Description
An exposed dangerous method in Ivanti DSM before version 2026.1.1 allows a local authenticated attacker to escalate their privileges.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

An exposed method in Ivanti Desktop and Server Management is documented as CWE‑749, indicating an insecure design flaw that allows a local authenticated user to perform actions beyond intended permissions. This flaw can be exploited to elevate privileges within the DSM application, enabling execution of arbitrary code with higher rights. Because the method is accessible to legitimate users, the attack requires only local authentication and bypasses normal authorization controls, potentially compromising the entire server environment.

Affected Systems

Ivanti Desktop and Server Management, version ranges before 2026.1.1 are affected. Any deployment of the DSM product prior to the 2026.1.1 release is vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.8, indicating moderate to high severity. EPSS is less than 1%, suggesting low exploitation probability at present, and the issue is not listed in CISA’s known‑exploited vulnerabilities catalog. Attackers must have local authenticated access, but once they do, privilege escalation is achievable without needing remote code execution. The risk is therefore primarily limited to systems where local users have elevated privileges. Organizations with strict local user controls and prompt patching can mitigate the threat.

Generated by OpenCVE AI on April 17, 2026 at 11:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ivanti DSM to version 2026.1.1 or later.
  • Restrict local user privileges to prevent unauthorized method invocation.
  • Enable auditing or logging for DSM services to detect suspicious activity.

Generated by OpenCVE AI on April 17, 2026 at 11:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Exposed Method in Ivanti Desktop and Server Management

Thu, 12 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Ivanti desktop \& Server Management
CPEs cpe:2.3:a:ivanti:desktop_\&_server_management:*:*:*:*:*:*:*:*
Vendors & Products Ivanti desktop \& Server Management

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Ivanti
Ivanti desktop\&server Management
Vendors & Products Ivanti
Ivanti desktop\&server Management

Tue, 10 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description An exposed dangerous method in Ivanti DSM before version 2026.1.1 allows a local authenticated attacker to escalate their privileges.
Weaknesses CWE-749
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Ivanti Desktop\&server Management Desktop \& Server Management
cve-icon MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-03-11T03:56:43.597Z

Reserved: 2026-03-03T15:08:57.000Z

Link: CVE-2026-3483

cve-icon Vulnrichment

Updated: 2026-03-10T14:58:08.046Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:19:01.720

Modified: 2026-03-12T13:58:06.347

Link: CVE-2026-3483

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:00:11Z

Weaknesses