CVE-2026-45172
Description
Incomplete input validation in Idira PSMP before fixed versions lets low-privilege authenticated users execute arbitrary commands on the host.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2026-45172 is caused by incomplete input validation in Idira Privileged Session Manager for SSH (PSMP). Each maintained branch is affected up to its fix release: 15.0.x before 15.0.2, 14.6.x before 14.6.3, 14.2.x before 14.2.5, and 14.0.x before 14.0.6 [1][2][3][4]. The vulnerability resides in the session management component and is reachable by an attacker who holds valid low-privilege credentials to the PSMP host.
Exploitation
An attacker must first authenticate to the PSMP host with low-privileged credentials. No additional privileges or user interaction beyond normal session initiation are required. By sending crafted input through the session manager's interface, the attacker reaches the code path whose validation is incomplete and executes arbitrary commands. The record does not identify the input field or the command-execution sink, and no public exploit details are cited.
Impact
Successful exploitation allows the attacker to execute arbitrary commands on the PSMP host. This leads to full compromise of the confidentiality, integrity, and availability of the host system, potentially granting the attacker the ability to pivot to other managed assets.
Mitigation
CyberArk released fixed versions 15.0.2 (build 15.0.2.25), 14.6.3 (build 14.6.3.36), 14.2.5, and 14.0.6 on May 13, 2026 [1][2][4]. No workarounds are documented; upgrading to the fixed release for the installed branch, or to the latest available version, is the recommended course of action. The issue was not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time this insight was generated.
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 15.0.x <15.0.2, 14.6.x <14.6.3, 14.2.x <14.2.5, 14.0.x <14.0.6
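As an added check, not part of the CVE record or of CyberArk's own tooling: a small Python helper that classifies an installed PSMP version against the per-branch fixed versions listed above. It assumes the version is available as a plain dotted number (for example 14.6.3.36, the build-number form used in the Mitigation section); how PSMP actually reports its version is not stated on this page. Branches the advisory does not enumerate (such as a hypothetical 14.4.x) are reported as unknown rather than safe, since the record says nothing about them.

```python
# Added example: version-range check for CVE-2026-45172. Not CyberArk code.
from __future__ import annotations

# First fixed version on each branch named in the advisory, keyed by (major, minor).
# Anything on a listed branch that sorts below its fix is affected.
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, int, int]] = {
    (15, 0): (15, 0, 2),
    (14, 6): (14, 6, 3),
    (14, 2): (14, 2, 5),
    (14, 0): (14, 0, 6),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a dotted version such as '14.6.3.36' into a tuple of ints.

    Trailing build components are kept so the tuple still orders correctly.
    The plain-dotted format is an assumption, not something the advisory states.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text: str) -> str:
    """Return 'affected', 'fixed' or 'unknown-branch' for an installed version."""
    v = parse_version(version_text)
    if len(v) < 2:
        raise ValueError(f"need at least major.minor, got {version_text!r}")
    fix = FIXED_VERSIONS.get((v[0], v[1]))
    if fix is None:
        # Branch not enumerated in the advisory: the record does not say whether
        # it is affected, so never report it as safe without vendor confirmation.
        return "unknown-branch"
    # Compare the first three components only; pad short strings with zeros so
    # '14.6' is treated as 14.6.0 and '14.6.3.36' as 14.6.3.
    head = v[:3] + (0,) * (3 - len(v[:3]))
    return "affected" if head < fix else "fixed"


def assess_many(versions: list[str]) -> dict[str, str]:
    """Classify a batch of version strings, e.g. collected from an inventory."""
    return {ver: assess(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["15.0.2.25", "15.0.1", "14.6.3.36", "14.6.2", "14.2.4", "14.0.6", "14.4.1"]
    for ver, verdict in assess_many(sample).items():
        print(f"{ver:>12}  {verdict}")
```

Treat an "unknown-branch" result as a prompt to check the vendor release notes for that branch, not as a clean bill of health.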
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew14-0-6.htm (source: nvd)
- docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew14-2-5.htm (source: nvd)
- docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew14-6-psmp.htm (source: nvd)
- docs.cyberark.com/pam-self-hosted/latest/en/content/release%20notes/rn-whatsnew15-0-psmp.htm (source: nvd)
News mentions
No linked articles in our index yet.