Ivanti Secure Access Client local privilege escalation

cve · CVE-2026-8992

Coverage timeline

first 2026-05-30 → last 2026-05-30

Briefs

1 distinct

Sources cited

15 hosts

Sections touched

updates

Co-occurring entities

see Related entities below

Story timeline

2026-05-30CTI Daily Brief — 2026-05-30
updatesNCSC.ch updated May advisory; CVSS 7.8; patched 2026-05-12+

Where this entity is cited

updates1

Source distribution

cert.ssi.gouv.fr3 (12%)
helpnetsecurity.com3 (12%)
security-hub.ncsc.admin.ch2 (8%)
ivanti.com2 (8%)
nvd.nist.gov2 (8%)
securityweek.com2 (8%)
thehackernews.com2 (8%)
bleepingcomputer.com1 (4%)
other7 (29%)

Related entities

BKA + ZIT dismantle relaunched Crimenetwork darknet marketplace; German operator arrested in Mallorca on European Arrest Warrant (2026-05-08)
incidentincident:bka-crimenetwork-takedown-2026×1
Google Threat Intelligence Group AI Threat Tracker (May 2026) — first AI-generated zero-day exploit ITW; AI-augmented malware (CANFAIL, LONGSTREAM, PROMPTFLUX, HONESTCUE); state-actor Gemini abuse (UNC2814, APT45, APT27, UNC5673)
annual-reportannual-report:gtig-ai-threat-tracker-may-2026×1
UPDATE: Chaotic Eclipse Windows zero-days — MiniPlasma is third PoC (cldflt.sys CfAbortHydration, claimed CVE-2020-17103 regression on fully patched Win11)
campaignitem:windows-zero-day-proliferation-yellowkey-greenplasma-minipla×1
UPDATE: Grafana Labs CoinbaseCartel — victim confirms source-code-only theft via Pwn-Request, no customer data, ransom rejected on FBI guidance
incidentitem:grafana-labs-coinbasecartel-pwn-request-github-actions-breac×1
UPDATE: TeamPCP / Shai-Hulud — first copycat wave (OX Security npm packages w/ Phantom Bot + SSH/cloud stealers); Checkmarx Jenkins plugin trojanised (third in three months); SentinelLabs PCPJack rival worm
campaignitem:teampcp-shai-hulud-copycat-wave-ox-security-checkmarx-pcpja×1

External references

NVD · cve.org · CISA KEV

All cited sources (24)

Items in briefs about Ivanti Secure Access Client local privilege escalation (1)

UPDATE: Ivanti Secure Access Client — NCSC.ch adds CVE-2026-8992 (local privilege escalation, CVSS 7.8) to May advisory

From CTI Daily Brief — 2026-05-30 · published 2026-05-30 · view item permalink →

UPDATE (originally covered 2026-05-08): NCSC Switzerland updated its Ivanti May 2026 advisory on 29 May 2026, adding CVE-2026-8992, a local privilege escalation in the Ivanti Secure Access Client (NCSC Switzerland Security Hub, 2026-05-29). CVSS 3.1 = 7.8 HIGH. A locally-authenticated attacker on a managed endpoint running the Ivanti SAC client can escalate from a standard Windows user session to local admin. Ivanti patched CVE-2026-8992 in all SAC client versions released on or after 12 May 2026. This is secondary to the actively-exploited CVE-2026-6973 (Ivanti EPMM admin-authenticated RCE, CISA KEV) which remains the highest-severity Ivanti item. Detection: Windows Event IDs 4672 and 4673 (special privilege assignment) correlated with Ivanti SAC process lineage (ivanti-vpn.exe, Ivanti Secure Access Client.exe). Hardening: update SAC client to any release from 12 May 2026 or later via EPMM-managed software inventory.