Description
An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote unauthenticated attacker to execute arbitrary code.
Published: 2026-05-22
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper certificate validation flaw (CWE-295) in Ivanti Secure Access Client allows a remote unauthenticated attacker to execute arbitrary code. The client accepts a server certificate without properly validating it, so a server under the attacker's control can present a forged certificate that the client treats as genuine. The record does not describe the path from an accepted forged certificate to code execution, but the CVSS vector rates the impact as high on confidentiality, integrity and availability, which amounts to full compromise of the machine the client runs on.

Affected Systems

Ivanti Secure Access Client versions earlier than 22.8R6 are affected. The vulnerable component is the endpoint client installed on user machines for remote connectivity, not the gateway it connects to, so every workstation running an unpatched client is in scope.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates high severity: the attack is reachable over the network, is low in complexity and needs no privileges, but it does require user interaction. For a certificate validation flaw that typically means the victim's client has to initiate a connection that ends up at the attacker's server, whether because the user is induced to connect or because a legitimate connection is intercepted on the path. No EPSS score has been assigned, so the exploitation probability is unknown rather than low, and the vulnerability is not currently listed in CISA's KEV catalog; the SSVC assessment recorded in the history below rates Exploitation as none, Automatable as no and Technical Impact as total. Because the flaw permits arbitrary code execution, the confidentiality, integrity and availability of the host running the client are all at risk. The expected attack shape is an SSL/TLS connection from the client to a malicious or interposed server presenting a forged certificate that passes the client's flawed validation routine, thereby triggering code execution on the client side.

Generated by OpenCVE AI on May 22, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The description's wording ("before 22.8R6") indicates that 22.8R6 is the first fixed release, and the recommended actions below treat it as such, but no advisory is linked from this record (the References field in the history is empty), so confirm the fixed version against Ivanti's own advisory.

OpenCVE Recommended Actions

  • Apply the latest Ivanti Secure Access Client update that includes the certificate validation fix (v22.8R6 or later).
  • Configure the client to use only trusted certificate authorities and enable strict certificate verification.
  • Monitor network traffic and client logs for attempts to connect using untrusted or forged certificates and block suspicious connections. A vulnerable client will not itself flag a certificate it wrongly accepted, so until the update is deployed, network-side visibility (client connections to addresses that are not your gateways, unexpected certificates on the wire) matters more than client logs.

Generated by OpenCVE AI on May 22, 2026 at 15:52 UTC.
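The analysis above describes the failure mode only abstractly (a client that accepts a server certificate without chaining it to a trust anchor or matching it to the gateway it expects), and the recommended actions ask for strict verification against trusted CAs. The Go program below is added here as an illustration; it is not code from Ivanti, from the affected client, or from this record. It mints a throwaway root CA and three leaf certificates in memory (all constructed for the example; the gateway name vpn.example.test is an assumption), then runs the weak CWE-295 check and the hardened check over a genuine certificate, an attacker's self-signed forgery carrying the gateway's name, and a genuine certificate for the wrong name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const gatewayName = "vpn.example.test" // hypothetical gateway name, not from the advisory

// template builds a root-CA or server-auth leaf template; serial must be unique per issuer.
func template(name string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// newCert generates a P-256 key and a certificate from tmpl; a nil parent means self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// vulnerableAccept is the CWE-295 pattern: the certificate parses and is inside its validity window, but is never chained to a trust anchor or matched to the gateway name.
func vulnerableAccept(cert *x509.Certificate, now time.Time) bool {
	return now.After(cert.NotBefore) && now.Before(cert.NotAfter)
}

// hardenedAccept chains to the pinned root(s), requires the server-auth EKU and checks the name.
func hardenedAccept(cert *x509.Certificate, roots *x509.CertPool, hostname string, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     hostname,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

type Outcome struct { // how each validation path treats each certificate
	VulnerableAcceptsForged, HardenedAcceptsGenuine, HardenedRejectsForged, HardenedRejectsWrongName bool
}

// RunScenario mints a genuine gateway certificate issued by the organisation's root, a self-signed
// forgery carrying the same name, and a genuine certificate for another name, then validates each.
func RunScenario() Outcome {
	now := time.Now()
	orgCA, orgKey := newCert(template("Org Root CA", true, 1), nil, nil)
	genuine, _ := newCert(template(gatewayName, false, 10), orgCA, orgKey)
	forged, _ := newCert(template(gatewayName, false, 11), nil, nil) // attacker's self-signed certificate
	wrongName, _ := newCert(template("other.example.test", false, 12), orgCA, orgKey)
	roots := x509.NewCertPool()
	roots.AddCert(orgCA) // the only trust anchor the client should honour
	return Outcome{
		VulnerableAcceptsForged:  vulnerableAccept(forged, now),
		HardenedAcceptsGenuine:   hardenedAccept(genuine, roots, gatewayName, now) == nil,
		HardenedRejectsForged:    hardenedAccept(forged, roots, gatewayName, now) != nil,
		HardenedRejectsWrongName: hardenedAccept(wrongName, roots, gatewayName, now) != nil,
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The weak path accepts the forgery because it never asks who issued the certificate or for which name; the hardened path rejects both the forgery (unknown authority) and the mis-named certificate (hostname mismatch) while still accepting the genuine one. In a real TLS client the same three checks are what the library performs when verification is left enabled, and switching them off (in Go, tls.Config's InsecureSkipVerify; the equivalent flag in other stacks) is the one-line form of the same weakness.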

Advisories

No advisories yet.

History

Fri, 22 May 2026 17:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Ivanti
                                      Ivanti secure Access Client
Vendors & Products                    Ivanti
                                      Ivanti secure Access Client

Fri, 22 May 2026 16:15:00 +0000

Type    Values Removed   Values Added
Title                    Improper Certificate Validation in Ivanti Secure Access Client Enables Remote Code Execution

Fri, 22 May 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 22 May 2026 14:30:00 +0000

Type          Values Removed   Values Added
Description                    An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote unauthenticated attacker to execute arbitrary code.
Weaknesses                     CWE-295
References
Metrics                        cvssV3_1
                               {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Ivanti Secure Access Client
MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-05-23T03:55:55.923Z

Reserved: 2026-05-19T13:23:34.796Z

Link: CVE-2026-8992

Vulnrichment

Updated: 2026-05-22T14:48:59.684Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T17:00:14Z

Weaknesses