CVE-2026-8992
Published 2026-05-22
Priority P259 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 0.56% (42.6th percentile)
An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote unauthenticated attacker to execute arbitrary code.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | secure_access_client | <= 22.7 | — |
| ivanti | secure_access_client | — | — |
Detection & IOCs
- Vulnerability affects Ivanti Secure Access Client versions before 22.8R6. Patching to 22.8R6 or later is required to remediate the improper certificate validation flaw (CWE-295) that enables unauthenticated RCE.
CVSS provenance
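| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| cvelistv5 | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |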
GHSA
GHSA-748c-m6r6-qw5q: An improper certificate validation vulnerability in Ivanti Secure Access Client before 22
ghsa_unreviewed·2026-05-26
CVE-2026-8992 [HIGH] CWE-295 GHSA-748c-m6r6-qw5q: An improper certificate validation vulnerability in Ivanti Secure Access Client before 22
An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote unauthenticated attacker to execute arbitrary code.
CVEList
CVE-2026-8992: An improper certificate validation vulnerability in Ivanti Secure Access Client before 22
cvelistv5·2026-05-22·CVSS 8.8
CVE-2026-8992 [HIGH] CWE-295 CVE-2026-8992: An improper certificate validation vulnerability in Ivanti Secure Access Client before 22
An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote unauthenticated attacker to execute arbitrary code.
VulDB
Ivanti Secure Access Client up to 22.8R5 certificate validation
vuldb·2026-05-22
CVE-2026-8992 [CRITICAL] Ivanti Secure Access Client up to 22.8R5 certificate validation
A vulnerability has been found in Ivanti Secure Access Client up to 22.8R5 and classified as problematic. The impacted element is an unknown function. The manipulation leads to improper certificate validation.
This vulnerability is uniquely identified as CVE-2026-8992. The attack can be carried out remotely. No exploit exists.
The affected component should be upgraded.
Ivanti
Ivanti Security Advisory: CVE-2026-8992
vendor_ivanti·2026-05-22·CVSS 8.8
CVE-2026-8992 [HIGH] CWE-295 Ivanti Security Advisory: CVE-2026-8992
An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote unauthenticated attacker to execute arbitrary code.
CVE IDs: CVE-2026-8992
CVSS Base Score: 8.8
Severity: HIGH
CWEs: CWE-295
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-22