Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Incorrect permissions assignment in the agent of Ivanti Endpoint Manager before version 2024 SU6 allows a local authenticated attacker to escalate their privileges.
AnalysisAI
Local privilege escalation in Ivanti Endpoint Manager agent allows authenticated users to gain SYSTEM-level privileges via incorrect file or registry permissions. Affects all versions prior to 2024 SU6. Vendor has released a patch (version 2024 SU6). No evidence of active exploitation or public POC identified at time of analysis, though EPSS data not available. Organizations running EPM agents on managed endpoints should prioritize patching given the high CVSS score (7.8) and potential for lateral movement across enterprise environments.
Technical ContextAI
This vulnerability stems from CWE-732 (Incorrect Permission Assignment for Critical Resource), where the Ivanti Endpoint Manager agent process assigns overly permissive access controls to critical files, registry keys, or named pipes. Endpoint management agents typically run with SYSTEM privileges to perform administrative tasks like software deployment, patch management, and configuration enforcement. When these agents create resources (configuration files, update directories, IPC mechanisms) with weak permissions allowing local authenticated users to modify them, attackers can inject malicious code or configuration that executes in the agent's privileged context. The CPE string (cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*) indicates all versions prior to the 2024 SU6 release are affected, spanning potentially years of product deployments across enterprise environments.
RemediationAI
Upgrade all Ivanti Endpoint Manager agents to version 2024 SU6 or later, following the deployment procedures documented in Ivanti's security advisory (https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-May-2026). Agent updates can typically be pushed centrally through the EPM console's software distribution functionality, though testing on non-production systems is recommended before enterprise-wide deployment to verify compatibility with existing policies and configurations. If immediate patching is not feasible, implement defense-in-depth controls: restrict local administrator group membership using least-privilege principles, enable Windows Defender Application Control or AppLocker to prevent unauthorized code execution even with elevated privileges, and monitor for unusual agent process behavior using EDR solutions (focus on child processes spawned by the EPM agent service or modifications to agent installation directories). Note that compensating controls only reduce risk and cannot fully mitigate the vulnerability, as the permissions weakness is inherent to the agent binary. Organizations should also review access logs for EPM-managed endpoints to identify any suspicious privilege escalation attempts prior to patching, particularly on high-value systems.
Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai
Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l
Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu
Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur
Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated
An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a
Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re
Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica
Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen
Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29490
GHSA-f4pp-6xvg-jr6j