CVE-2026-8110 Overview
CVE-2026-8110 is a local privilege escalation vulnerability in the agent component of Ivanti Endpoint Manager. The flaw stems from incorrect permissions assignment (CWE-732) on resources managed by the agent. A local authenticated attacker can abuse the weak permissions to elevate privileges on an affected host. The issue affects all Ivanti Endpoint Manager 2024 releases prior to SU6, including SU1 through SU5 and associated security releases. Ivanti addressed the vulnerability in the May 2026 security release.
Critical Impact
A local authenticated user can escalate to higher privileges on systems running the Ivanti Endpoint Manager agent, gaining full confidentiality, integrity, and availability impact on the endpoint.
Affected Products
- Ivanti Endpoint Manager 2024 (base release through SU5)
- Ivanti Endpoint Manager 2024 SU3 Security Release 1 and SU4 Security Release 1
- All Ivanti Endpoint Manager agent versions prior to 2024 SU6
Discovery Timeline
- 2026-05-12 - CVE-2026-8110 published to the National Vulnerability Database
- 2026-05-12 - Ivanti publishes the May 2026 Endpoint Manager security advisory
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-8110
Vulnerability Analysis
The vulnerability is an Insecure Permissions issue (CWE-732) inside the Ivanti Endpoint Manager (EPM) agent. The agent runs with elevated privileges to perform software distribution, patch management, and remote control operations on managed endpoints. When the agent assigns access rights to files, directories, registry keys, or named objects, it grants excessive permissions to low-privileged local users. This permission misconfiguration creates a path between the unprivileged user context and the privileged agent context.
The CVSS vector indicates the attacker must be local and authenticated with low privileges, requires no user interaction, and can achieve high impact across confidentiality, integrity, and availability. The EPSS score of 0.023% reflects the absence of public exploit code at the time of disclosure.
Root Cause
The agent assigns overly permissive Access Control Lists (ACLs) to resources that are subsequently consumed or executed by a privileged process. Examples of CWE-732 patterns in management agents typically include writable service binaries, writable installation directories within Program Files, modifiable scheduled task definitions, or weak DACLs on named pipes used for inter-process communication. Ivanti's advisory confirms the flaw resides in the agent itself rather than the EPM core server.
Attack Vector
An attacker who already has interactive or remote shell access to a managed endpoint as a standard user identifies a resource owned or invoked by the EPM agent service. The attacker replaces or modifies that resource, then triggers the privileged agent to consume the attacker-controlled content. Execution under the agent's service account, typically SYSTEM, yields full local privilege escalation. The attack does not require network access, social engineering, or any additional vulnerability chain.
No public proof-of-concept code is available. Consult the Ivanti Security Advisory for vendor-specific technical context.
Detection Methods for CVE-2026-8110
Indicators of Compromise
- Unexpected modification of files or directories under the Ivanti EPM agent installation path by non-administrative users.
- Creation of new processes by the EPM agent service that spawn from unusual paths or with command lines referencing user-writable locations.
- New service binaries, DLLs, or scheduled tasks appearing in EPM-managed directories outside of legitimate patch cycles.
Detection Strategies
- Audit ACLs on the EPM agent installation directory and service binaries; flag any entries granting write or modify rights to Users, Authenticated Users, or Everyone.
- Monitor child processes of the EPM agent service running as SYSTEM and correlate them against an allowlist of expected executables.
- Hunt for token elevation events (Windows Event ID 4672) tied to user sessions that previously interacted with EPM agent files.
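The child-process correlation from the list above, as an added example (not code from Ivanti or from the original page). It assumes Sysmon process-creation logging (Event ID 1) is enabled, reuses the agent path shown elsewhere on this page, and treats the allowlist and function names as hypothetical placeholders to be replaced with a baseline from your own fleet.

```powershell
# Added example, not vendor code. Requires Sysmon Event ID 1 (process creation).
$AgentRoot = 'C:\Program Files (x86)\LANDesk\LDClient'   # path used on this page

# Assumption: constructed allowlist. Extend with child executables baselined in
# your environment; anything outside these trees is reported for review.
$AllowedRoots = @($AgentRoot)

function Test-UnderRoot {
    param([string]$Path, [string[]]$Roots)
    foreach ($r in $Roots) {
        $prefix = $r.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-SuspectAgentChild {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        # Flatten the EventData name/value pairs into a hashtable.
        $d = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }

        # Parent is an agent binary, child image is outside the allowlist.
        $parentIsAgent = Test-UnderRoot $d.ParentImage @($AgentRoot)
        if ($parentIsAgent -and -not (Test-UnderRoot $d.Image $AllowedRoots)) {
            [pscustomobject]@{
                Time        = $evt.TimeCreated
                User        = $d.User
                Integrity   = $d.IntegrityLevel
                Parent      = $d.ParentImage
                Child       = $d.Image
                CommandLine = $d.CommandLine
            }
        }
    }
}

Find-SuspectAgentChild -Days 7 | Sort-Object Time | Format-List
```

Rows with `Integrity` of `System` and a `Child` path in a user-writable location are the ones to triage first.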
Monitoring Recommendations
- Enable file integrity monitoring on the full EPM agent installation tree and configuration directories.
- Forward Windows Security and Sysmon process-creation events to a centralized log platform for cross-host correlation.
- Track agent service restarts and configuration reloads that occur outside of scheduled maintenance windows.
How to Mitigate CVE-2026-8110
Immediate Actions Required
- Upgrade all Ivanti Endpoint Manager agents to version 2024 SU6 or later as published in the May 2026 security release.
- Inventory every managed endpoint running the EPM agent and confirm patched build numbers after deployment.
- Restrict interactive logon and remote shell access on EPM-managed systems to reduce the local authenticated attack surface.
Patch Information
Ivanti released the fix in Ivanti Endpoint Manager 2024 SU6. Apply the update on the EPM core server and roll the updated agent to all managed endpoints. Patch deployment guidance and download links are available in the Ivanti Security Advisory - Endpoint Manager May 2026.
Workarounds
- No vendor-supplied workaround exists. Patching to 2024 SU6 is the required remediation.
- As a compensating control, manually tighten ACLs on the EPM agent installation directory to remove write permissions for non-administrative principals until the patch is deployed.
- Enforce least-privilege on managed endpoints and remove standing local administrator rights from user accounts that do not require them.
```powershell
# Example: audit ACLs on the Ivanti EPM agent directory (Windows PowerShell)
Get-Acl 'C:\Program Files (x86)\LANDesk\LDClient' |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -match 'Users|Everyone|Authenticated' }
```
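A deeper version of the audit above, added here as an example (not Ivanti's or the page author's code). It walks the whole agent tree, matches principals by well-known SID so localized group names are still caught, and tests a write-rights bit mask that includes raw generic rights. The path is the one shown on this page and the function name is hypothetical.

```powershell
# Added example, not vendor code. Path taken from this page; adjust to your install.
$AgentRoot = 'C:\Program Files (x86)\LANDesk\LDClient'

# Well-known SIDs of broad low-privileged principals (names vary by OS language).
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow changing content, deleting, or rewriting the ACL or owner.
$fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
    $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership)
# Inherit-only ACEs can carry raw generic bits: GENERIC_WRITE and GENERIC_ALL.
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Find-WeakAgentAcl {
    param([string]$Root = $AgentRoot)
    if (-not (Test-Path -LiteralPath $Root)) { return }

    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }
        # Ask for SIDs directly so orphaned or renamed accounts do not break translation.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not $LowPrivSids.ContainsKey($sid)) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $LowPrivSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Find-WeakAgentAcl | Sort-Object Path | Format-Table -AutoSize -Wrap
```

An empty result means no broad principal holds write-type rights anywhere under the tree; rows with `Inherited` set to `False` point at the object where the weak entry was set explicitly.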


