Ivanti Endpoint Manager Vulnerability Exposes Stored Credentials via RemoteControlAuth Module
Ivanti has patched a vulnerability (CVE-2026-8109) in Endpoint Manager's RemoteControlAuth module that could allow remote attackers to bypass authentication and disclose stored credentials.
Ivanti has released a security update to address a vulnerability in its Endpoint Manager (EPM) product that could allow remote attackers to disclose sensitive information. The flaw, tracked as CVE-2026-8109 and reported through the Zero Day Initiative (ZDI-26-308), resides in the RemoteControlAuth module and involves an exposed dangerous method. Although authentication is required to exploit the vulnerability, the existing authentication mechanism can be bypassed, potentially leading to the disclosure of stored credentials and further compromise of affected systems.
The vulnerability carries a CVSS score of 4.9 (medium severity) with a vector of AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, indicating that while an attacker needs high privileges, the attack can be launched remotely over the network without user interaction. The flaw was reported to Ivanti on November 25, 2025, and the coordinated public release of the advisory occurred on May 12, 2026, alongside the availability of a patch.
Ivanti Endpoint Manager is a widely used unified endpoint management solution that helps organizations manage and secure devices, including desktops, servers, and mobile devices. The RemoteControlAuth module is responsible for handling authentication for remote control sessions, making this vulnerability particularly concerning as it could allow an attacker to gain access to sensitive credentials used for remote management.
Ivanti has issued a security advisory with details on the update, which can be found on their support hub. The company recommends that all customers apply the patch as soon as possible to mitigate the risk. The advisory also credits the researcher who discovered the flaw, identified by a hash (06fe5fd2bc53027c4a3b7e395af0b850e7b8a044).
This vulnerability is part of a broader trend of security issues in endpoint management solutions, which are attractive targets for attackers due to their privileged access and centralized control. Organizations using Ivanti EPM should prioritize patching and review their remote access configurations to ensure that authentication mechanisms are properly secured.
While the CVSS score is medium, the potential for credential disclosure could lead to more severe attacks, including lateral movement and privilege escalation within the network. Ivanti's prompt response in releasing a patch within the coordinated disclosure timeline is commendable, but users should remain vigilant and monitor for any signs of exploitation.
In summary, CVE-2026-8109 is a notable vulnerability in Ivanti Endpoint Manager that underscores the importance of securing remote management interfaces. With a patch now available, affected organizations should act quickly to protect their environments.