issues: sensitive log exposure (CVE-2026-7431) and a privilege escalation (CVE-2026-7432), both affecting versions up to 22.8R6. The Virtual Traffic Manager update patches an OS command injection in the administrative interface (CVE-2026-8051) for releases prior to 22.9r4, while the Xtraction update fixes a path traversal vulnerability allowing arbitrary file writes (CVE-2026-8043) in versions before 2026.2.
According to official communications, none of these flaws affect other products in the Ivanti portfolio. Mitigation requires upgrading to EPM 2024 SU6, Secure Access Client 22.8R6, vTM 22.9r4, and Xtraction 2026.2. No information regarding independent verification of these patches was available at the time of reporting.
"Ivanti confirmed that none of these vulnerabilities have been exploited in the wild and that they do not affect any other Ivanti solutions."
The Role of AI in Vulnerability Discovery
Ivanti stated that several of the seven vulnerabilities identified in the May Patch Tuesday were found using security reviews assisted by Large Language Models (LLMs) integrated into their internal red team workflow. This approach is intended to identify flaws that traditional SAST and DAST tools might miss. While this methodological shift does not change the nature of the vulnerabilities themselves, it demonstrates the vendor’s move toward proactive discovery despite a consistently high volume of security corrections.
The integration of LLMs in red teaming follows a broader industry trend, though Ivanti has not yet provided comparative metrics on discovery rates versus conventional tools. The verifiable outcome remains seven closed CVEs in a single bulletin, some attributed to automated reviews. However, it remains to be seen if the use of LLMs will successfully reduce the lead time between the introduction of vulnerable code and the release of a patch.
Recommended Security Measures
- Update Ivanti Endpoint Manager to version 2024 SU6 or later immediately, as the three associated CVEs allow for RCE, credential theft, and local escalation.
- Apply patches for Secure Access Client 22.8R6, Virtual Traffic Manager 22.9r4, and Xtraction 2026.2 according to corporate patch management policies.
- Restrict EPM web console exposure to the internal network or via VPN to reduce the attack surface for vectors requiring authenticated remote access.
- Monitor EPM Core Server authentication logs and console database queries for anomalous access patterns or suspicious activity while updates are being finalized.
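A patch-compliance check against the fixed versions named in the measures above, added here as an example; it is not code from Ivanti or from the original article. It assumes the asset inventory reports versions in the same form the bulletin uses (such as "2024 SU6" or "22.8R6"); the hostnames and installed versions in the sample are constructed.

```python
import re

# Minimum fixed versions, taken from the remediation guidance in the article.
FIXED = {
    "Endpoint Manager": "2024 SU6",
    "Secure Access Client": "22.8R6",
    "Virtual Traffic Manager": "22.9r4",
    "Xtraction": "2026.2",
}

def version_key(version):
    """Map '2024 SU6', '22.8R6', '22.9r4' or '2026.2' to a comparable tuple.
    Assumes numeric fields are most-significant first; tuple comparison
    avoids the string-compare trap where 'SU10' sorts before 'SU6'."""
    fields = tuple(int(n) for n in re.findall(r"\d+", version))
    if not fields:
        raise ValueError(f"no numeric fields in version {version!r}")
    return fields

def is_patched(product, installed):
    """True when the installed version is at or above the fixed version."""
    return version_key(installed) >= version_key(FIXED[product])

def audit(inventory):
    """Classify (host, product, version) rows; odd rows are flagged, never dropped."""
    rows = []
    for host, product, installed in inventory:
        if product not in FIXED:
            status = "not-in-bulletin"
        else:
            try:
                status = "ok" if is_patched(product, installed) else "needs-update"
            except ValueError:
                status = "unparseable"
        rows.append((host, product, installed, status))
    return rows

# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE = [
    ("epm-core-01", "Endpoint Manager", "2024 SU5"),
    ("epm-core-02", "Endpoint Manager", "2024 SU10"),
    ("vpn-laptop-17", "Secure Access Client", "22.8R6"),
    ("vtm-edge-01", "Virtual Traffic Manager", "22.9r3"),
    ("rpt-01", "Xtraction", "unknown"),
]

if __name__ == "__main__":
    for host, product, installed, status in audit(SAMPLE):
        print(f"{host:15} {product:24} {installed:10} {status}")
```

Rows marked "unparseable" or "not-in-bulletin" need a manual look rather than being counted as compliant.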
The May bulletin sends a dual message: Ivanti is attempting to bridge the gap between discovery and remediation using AI, yet the presence of a classic SQL injection leading to RCE serves as a reminder that advanced tools do not replace the need for rigorous input validation in management consoles. For enterprises relying on EPM to secure their endpoint networks, patching remains the only metric that matters.
Frequently Asked Questions
Why is the EPM SQL injection classified as RCE if it requires authentication?
Vulnerability CVE-2026-8111 is exploitable by an authenticated remote user with low privileges (PR:L). The SQL injection in the web console allows for arbitrary code execution on the server without administrative rights, making it a viable vector for total platform compromise.
Does the authentication requirement for CVE-2026-8109 significantly reduce risk?
Not entirely. While Ivanti classifies the vulnerability as requiring authentication, independent technical reports suggest the current mechanism could be bypassed. This potential, unverified bypass makes the flaw more dangerous than a standard post-authentication disclosure.
Do these patches cover the entire Ivanti suite?
No. The bulletin specifically addresses four products—EPM, Secure Access Client, Virtual Traffic Manager, and Xtraction—covering seven CVEs. Ivanti has explicitly stated that these vulnerabilities do not affect other solutions in their portfolio.