Ivanti Xtraction Critical Vulnerability Allows Remote File Manipulation
The National Vulnerability Database has disclosed CVE-2026-8043, a critical vulnerability in Ivanti Xtraction versions prior to 2026.2. This flaw, rated 9.6 on the CVSS scale, stems from external control of a file name (CWE-73).
This vulnerability allows a remote authenticated attacker to manipulate file names. Specifically, it enables the reading of sensitive files and the writing of arbitrary HTML files to a web directory. The implications are severe: information disclosure and potential client-side attacks, which can lead to further compromise within an organization.
Attackers can leverage this to exfiltrate critical data or inject malicious scripts, transforming the Xtraction instance into a launchpad for broader network intrusions. Defenders need to recognize that ‘authenticated’ does not mean ‘safe’—any compromised user credential could be enough to kick off a chain of devastating events.
What This Means For You
- If your organization uses Ivanti Xtraction, you need to patch immediately to version 2026.2 or later. This isn't theoretical; a CVSS 9.6 means active exploitation could lead to critical data loss and widespread client-side compromise. Don't wait for an incident.
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-8043 - Ivanti Xtraction Unauthenticated File Write via Web Directory
```yaml
title: CVE-2026-8043 - Ivanti Xtraction Unauthenticated File Write via Web Directory
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
    Detects attempts to exploit CVE-2026-8043 in Ivanti Xtraction. This rule specifically looks for POST requests to the '/xtraction/api/rest/data/report/export' endpoint with parameters indicative of file manipulation, such as 'reportName', 'exportFormat', and 'filePath'. Successful exploitation allows an attacker to write arbitrary HTML files to a web directory, potentially leading to client-side attacks.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2026-8043/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-uri|contains:
            - '/xtraction/api/rest/data/report/export'
        cs-method:
            - 'POST'
        sc-status:
            - '200'
    selection_exploit_param:
        cs-uri-query|contains:
            - 'reportName='
            - 'exportFormat='
            - 'filePath='
    condition: selection and selection_exploit_param
falsepositives:
    - Legitimate administrative activity
```
Source: Shimi's Cyber World
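For teams without a SIEM pipeline, the following added example (not part of the original rule set or of any Ivanti tooling) applies the same selection logic to IIS W3C extended logs for retrospective hunting. The endpoint and parameter names are copied from the rule above and are that rule's assumptions; the log lines, user names, and the fallback to `cs-uri-stem` when `cs-uri` is not logged are constructed for illustration.

```python
from urllib.parse import unquote_plus

# Values taken from the Sigma rule on this page; they are the rule's
# assumptions about the product, not vendor-confirmed details.
ENDPOINT = "/xtraction/api/rest/data/report/export"
PARAMS = ("reportname=", "exportformat=", "filepath=")

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2026-05-12 18:20:01 GET /xtraction/login.aspx - - 192.0.2.10 200
2026-05-12 18:21:44 POST /xtraction/api/rest/data/report/export reportName=q1&exportFormat=html&filePath=out.html alice 192.0.2.10 200
2026-05-12 18:22:03 POST /Xtraction/api/rest/data/report/export FilePath=weekly.html bob 192.0.2.77 200
2026-05-12 18:22:30 POST /xtraction/api/rest/data/report/export filePath=x.html carol 192.0.2.78 403
2026-05-12 18:23:00 POST /xtraction/api/rest/data/report/export - dave 192.0.2.79 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the column order from '#Fields:'."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated lines
                yield dict(zip(fields, values))

def matches_rule(rec):
    """Rule logic: endpoint AND POST AND 200 AND any listed parameter."""
    # Decode and lowercase first so encoding or case variants still match
    # (Sigma 'contains' is case-insensitive).
    uri = unquote_plus(rec.get("cs-uri") or rec.get("cs-uri-stem", "")).lower()
    query = unquote_plus(rec.get("cs-uri-query", "")).lower()
    return (ENDPOINT in uri
            and rec.get("cs-method", "").upper() == "POST"
            and rec.get("sc-status") == "200"
            and any(p in query for p in PARAMS))

def hunt(text):
    """Return (date, time, client IP, user) for every matching request."""
    return [(r["date"], r["time"], r.get("c-ip", "-"), r.get("cs-username", "-"))
            for r in parse_w3c(text) if matches_rule(r)]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

Both the rule and this script inspect only the query string, so parameters sent in a POST body are not visible to either; correlate hits with the authenticated user name and with new `.html` files appearing under the web directory.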
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-8043 | Information Disclosure | Ivanti Xtraction before version 2026.2 |
| CVE-2026-8043 | Code Injection | Ivanti Xtraction before version 2026.2 - write arbitrary HTML files to a web directory |
| CVE-2026-8043 | Path Traversal | Ivanti Xtraction before version 2026.2 - external control of a file name |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 18:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.