Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A race condition in Ivanti Secure Access Client before 22.8R6 allows a locally authenticated user to escalate privileges to SYSTEM
AnalysisAI
Race condition in Ivanti Secure Access Client enables local privilege escalation to SYSTEM from low-privileged accounts. Affects versions before 22.8R6. An authenticated local user can exploit timing vulnerabilities in the client software to gain complete system control. While limited to local attack vector (requires existing access to the target system), the low attack complexity (AC:L) and lack of user interaction requirement (UI:N) make this exploitable once local access is achieved. No public exploit code identified at time of analysis, and EPSS risk scoring not yet available for this 2026 CVE.
Technical ContextAI
This vulnerability stems from a race condition (CWE-362), a time-of-check to time-of-use (TOCTOU) flaw where multiple threads or processes access shared resources without proper synchronization. Ivanti Secure Access Client, an enterprise VPN and secure remote access solution, runs components with elevated SYSTEM privileges on Windows endpoints. The race condition likely occurs during privileged operations where the client validates authorization or security state, then performs an action based on that validation - with a timing window where an attacker can modify the state between check and use. The CPE identifier cpe:2.3:a:ivanti:secure_access_client:*:*:*:*:*:*:*:* indicates all versions prior to the fixed release are affected across all deployment platforms. Race conditions are particularly dangerous in security-critical software because they create non-deterministic exploitation opportunities that may bypass traditional security controls.
RemediationAI
Upgrade Ivanti Secure Access Client to version 22.8R6 or later, as confirmed by the official Ivanti security advisory at https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Secure-Access-Client-CVE-2026-7431-CVE-2026-7432. The vendor advisory should be consulted for deployment-specific upgrade procedures and any prerequisite patches. If immediate patching is not feasible, implement compensating controls by restricting local administrator privileges on endpoints running vulnerable clients, enforcing strict user access policies through Windows Group Policy to limit who can authenticate locally, and enhancing monitoring for unusual privilege escalation attempts via Windows Event ID 4672 (Special privileges assigned to new logon) and 4673 (A privileged service was called). Deploy endpoint detection and response (EDR) solutions configured to alert on processes spawning with SYSTEM privileges from user-initiated contexts. Note that these mitigations only reduce attack surface and do not eliminate the vulnerability - race conditions cannot be reliably prevented through external controls once an attacker has local authenticated access. Organizations must prioritize the vendor patch as the only complete remediation.
Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai
Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l
Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu
Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur
Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated
An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a
Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re
Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica
Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen
Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a
Same weakness CWE-362 – Race Condition
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29486
GHSA-3p86-c4c4-99r5