Description
An incorrect permission assignment for critical resource of Ivanti Secure Access Client before 22.8R6 allows a local authenticated user to read or modify sensitive log data via write access to a shared memory section.
Published: 2026-05-12
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an incorrect permission assignment for a critical resource in Ivanti Secure Access Client prior to version 22.8R6. A local authenticated user can obtain write access to a shared memory section and thereby read or modify sensitive log data, compromising the confidentiality and integrity of logs. This is a CWE‑732 issue and does not provide a path to remote execution or privilege escalation beyond the local user.

Affected Systems

Ivanti Secure Access Client versions older than 22.8R6 are affected. Users running the client on a host with local authentication are at risk.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity, and the EPSS score is not available, so the exploitation probability remains uncertain. The vulnerability is not listed in the CISA KEV catalog, and the attack vector requires local authentication; an attacker with a valid user account can manipulate the shared memory section. The risk is limited to users who already have local access, though compromising log data may facilitate further attacks.

Generated by OpenCVE AI on May 12, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ivanti Secure Access Client to version 22.8R6 or later, which fixes the permission issue.
  • Apply any vendor‑supplied security updates for Secure Access Client promptly.
  • If an immediate upgrade is not possible, restrict user privileges or disable the shared memory feature to prevent write access until a patch is applied.

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
CPEs cpe:2.3:a:ivanti:secure_access_client:*:*:*:*:*:*:*:*
cpe:2.3:a:ivanti:secure_access_client:22.8:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:secure_access_client:22.8:r1:*:*:*:*:*:*
cpe:2.3:a:ivanti:secure_access_client:22.8:r2:*:*:*:*:*:*
cpe:2.3:a:ivanti:secure_access_client:22.8:r3:*:*:*:*:*:*
cpe:2.3:a:ivanti:secure_access_client:22.8:r4:*:*:*:*:*:*
cpe:2.3:a:ivanti:secure_access_client:22.8:r5:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows

Tue, 12 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Local Authenticated User Can Modify Sensitive Logs via Shared Memory in Ivanti Secure Access Client
First Time appeared Ivanti
Ivanti secure Access Client
Vendors & Products Ivanti
Ivanti secure Access Client

Tue, 12 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 15:00:00 +0000

Type Values Removed Values Added
Description An incorrect permission assignment for critical resource of Ivanti Secure Access Client before 22.8R6 allows a local authenticated user to read or modify sensitive log data via write access to a shared memory section.
Weaknesses CWE-732
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-05-12T15:45:16.934Z

Reserved: 2026-04-29T15:17:01.170Z

Link: CVE-2026-7431

Vulnrichment

Updated: 2026-05-12T15:45:11.321Z

NVD

Status: Analyzed

Published: 2026-05-12T15:16:16.883

Modified: 2026-05-12T19:53:39.127

Link: CVE-2026-7431

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T16:30:19Z

Weaknesses