Description
A race condition in Ivanti Secure Access Client before 22.8R6 allows a locally authenticated user to escalate privileges to SYSTEM.
Published: 2026-05-12
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a race condition (CWE-362) in Ivanti Secure Access Client that allows an authenticated local user to elevate privileges to SYSTEM. By exploiting the timing flaw, an attacker can win a race between execution paths and gain full system‑level access. With SYSTEM rights, they can read or modify any data, install software, or establish persistence, effectively taking control of the host.

Affected Systems

The vulnerability affects Ivanti Secure Access Client, with no specific version information provided. Any build that predates the vendor's fix may be susceptible until a patch is applied.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, yet the local attack vector remains significant. A legitimate local user can trigger the race condition, achieving SYSTEM privileges and compromising the entire machine.

Generated by OpenCVE AI on May 12, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Ivanti to obtain the latest security release or patch that addresses the race condition.
  • Limit local user permissions where possible to reduce the potential impact of a privilege escalation attempt.
  • Enable auditing and closely monitor system activity for unusual SYSTEM‑level actions that may indicate exploitation.



Advisories

No advisories yet.

History

Tue, 12 May 2026 20:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Microsoft; Microsoft windows
CPEs | | cpe:2.3:a:ivanti:secure_access_client:*:*:*:*:*:*:*:*; cpe:2.3:a:ivanti:secure_access_client:22.8:-:*:*:*:*:*:*; cpe:2.3:a:ivanti:secure_access_client:22.8:r1:*:*:*:*:*:*; cpe:2.3:a:ivanti:secure_access_client:22.8:r2:*:*:*:*:*:*; cpe:2.3:a:ivanti:secure_access_client:22.8:r3:*:*:*:*:*:*; cpe:2.3:a:ivanti:secure_access_client:22.8:r4:*:*:*:*:*:*; cpe:2.3:a:ivanti:secure_access_client:22.8:r5:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft windows

Tue, 12 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
Title | | Race Condition Enables Local Privilege Escalation to SYSTEM in Ivanti Secure Access Client

Tue, 12 May 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ivanti; Ivanti secure Access Client
Vendors & Products | | Ivanti; Ivanti secure Access Client

Tue, 12 May 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | | A race condition in Ivanti Secure Access Client before 22.8R6 allows a locally authenticated user to escalate privileges to SYSTEM
Weaknesses | | CWE-362
References | |
Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-05-13T03:57:55.320Z

Reserved: 2026-04-29T15:17:02.853Z

Link: CVE-2026-7432

Vulnrichment

Updated: 2026-05-12T18:46:25.766Z

NVD

Status: Analyzed

Published: 2026-05-12T15:16:17.027

Modified: 2026-05-12T19:53:00.133

Link: CVE-2026-7432

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T17:30:21Z

Weaknesses