
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN499
_____________________________________________________________________

DATE                : 13/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Ivanti Secure Access Client
                              versions prior to 22.8R6.

=====================================================================
https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Secure-Access-Client-CVE-2026-7431-CVE-2026-7432?language=en_US
_____________________________________________________________________

May 2026 Security Advisory Ivanti Secure Access Client (CVE-2026-7431,
CVE-2026-7432)

Primary Product     : Connect-Secure
Created Date        : 12-May-2026 14:02:49
Last Modified Date  : 12-May-2026 14:02:49

Summary

Ivanti has released updates for the Ivanti Secure Access Client
which address one Medium severity vulnerability and one High
severity vulnerability.

We are not aware of any customers being exploited by these
vulnerabilities at the time of disclosure.


Vulnerability Details

CVE Number            : CVE-2026-7431
Description           : An incorrect permission assignment for critical
                        resource of Ivanti Secure Access Client before
                        22.8R6 allows a local authenticated user to read
                        or modify sensitive log data via write access to
                        a shared memory section.
CVSS Score (Severity) : 4.4 (Medium)
CVSS Vector           : AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE                   : CWE-732

CVE Number            : CVE-2026-7432
Description           : A race condition in Ivanti Secure Access Client
                        before 22.8R6 allows a locally authenticated user
                        to escalate privileges to SYSTEM.
CVSS Score (Severity) : 7.8 (High)
CVSS Vector           : CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE                   : CWE-362

 
Affected Versions

Product Name        : Ivanti Secure Access Client (Windows)
Affected Version(s) : 22.8R5 and prior
Resolved Version(s) : 22.8R6
Patch Availability  : Download Portal

 
Solution

Customers should apply the fixed version of the client, 22.8R6.
Below are the compatible server versions for the fixed client:

Ivanti Connect Secure 25.1.1.0, 22.8R2.3 (compatible), and 22.7R2.12 (compatible).
Ivanti Policy Secure 22.7R1.12
Ivanti Neurons for ZTNA 22.8R1.10
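
To find the clients that still need the fix, the release strings used in this advisory can be compared against 22.8R6. The following is an added example, not Ivanti or CERT-Renater code. It assumes the inventory reports client versions in the advisory's notation and that a longer patch suffix sorts later; host names and versions in the sample are constructed.

```python
import re

# Fixed client release named in the advisory.
FIXED = "22.8R6"

# Release strings in the advisory's notation: MAJOR.MINOR "R" RELEASE[.PATCH...]
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)((?:\.\d+)*)$", re.IGNORECASE)


def parse_release(text):
    """Return a comparable tuple for e.g. '22.8R5' -> (22, 8, 5), or None."""
    m = _RELEASE_RE.match(text.strip())
    if not m:
        return None
    major, minor, rel, tail = m.groups()
    extra = tuple(int(p) for p in tail.split(".") if p)
    return (int(major), int(minor), int(rel)) + extra


def triage(version, fixed=FIXED):
    """Classify one client version as 'vulnerable', 'fixed' or 'unknown'."""
    parsed = parse_release(version)
    if parsed is None:
        return "unknown"  # never assume an unparseable version is safe
    return "vulnerable" if parsed < parse_release(fixed) else "fixed"


def triage_inventory(rows):
    """Map (host, version) pairs to a dict of status -> sorted host list."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in rows:
        report[triage(version)].append(host)
    return {k: sorted(v) for k, v in report.items()}


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE = [
    ("ws-001", "22.8R5"),
    ("ws-002", "22.8R6"),
    ("ws-003", "22.7R4.1"),
    ("ws-004", " 22.8r6.2 "),
    ("ws-005", "9.1.15"),
]

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" need a manual check, since their version string is not in the notation this advisory uses.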
 

Acknowledgements

Ivanti would like to thank the following for reporting the relevant
issues and for working with Ivanti to help protect our customers:

John Rodriguez, CyberDagger, LLC

Note: Ivanti is dedicated to ensuring the security and integrity of
our enterprise software products. We recognize the vital role that
security researchers, ethical hackers, and the broader security
community play in identifying and reporting vulnerabilities. Visit
HERE to learn more about our Vulnerability Disclosure Policy.

 
FAQ

1: Are you aware of any active exploitation of these vulnerabilities?

We are not aware of any customers being exploited by these
vulnerabilities prior to public disclosure. These vulnerabilities
were disclosed through our responsible disclosure program.

 
2: How can I tell if I have been compromised?

Currently, there is no known public exploitation of this vulnerability
that could be used to provide a list of indicators of compromise.

 
3: What should I do if I need help? 

If you have questions after reviewing this information, you can log
a case and/or request a call via the Success Portal.

Article Number : 000106656
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




