Ivanti CVEs & Vulnerabilities

15 CVEs affecting Ivanti products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

endpoint manager mobile 15secure access client 6endpoint manager 6virtual traffic manager 2standalone sentry 2xtraction 1desktop \& server management 1
CVE-2026-10520KEVCRITICALin the wild

An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution

9 Jun 2026
10.0
CVSS
CVE-2026-8992HIGH

An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote unauthenticated attacker to execute arbitrary code.

22 May 2026
8.8
CVSS
CVE-2026-8111HIGH

SQL injection in the web console of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to achieve remote code execution.

12 May 2026
8.8
CVSS
CVE-2026-8110HIGH

Incorrect permissions assignment in the agent of Ivanti Endpoint Manager before version 2024 SU6 allows a local authenticated attacker to escalate their privileges.

12 May 2026
7.8
CVSS
CVE-2026-8109MEDIUM

An exposed dangerous method on the Core Server of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to leak access credentials.

12 May 2026
6.5
CVSS
CVE-2026-8051HIGH

OS command injection in Ivanti Virtual Traffic Manager before version 22.9r4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

12 May 2026
7.2
CVSS
CVE-2026-8043CRITICAL

External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks.

12 May 2026
9.6
CVSS
CVE-2026-7432HIGH

A race condition in Ivanti Secure Access Client before 22.8R6 allows a locally authenticated user to escalate privileges to SYSTEM

12 May 2026
7.0
CVSS
CVE-2026-7431MEDIUM

An incorrect permission assignment for critical resource of Ivanti Secure Access Client   before 22.8R6 allows a local authenticated user to read or modify sensitive log data via write access to a shared memory section.

12 May 2026
4.4
CVSS
CVE-2026-7821CRITICAL

Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about EPMM appliance and impacting on the integrity of the newly enrolled device identity.

7 May 2026
9.1
CVSS
CVE-2026-6973KEVHIGHin the wild

An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.

7 May 2026
7.2
CVSS
CVE-2026-5788CRITICAL

An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods.

7 May 2026
9.8
CVSS
CVE-2026-5787CRITICAL

An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.

7 May 2026
9.1
CVSS
CVE-2026-5786HIGH

An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access.

7 May 2026
8.8
CVSS
CVE-2026-3483HIGH

An exposed dangerous method in Ivanti DSM before version 2026.1.1 allows a local authenticated attacker to escalate their privileges.

10 Mar 2026
7.8
CVSS
← PrevPage 1 / 1Next →