Ivanti Endpoint Manager Privilege Escalation (CVE-2026-8110)
The National Vulnerability Database has detailed CVE-2026-8110, a high-severity privilege escalation vulnerability affecting Ivanti Endpoint Manager agents. This flaw, rated 7.8 CVSSv3.1, stems from incorrect permissions assignment within the agent. Specifically, versions prior to 2024 SU6 are vulnerable.
An authenticated local attacker can exploit this weakness to escalate their privileges. This isn’t a remote attack, but once an adversary has a foothold on an endpoint, this vulnerability provides a clear path to elevated access, moving them closer to full system control or lateral movement. It’s a critical post-exploitation step for many attack chains.
Defenders must prioritize patching Ivanti Endpoint Manager agents to version 2024 SU6 or newer. This isn’t optional; it closes a significant avenue for attackers to deepen their presence on compromised systems. Given the widespread use of Ivanti products for endpoint management, this vulnerability presents a substantial risk for organizations that fail to update promptly.
What This Means For You
- If your organization uses Ivanti Endpoint Manager, you must identify all agents running versions prior to 2024 SU6 and patch them immediately. This closes a critical privilege escalation path that an attacker with local access would undoubtedly exploit.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Privilege Escalation via Ivanti Endpoint Manager Agent - CVE-2026-8110
title: Privilege Escalation via Ivanti Endpoint Manager Agent - CVE-2026-8110
id: scw-2026-05-12-ai-1
status: experimental
level: high
description: |
Detects the execution of the Ivanti Endpoint Manager agent (iagent.exe) spawned by a command shell or PowerShell, which is indicative of a local authenticated attacker attempting to exploit CVE-2026-8110 for privilege escalation by leveraging incorrect permissions.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-8110/
tags:
- attack.privilege_escalation
- attack.t1068
logsource:
category: process_creation
detection:
selection:
Image|endswith:
- 'Ivanti\Endpoint Manager\iagent.exe'
ParentImage|contains:
- 'cmd.exe'
- 'powershell.exe'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-8110 | Privilege Escalation | Ivanti Endpoint Manager agent before version 2024 SU6 |
| CVE-2026-8110 | Privilege Escalation | Incorrect permissions assignment in Ivanti Endpoint Manager agent |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 12, 2026 at 18:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
Ivanti Endpoint Manager RCE via SQL Injection (CVE-2026-8111)
CVE-2026-8111 — SQL injection in the web console of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to achieve remote code execution.
CVE-2026-8109 — An exposed dangerous method on the Core Server of Ivanti
CVE-2026-8109 — An exposed dangerous method on the Core Server of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to leak access credentials.
Ivanti Virtual Traffic Manager RCE via OS Command Injection
CVE-2026-8051 — OS command injection in Ivanti Virtual Traffic Manager before version 22.9r4 allows a remote authenticated attacker with admin privileges to achieve remote code...