ivanti

Vendors · ivanti

· 94 Critical491 known vulnerabilities across 40 products

Total CVEs

491

Critical

Products

Search All CVEs →

491

Products (40)

connect secure130 CVEs avalanche117 CVEs endpoint manager116 CVEs policy secure77 CVEs endpoint manager mobile28 CVEs workspace control22 CVEs secure access client21 CVEs zero trust access gateway17 CVEs neurons for secure access15 CVEs cloud services appliance7 CVEs desktop \& server management6 CVEs neurons for itsm6 CVEs landesk management suite6 CVEs neurons for zero-trust access5 CVEs endpoint manager cloud services appliance5 CVEs incapptic connect3 CVEs security controls3 CVEs standalone sentry3 CVEs application control2 CVEs automation2 CVEs mobileiron2 CVEs virtual traffic manager2 CVEs neurons agent platform1 CVEs patch for configuration manager1 CVEs patch software development kit1 CVEs performance manager1 CVEs mobileiron sentry1 CVEs pulse secure desktop client1 CVEs pulse secure installer service1 CVEs endpoint security1 CVEs dsm remote1 CVEs service manager1 CVEs service manager heat remote control1 CVEs dsm netinst1 CVEs velocity license server1 CVEs virtual application delivery controller1 CVEs desktop\&server management1 CVEs docs\@work1 CVEs xtraction1 CVEs neurons for patch management1 CVEs

Recent Vulnerabilities

View all 491 →

CVE-2026-10520CRITICAL 10.0KEV

An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution

CVE-2026-8992HIGH 8.8

An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote unauthenticated attacker to execute arbitrary code.

CVE-2026-8111HIGH 8.8

SQL injection in the web console of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to achieve remote code execution.

CVE-2026-8110HIGH 7.8

Incorrect permissions assignment in the agent of Ivanti Endpoint Manager before version 2024 SU6 allows a local authenticated attacker to escalate their privileges.

CVE-2026-8109MEDIUM 6.5

An exposed dangerous method on the Core Server of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to leak access credentials.

CVE-2026-8051HIGH 7.2

OS command injection in Ivanti Virtual Traffic Manager before version 22.9r4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

CVE-2026-8043CRITICAL 9.6

External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks.

CVE-2026-7432HIGH 7.8

A race condition in Ivanti Secure Access Client before 22.8R6 allows a locally authenticated user to escalate privileges to SYSTEM

CVE-2026-7431MEDIUM 4.4

An incorrect permission assignment for critical resource of Ivanti Secure Access Client before 22.8R6 allows a local authenticated user to read or modify sensitive log data via write access to a shared memory section.

CVE-2026-6973HIGH 7.2KEV

An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.

CVE-2026-7821HIGH 7.4

Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about EPMM appliance and impacting on the integrity of the newly enrolled device identity.

CVE-2026-5788HIGH 7.0

An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods.

CVE-2026-5787HIGH 8.9

An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.

CVE-2026-5786HIGH 8.8

An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access.

CVE-2026-3483HIGH 7.8

An exposed dangerous method in Ivanti DSM before version 2026.1.1 allows a local authenticated attacker to escalate their privileges.

CVE-2026-1603HIGH 8.6KEV

An authentication bypass in Ivanti Endpoint Manager before version 2024 SU5 allows a remote unauthenticated attacker to leak specific stored credential data.

CVE-2026-1602MEDIUM 6.5

SQL injection in Ivanti Endpoint Manager before version 2024 SU5 allows a remote authenticated attacker to read arbitrary data from the database.

CVE-2026-1340CRITICAL 9.8KEV

A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

CVE-2026-1281CRITICAL 9.8KEV

A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.

CVE-2025-13662HIGH 7.8

Improper verification of cryptographic signatures in the patch management component of Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary code. User Interaction is required.

CVE-2025-13661HIGH 7.1

Path traversal in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote authenticated attacker to write arbitrary files outside of the intended directory. User interaction is required.

CVE-2025-13659HIGH 8.8

Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required.

CVE-2025-10573CRITICAL 9.6

Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required.

CVE-2025-10918HIGH 7.1

Insecure default permissions in the agent of Ivanti Endpoint Manager before version 2024 SU4 allows a local authenticated attacker to write arbitrary files anywhere on disk

CVE-2025-10986MEDIUM 4.7

Path traversal in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to write data in unintended locations on disk.