CVE-2026-8109: Ivanti Endpoint Manager Information Leak

CVE-2026-8109 Overview

CVE-2026-8109 affects the Core Server component of Ivanti Endpoint Manager (EPM) prior to version 2024 SU6. The vulnerability stems from an exposed dangerous method [CWE-749] that authenticated remote attackers can invoke to leak access credentials. An attacker with valid low-privilege credentials on the network can call the exposed method and retrieve sensitive authentication material from the Core Server. Ivanti addressed the issue in the May 2026 security advisory cycle.

Critical Impact

A remote authenticated attacker can extract access credentials from the Ivanti EPM Core Server, enabling lateral movement and unauthorized access to managed endpoints and connected systems.

Affected Products

• Ivanti Endpoint Manager 2024 (base release)
• Ivanti Endpoint Manager 2024 SU1 through SU5 (including SU3 Security Release 1 and SU4 Security Release 1)
• All Ivanti Endpoint Manager versions prior to 2024 SU6

Discovery Timeline

• 2026-05-12 - CVE-2026-8109 published to NVD
• 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-8109

Vulnerability Analysis

The vulnerability resides in the Core Server component of Ivanti Endpoint Manager, the central management service that coordinates agent communication, policy distribution, and software deployment across managed endpoints. The Core Server exposes a method that should be restricted to internal or privileged callers but is reachable over the network by any authenticated user.

When an authenticated attacker invokes this method, the Core Server returns access credentials stored or processed by the component. These credentials may include service account passwords, agent communication tokens, or integration credentials used by EPM to connect with databases, directory services, or remote endpoints. The disclosure compromises confidentiality without altering integrity or availability on the affected host.

The weakness is classified as Exposed Dangerous Method or Function [CWE-749]. The Common Weakness Enumeration category covers cases where a class, module, or service exposes functionality that should be access-restricted but is not.

Root Cause

The Core Server fails to enforce proper authorization on a method that returns credential data. Authentication alone is treated as sufficient, with no additional role check, capability check, or caller validation gating the sensitive operation. Any authenticated principal can therefore reach functionality intended for privileged consumers.

Attack Vector

Exploitation requires network access to the Core Server and a valid authenticated session with low privileges. The attacker sends a crafted request to the exposed method endpoint and parses credentials from the response. No user interaction is required, and the attack complexity is low. Public proof-of-concept code is not currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Technical specifics for the exposed method signature are not disclosed in the Ivanti advisory. Refer to the Ivanti Security Advisory for vendor-supplied details.

Detection Methods for CVE-2026-8109

Indicators of Compromise

• Unexpected authenticated requests to Core Server management endpoints originating from low-privilege user accounts or non-administrative workstations.
• Anomalous outbound use of EPM service account credentials shortly after Core Server access, suggesting credential reuse following extraction.
• Authentication events for EPM-managed service accounts from hosts that do not normally interact with those identities.

Detection Strategies

• Audit Core Server access logs for authenticated calls to administrative or credential-related methods made by accounts without administrative roles.
• Correlate EPM authentication telemetry with subsequent use of recovered service accounts across Active Directory, SQL Server, and remote agents.
• Baseline normal API and RPC call patterns to the Core Server and alert on deviations in caller identity, request volume, or method invocation frequency.

Monitoring Recommendations

• Forward Ivanti EPM Core Server logs and Windows Security events to a centralized analytics platform for correlation with endpoint and identity telemetry.
• Monitor service account logon patterns for credential reuse from unexpected source hosts following EPM access.
• Track configuration and credential read operations on the Core Server database and flag access by non-administrative principals.

How to Mitigate CVE-2026-8109

Immediate Actions Required

• Upgrade Ivanti Endpoint Manager to version 2024 SU6 or later on all Core Servers as the primary remediation.
• Rotate all service accounts, integration credentials, and agent secrets managed by or stored on the Core Server after patching.
• Restrict Core Server administrative interfaces to dedicated management networks and review the list of accounts authorized to authenticate to EPM.

Patch Information

Ivanti released the fix in Ivanti Endpoint Manager 2024 SU6. Apply the update following the guidance in the Ivanti Security Advisory - May 2026. Verify the installed version after upgrade and confirm that Core Server services restart cleanly.

Workarounds

• Limit network reachability of the Core Server to trusted administrative hosts using firewall rules or network segmentation.
• Reduce the number of EPM accounts and enforce least privilege so fewer principals can authenticate to the Core Server pending patch deployment.
• Increase audit logging verbosity on the Core Server and review logs frequently for unexpected authenticated method invocations until SU6 is applied.