Medium

Ivanti Endpoint Manager Core Server Exposed Dangerous Method Credential Disclosure

IdentifiersCVE-2026-8109CWE-749· Exposed Dangerous Method or Function

CVE-2026-8109 is an information disclosure vulnerability in the Core Server of Ivanti Endpoint Manager, affecting versions before 2024 SU6. The flaw is described as an exposed dangerous method in the RemoteControlAuth module. According to the provided sources, exploitation allows a remote attacker to disclose sensitive information, specifically stored or access credentials present on the server. While the vendor description characterizes the issue as requiring authentication, supporting reporting indicates the existing authentication mechanism can be bypassed, which may reduce the practical barrier to exploitation. The issue is fixed in Ivanti Endpoint Manager 2024 SU6.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows disclosure of sensitive information from the Ivanti Endpoint Manager Core Server, including stored access credentials. Leakage of these credentials can enable follow-on compromise of the Endpoint Manager environment and potentially facilitate unauthorized access to managed infrastructure or additional administrative functions, depending on credential scope.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the Ivanti Endpoint Manager Core Server and associated management interfaces to only trusted administrative networks, restrict access to the RemoteControlAuth-related functionality where feasible, enforce strong segmentation around the Core Server, monitor for anomalous access to credential-handling components, and rotate credentials that may have been exposed. However, the primary mitigation is vendor patching to 2024 SU6.

Remediation

Patch, then assume compromise.

Upgrade Ivanti Endpoint Manager to version 2024 SU6 or later. Ivanti states that 2024 SU6 contains the fix for CVE-2026-8109 and made the update available through ILS. Affected deployments are 2024 SU5 and earlier.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

IvantiEndpoint Managerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

cyber security newsNews

May 12, 2026

Ivanti Patches Multiple Vulnerabilities in Secure Access, Xtraction, vTM and Endpoint Manager

A credential leakage vulnerability in Ivanti Endpoint Manager Core Server that allows a remote authenticated attacker to exfiltrate access credentials.

forums ivantiNews

May 12, 2026

Security Advisory Ivanti Endpoint Manager (EPM) May 2026

An information disclosure vulnerability in the Core Server of Ivanti Endpoint Manager caused by an exposed dangerous method, allowing a remote authenticated attacker to leak access credentials.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-8109

NVD

nvd.nist.gov/vuln/detail/CVE-2026-8109

MITRE CWE · CWE-749

Exposed Dangerous Method or Function

Vendor Advisory

hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-May-2026?language=en_US