CVE-2026-8043 Ivanti Xtraction external file control (CVSS 9.6) plus EPM SQL-injection-to-RCE and vTM admin OS-command injection — May 2026 advisory batch, no ITW
From CTI Daily Brief — 2026-05-14 · published 2026-05-14
Ivanti's May 2026 Security Update (2026-05-12) discloses four product-line advisories. The headline issue is CVE-2026-8043 in Ivanti Xtraction prior to 2026.2, a CWE-73 (external control of file name or path) flaw rated 9.6 on CVSS 3.1 with PR:L (low-privilege authentication required, not admin) and AC:L. It lets a remote authenticated attacker read arbitrary server-side files and write arbitrary HTML into the web directory. The dual primitive is the operational concern: an arbitrary HTML write into the web tree is a viable stored-XSS staging point against higher-privileged Xtraction users, and combined with the file-read primitive it is sufficient to chain to a web-shell drop in environments where the attacker can guess or read deployment paths.
Ivanti's EPM advisory in the same cycle addresses a SQL-injection vulnerability in the EPM web console prior to 2024 SU6 that any remote authenticated user can leverage. The relevant defender note is the technique class, not just the CVSS score: SQL injection against EPM's SQL Server back-end is the well-documented pivot to code execution via xp_cmdshell or stored procedures (T1059) that ransomware initial-access brokers have weaponised against EPM and analogous endpoint-management platforms for years. The third advisory covers an OS-command injection (T1059) in the Ivanti Virtual Traffic Manager (vTM) admin interface prior to 22.9r4, allowing an admin-credentialed attacker to inject OS commands and achieve full RCE on the appliance. Ivanti states there is no in-the-wild exploitation as of 2026-05-12 for any of the four advisories; CERT-FR (CERTFR-2026-AVI-0576, 2026-05-13) and SecurityWeek (2026-05-13) corroborated the disclosure within 24 hours.
Affected and fixed versions (per the vendor batch): Ivanti Xtraction < 2026.2 → 2026.2; Ivanti EPM < 2024 SU6 → 2024 SU6; Ivanti vTM < 22.9r4 → 22.9r4. Inclusion gate cleared: CVE-2026-8043 sits in the ENISA EUVD CVSS 9.0–10.0 critical band on the vendor's CVSS 3.1 score. Detection priority for SOCs that operate Ivanti: monitor EPM web-console request logs for stored-procedure invocation patterns originating from non-administrative user contexts (T1505.003 web shell + T1059 command line), and audit Xtraction installations for any HTML file in the web tree whose timestamp post-dates 2026-04-01 and whose content does not match a release manifest. ATT&CK: T1190 Exploit Public-Facing Application, T1505.003 Web Shell, T1059 Command and Scripting Interpreter, with T1190 and T1505.003 chained for the Xtraction file-write to staged web-shell route. Xtraction is commonly deployed on internal management networks where egress controls are looser than at the perimeter, so a successful post-compromise T1041 (exfiltration over C2) can go unnoticed longer than a perimeter-edge compromise.
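The Xtraction web-tree audit described above, as an added example that is not part of the brief or any Ivanti tooling: it walks a web root, keeps only HTML files modified after 2026-04-01, and reports those that are absent from a release manifest or whose SHA-256 differs from it. The manifest format (relative path to SHA-256 hex digest) and the sample tree built by `build_sample_tree` are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Timestamp gate from the brief: HTML written after this date is suspect.
CUTOFF = datetime(2026, 4, 1, tzinfo=timezone.utc)
HTML_SUFFIXES = {".html", ".htm"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_web_tree(root, manifest, cutoff=CUTOFF):
    """Return sorted (relative_path, verdict, sha256) for HTML files under
    `root` newer than `cutoff` that are 'unlisted' in the manifest or
    'modified' relative to it. Manifest format is an assumption:
    {relative POSIX path: expected SHA-256 hex digest}."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in HTML_SUFFIXES:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime <= cutoff:
            continue  # pre-dates the window the brief asks to audit
        rel = path.relative_to(root).as_posix()
        digest = sha256_of(path)
        expected = manifest.get(rel)
        if expected is None:
            findings.append((rel, "unlisted", digest))
        elif expected != digest:
            findings.append((rel, "modified", digest))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a temp web root with one shipped file, one
    tampered shipped file, one dropped file, and one old unlisted file.
    mtimes are set explicitly so the result does not depend on today's date."""
    root = Path(tempfile.mkdtemp(prefix="xtraction_audit_"))
    new_ts = datetime(2026, 4, 15, tzinfo=timezone.utc).timestamp()
    old_ts = datetime(2026, 3, 1, tzinfo=timezone.utc).timestamp()
    files = {"index.html": (b"<html>shipped</html>", new_ts),
             "help.html": (b"<html>shipped</html><script>x</script>", new_ts),
             "uploads/x.html": (b"<html>dropped</html>", new_ts),
             "legacy.html": (b"<html>old</html>", old_ts)}
    for rel, (content, ts) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (ts, ts))
    manifest = {"index.html": sha256_of(root / "index.html"),
                "help.html": hashlib.sha256(b"<html>shipped</html>").hexdigest()}
    return root, manifest
```

Running `audit_web_tree(*build_sample_tree())` flags `help.html` as modified and `uploads/x.html` as unlisted while ignoring the matching `index.html` and the pre-cutoff `legacy.html`.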