Skip to main content

Ivanti Secure Access Client CVE-2026-7432

| EUVDEUVD-2026-29486 HIGH
Race Condition (CWE-362)
2026-05-12 ivanti GHSA-3p86-c4c4-99r5
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 15:31 vuln.today
CVE Published
May 12, 2026 - 14:21 nvd
HIGH 7.8

DescriptionCVE.org

A race condition in Ivanti Secure Access Client before 22.8R6 allows a locally authenticated user to escalate privileges to SYSTEM

AnalysisAI

Race condition in Ivanti Secure Access Client enables local privilege escalation to SYSTEM from low-privileged accounts. Affects versions before 22.8R6. An authenticated local user can exploit timing vulnerabilities in the client software to gain complete system control. While limited to local attack vector (requires existing access to the target system), the low attack complexity (AC:L) and lack of user interaction requirement (UI:N) make this exploitable once local access is achieved. No public exploit code identified at time of analysis, and EPSS risk scoring not yet available for this 2026 CVE.

Technical ContextAI

This vulnerability stems from a race condition (CWE-362), a time-of-check to time-of-use (TOCTOU) flaw where multiple threads or processes access shared resources without proper synchronization. Ivanti Secure Access Client, an enterprise VPN and secure remote access solution, runs components with elevated SYSTEM privileges on Windows endpoints. The race condition likely occurs during privileged operations where the client validates authorization or security state, then performs an action based on that validation - with a timing window where an attacker can modify the state between check and use. The CPE identifier cpe:2.3:a:ivanti:secure_access_client:*:*:*:*:*:*:*:* indicates all versions prior to the fixed release are affected across all deployment platforms. Race conditions are particularly dangerous in security-critical software because they create non-deterministic exploitation opportunities that may bypass traditional security controls.

RemediationAI

Upgrade Ivanti Secure Access Client to version 22.8R6 or later, as confirmed by the official Ivanti security advisory at https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Secure-Access-Client-CVE-2026-7431-CVE-2026-7432. The vendor advisory should be consulted for deployment-specific upgrade procedures and any prerequisite patches. If immediate patching is not feasible, implement compensating controls by restricting local administrator privileges on endpoints running vulnerable clients, enforcing strict user access policies through Windows Group Policy to limit who can authenticate locally, and enhancing monitoring for unusual privilege escalation attempts via Windows Event ID 4672 (Special privileges assigned to new logon) and 4673 (A privileged service was called). Deploy endpoint detection and response (EDR) solutions configured to alert on processes spawning with SYSTEM privileges from user-initiated contexts. Note that these mitigations only reduce attack surface and do not eliminate the vulnerability - race conditions cannot be reliably prevented through external controls once an attacker has local authenticated access. Organizations must prioritize the vendor patch as the only complete remediation.

More in Ivanti

View all
CVE-2024-7593 CRITICAL POC
9.8 Aug 13

Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai

CVE-2024-13159 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l

CVE-2024-13160 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu

CVE-2024-13161 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur

CVE-2025-0282 CRITICAL POC
9.0 Jan 08

Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated

CVE-2025-4427 MEDIUM POC
5.3 May 13

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a

CVE-2026-1281 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al

CVE-2026-1340 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a

CVE-2025-22457 CRITICAL POC
9.0 Apr 03

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re

CVE-2025-4428 HIGH POC
7.2 May 13

Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica

CVE-2026-1603 HIGH POC
8.6 Feb 10

Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen

CVE-2026-10520 CRITICAL POC
10.0 Jun 09

Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a

Share

CVE-2026-7432 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy