Description
OS command injection in Ivanti Virtual Traffic Manager before version 22.9r4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Published: 2026-05-12
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw exists in Ivanti Virtual Traffic Manager versions before 22.9r4, enabling a remote authenticated attacker who holds administrative privileges to execute arbitrary system commands. The vulnerability, classified as CWE‑78, can lead to full control over the host, compromising confidentiality, integrity, and availability of the managed network infrastructure.

Affected Systems

Ivanti Virtual Traffic Manager is affected for all releases older than version 22.9r4. Systems running these unpatched versions are at risk when administrators log in and issue management commands that are improperly sanitized.

Risk and Exploitability

The flaw carries a CVSS score of 7.2, indicating high severity. While the EPSS score is not available, the absence of a fix in the CISA KEV catalog suggests exploitation is not widely reported yet, but the requirement of admin authentication means only privileged users can initiate an attack. An attacker would exploit the command injection by sending crafted input through the administration interface, causing the vulnerable system to interpret and execute the injected commands end‑to‑end.

Generated by OpenCVE AI on May 12, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Ivanti Virtual Traffic Manager update v22.9r4 or newer to eliminate the command injection flaw.
  • If a patch is not immediately available, restrict the administration interface to a trusted internal network segment and enforce strict least‑privilege access, ensuring only authorized administrators can log in.
  • Continuously monitor system logs for unexpected command execution or abnormal activity that could indicate an attempt to exploit the vulnerability.

Generated by OpenCVE AI on May 12, 2026 at 16:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection Enabling Remote Code Execution in Ivanti Virtual Traffic Manager
First Time appeared Ivanti
Ivanti virtual Traffic Manager
Vendors & Products Ivanti
Ivanti virtual Traffic Manager

Tue, 12 May 2026 15:00:00 +0000

Type Values Removed Values Added
Description OS command injection in Ivanti Virtual Traffic Manager before version 22.9r4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Ivanti Virtual Traffic Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-05-13T03:57:57.542Z

Reserved: 2026-05-06T17:50:37.100Z

Link: CVE-2026-8051

cve-icon Vulnrichment

Updated: 2026-05-12T18:58:19.062Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-12T15:16:17.267

Modified: 2026-05-12T16:38:24.040

Link: CVE-2026-8051

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T16:30:19Z

Weaknesses