Ivanti has published a critical security advisory for its Secure Access Client. Originally published on May 12, 2026, the advisory was significantly escalated on May 22, 2026, with the addition of a high-severity Remote Code Execution (RCE) flaw.
The updated advisory addresses a total of three vulnerabilities (one medium and two high severity) affecting Ivanti Secure Access Client versions 22.8R5 and prior on Windows.
While Ivanti reports no active exploitation in the wild at the time of disclosure, the nature of these vulnerabilities requires immediate remediation.
Threat actors routinely reverse-engineer patches for remote access tools within days of release, making swift deployment of the newly issued version 22.8R6 an imperative for enterprise network defenders.
Remote access clients sit at the crucial intersection of the public internet and secure internal corporate networks. Consequently, vulnerabilities in these applications provide highly lucrative footholds for threat actors seeking initial access or privilege escalation.
Over the past few years, the cybersecurity community has witnessed a surge in attacks targeting VPN appliances and secure access clients. The vulnerabilities disclosed in this May 2026 advisory represent a perfect storm of exploit chaining potential: a remote unauthenticated attack vector paired with local privilege escalation capabilities.
By chaining these vulnerabilities, an attacker could theoretically compromise a remote workstation, escalate their privileges to the highest system level, and use the compromised host as a beachhead to pivot laterally into the corporate network.
Understanding the technical mechanics of each CVE is vital for security operations centers (SOCs) to develop proper detection engineering rules and threat hunting strategies.
Ivanti Fixed Flaws in VPN Client
Added to the advisory on May 22, this is arguably the most critical flaw in the bundle. Tracked under CWE-295 (Improper Certificate Validation), this vulnerability exists in the way the Ivanti Secure Access Client processes digital certificates prior to version 22.8R6.
Improper certificate validation occurs when an application fails to adequately verify the identity of the remote endpoint it is connecting to, or fails to properly validate the contents of the certificate chain being presented. In this specific instance, the flaw allows a remote, unauthenticated attacker to execute arbitrary code.
Because the attack vector is network-based (AV:N) and requires no privileges (PR:N), a threat actor could intercept traffic or set up a malicious server to feed a crafted certificate to the client.
The requirement of user interaction (UI:R) slightly mitigates the severity, bringing the score to 8.8 rather than a perfect 10.0, as the attacker must entice the victim to connect to a malicious endpoint or successfully execute a Man-in-the-Middle (MitM) attack.
Tracked under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization), this vulnerability allows a locally authenticated user to escalate their system privileges to SYSTEM.
Race conditions in Windows client applications frequently occur when an installer, updater, or highly privileged background service temporarily modifies file permissions, writes to a directory, or executes a binary without proper synchronization locking.
If an attacker can accurately time their execution (the “race”), they can replace a legitimate file or hijack a process thread during that microsecond window.
Because the Ivanti Secure Access Client operates with high-level system privileges to manage network adapters and routing tables, successfully winning this race condition grants the attacker NT AUTHORITY\SYSTEM rights.
This allows for the total compromise of the host machine, the disabling of endpoint detection and response (EDR) sensors, and the installation of persistent rootkits.
The final vulnerability, tracked as CWE-732 (Incorrect Permission Assignment for Critical Resource), represents a severe data exposure risk. In versions prior to 22.8R6, the Secure Access Client suffers from weak access controls surrounding a shared memory section used for logging.
Because of this misconfiguration, any locally authenticated user, even one with low privileges, can gain read or write access to sensitive log data. In an enterprise environment, VPN logs often contain highly sensitive telemetry, including session tokens, internal routing schemes, username strings, and potentially poorly obfuscated credential hashes.
An attacker who has already achieved initial access via phishing could utilize this flaw to harvest sensitive network topography data or modify the logs to cover their tracks, severely hindering digital forensics and incident response (DFIR) investigations.
The discovery of these vulnerabilities underscores the necessity for continuous vulnerability management and the adoption of Zero Trust Network Access (ZTNA) architectures.
The security researchers credited with the responsible disclosure, John Rodriguez of CyberDagger, LLC, and YeongSik Moon, have provided the community with a vital head start against potential threat actors.
Mitigation
Organizations must immediately audit their fleets to identify endpoints running Ivanti Secure Access Client versions 22.8R5 and older.
- Deploy Patch 22.8R6: Administrators must download and deploy the fixed version (22.8R6) via the Ivanti Download Portal.
- Verify Server Compatibility: Upgrading the client requires ensuring compatibility with the backend infrastructure. The fixed client is confirmed compatible with:
  - Ivanti Connect Secure: 25.1.1.0, 22.8R2.3, and 22.7R2.12
  - Ivanti Policy Secure: 22.7R1.12
  - Ivanti Neurons for ZTNA: 22.8R1.10
- Monitor for Anomalies: Although no indicators of compromise (IoCs) currently exist due to the lack of active exploitation, security teams should baseline normal Secure Access Client behavior. SOCs should monitor for unexpected child processes spawning from the Ivanti executable (to detect CVE-2026-8992 or CVE-2026-7432) and unusual access patterns to Ivanti’s shared memory segments.
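As an added example (not code from Ivanti or the advisory), the following Python script supports the fleet-audit step: it parses Ivanti's release notation (22.8R5, 22.7R2.12, 25.1.1.0) into comparable tuples and flags inventory rows whose Secure Access Client is older than the fixed 22.8R6. The inventory CSV, its column names and the hostnames are constructed assumptions; adapt them to your own endpoint-management export.

```python
import csv
import io
import re

# Ivanti writes releases as MAJOR.MINOR R RELEASE[.PATCH] (22.8R5, 22.7R2.12); server
# builds such as 25.1.1.0 use plain dots. The advisory fixes the three CVEs in client
# 22.8R6, so anything parsing below it is treated as affected ("22.8R5 and prior").
FIXED_CLIENT = "22.8R6"
PRODUCT = "Ivanti Secure Access Client"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+)|\.(\d+))?(?:\.(\d+))?$")

def parse_version(text):
    """Return a comparable (major, minor, release, patch) tuple, or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, r_release, dotted_release, patch = m.groups()
    release = r_release if r_release is not None else dotted_release
    return tuple(int(x) if x is not None else 0 for x in (major, minor, release, patch))

def is_vulnerable_client(version, fixed=FIXED_CLIENT):
    """True when the installed client is older than the fixed release."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    return parsed < parse_version(fixed)

# Constructed sample of an inventory export (hypothetical hosts and column names).
SAMPLE_INVENTORY = """hostname,product,version
WS-0101,Ivanti Secure Access Client,22.8R5
WS-0102,Ivanti Secure Access Client,22.8R6
WS-0103,Ivanti Secure Access Client,22.7R2.12
WS-0105,Other VPN Client,22.8R5
WS-0106,Ivanti Secure Access Client,22.8R6.1
"""

def audit_inventory(csv_text, product=PRODUCT):
    """Return hostnames whose Secure Access Client still needs the 22.8R6 update."""
    needs_patch = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["product"] != product:
            continue  # other products are out of scope for this advisory
        if is_vulnerable_client(row["version"]):
            needs_patch.append(row["hostname"])
    return needs_patch

if __name__ == "__main__":
    for host in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to {FIXED_CLIENT}")
```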
FAQ
Q1: Are there any known active exploits for these specific Ivanti vulnerabilities in the wild?
No, Ivanti is currently not aware of any customers being exploited by these vulnerabilities prior to this public disclosure.
Q2: How can I determine if my organization’s network has already been compromised by these flaws?
Because there is no known public exploitation currently, there are no specific indicators of compromise (IoCs) available to scan for.
Q3: What version of the Ivanti Secure Access Client do I need to install to be protected?
You must upgrade your software to Ivanti Secure Access Client version 22.8R6 to resolve these vulnerabilities.
Q4: Where should I go if I need technical support implementing this critical security patch?
Customers requiring assistance can log a support case or request a callback directly through the Ivanti Success Portal.
Site: thecybrdef.com