Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
OS command injection in Ivanti Virtual Traffic Manager before version 22.9r4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
AnalysisAI
Remote code execution in Ivanti Virtual Traffic Manager allows authenticated administrators to execute arbitrary OS commands via command injection. Affects all versions before 22.9r4. Attack requires network access and administrative credentials but has low complexity (CVSS AC:L). No active exploitation confirmed at time of analysis, though administrative access requirement significantly limits attack surface compared to unauthenticated RCE vulnerabilities.
Technical ContextAI
Ivanti Virtual Traffic Manager (vTM) is a software-based application delivery controller and load balancer. This vulnerability stems from CWE-78 (OS Command Injection), where user-supplied input from an authenticated administrator is improperly neutralized before being passed to system command execution functions. The flaw allows attackers to break out of intended command contexts and inject additional operating system commands. Given the administrative interface context and network attack vector (AV:N), this likely affects the web-based management console or API endpoints that interact with underlying system processes. The CPE string (cpe:2.3:a:ivanti:virtual_traffic_manager:*:*:*:*:*:*:*:*) indicates all product variants are affected regardless of platform, with version constraint applying universally up to the fixed release.
RemediationAI
Vendor-released patch: upgrade to Ivanti Virtual Traffic Manager version 22.9r4 or later, as confirmed by Ivanti Security Advisory SA-2026-05 (https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2026-8051?language=en_US). This is the primary remediation path. Until patching is completed, implement compensating controls targeting the high-privilege requirement: enforce multi-factor authentication on all administrative accounts, restrict administrative console access to specific source IP addresses or management networks using firewall rules or access control lists, enable comprehensive audit logging of all administrative actions to detect potential exploitation attempts, and review administrative account usage for anomalous command execution patterns. Monitor for unusual process spawning from vTM management services. Note that IP-based restrictions may complicate legitimate remote administration and MFA adds operational overhead but both significantly raise attacker cost. Administrative session timeouts should be minimized to reduce credential exposure window. These mitigations do not eliminate the vulnerability but substantially reduce exploitability by protecting the prerequisite administrative access vector.
Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai
Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l
Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu
Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur
Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated
An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a
Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re
Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica
Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen
Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29488
GHSA-3rm6-879f-q3r2