An improper certificate validation vulnerability in Ivanti Secure Access Client before 22

CVE-2026-8992 is an improper certificate validation flaw in Ivanti Secure Access Client fixed in 22.8R6. The public CVE record currently identifies the affected platform as Windows, and the practical issue is classic: if the client accepts a bad or attacker-controlled certificate during a connection flow, an attacker can impersonate the trusted server path and feed the client malicious content, with the vendor saying that can end in arbitrary code execution.

The vendor's HIGH 8.8 score overstates real-world urgency for most enterprises. Yes, the technical impact is ugly *if the chain lands*, but this is still a client-side, user-interaction, trust-bypass problem that usually needs an on-path attacker, rogue infrastructure, DNS/proxy control, or a compromised delivery point. That is materially different from an unauthenticated internet-edge Ivanti appliance bug, and it sharply narrows both exposure population and automation potential.

Why this verdict

• Primary friction: requires attacker position, not just internet reachability. CVSS says AV:N, but for a certificate-validation flaw that still usually means the attacker must control network path, DNS, proxying, Wi-Fi, or another trusted channel. That is a major real-world downgrade from appliance-style pre-auth RCE.
• User-driven and workflow-dependent. The vector includes UI:R, and the client has to actually initiate a susceptible connection or delivery workflow. On 10,000 endpoints, not every installed client is equally reachable at all times.
• Low threat intelligence heat. EPSS is 0.00127, KEV is absent, no public exploitation was found, and CISA ADP enrichment says Exploitation: none and Automatable: no. That is not the profile of a drop-everything patch event.

Why not higher?

Because the chain is narrower than the vendor score suggests. A remote attacker on the general internet does not get reliable, direct reach into every Ivanti client; they need traffic influence plus a live client workflow, and modern EDR/application control can still break the final stage. Sparse public exploit detail also argues against assuming near-term mass weaponization.

Why not lower?

Because once an attacker *does* have the right position, the blast radius is a managed endpoint and the vendor is claiming arbitrary code execution, not a harmless warning bypass. In environments with large remote-user populations, hostile networks, or weak TLS interception hygiene, this is still a meaningful post-initial-access or rogue-network risk.

1. Force trusted egress paths — Pin Ivanti client traffic to known corporate DNS, proxy, and network paths where possible, and block split-tunnel exceptions that let clients resolve or reach gateways through untrusted local infrastructure. For a MEDIUM verdict there is no mitigation SLA; use this as risk reduction while you work the 365-day remediation window.
2. Harden hostile-network protections — Enable rogue-AP detection, DHCP snooping, Dynamic ARP Inspection, and wireless protections on enterprise-controlled networks, and enforce secure remote-user guidance for unmanaged Wi-Fi. This directly attacks the MITM prerequisite; again, no mitigation SLA applies here, so treat it as a control improvement rather than an emergency workaround.
3. Constrain endpoint execution — Use EDR prevention, WDAC/AppLocker, SmartScreen, and child-process controls to stop Ivanti client components from launching unapproved payloads. This is your best brake on the final execution stage if trust-bypass succeeds; keep it in place continuously and remediate the actual vulnerable version within 365 days.
4. Audit dynamic client delivery features — Review whether browser-driven installs, dynamic component downloads, or optional client-side modules are enabled and needed. Reducing those features trims the number of exploitable workflows without waiting for a crisis-level maintenance window; for MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window.

Run this on the target Windows endpoint or through your EDR/RMM as a local script. Invoke it with powershell.exe -ExecutionPolicy Bypass -File .\check-isac-cve-2026-8992.ps1; standard user rights are usually enough to read uninstall data, but local admin gives the most reliable view across all registry hives.

# check-isac-cve-2026-8992.ps1

# Detects likely vulnerable Ivanti Secure Access Client installs for CVE-2026-8992.

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'SilentlyContinue'

function Get-InstalledEntries {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    foreach ($p in $paths) {
        Get-ItemProperty $p | Where-Object {
            $_.DisplayName -match 'Ivanti Secure Access Client|Pulse Secure'
        } | Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation
    }
}

function Test-IsPatchedString {
    param([string]$Version)
    if (-not $Version) { return $false }
    $v = $Version.Trim()
    if ($v -match '22\.8\s*R?6(\b|\.)') { return $true }
    if ($v -match '22\.8\.6(\b|\.)') { return $true }
    return $false
}

function Test-IsVulnerableString {
    param([string]$Version)
    if (-not $Version) { return $false }
    $v = $Version.Trim()

    # Explicitly vulnerable 22.8R1-R5 / 22.8.1-22.8.5 forms

    if ($v -match '22\.8\s*R?[1-5](\b|\.)') { return $true }
    if ($v -match '22\.8\.[1-5](\b|\.)') { return $true }

    # Earlier major/minor branches commonly seen in this product line

    if ($v -match '^(9\.|22\.[0-7](\.|\b)|22\.2\b|22\.3\b|22\.4\b|22\.5\b|22\.6\b|22\.7\b)') { return $true }

    return $false
}

$entries = @(Get-InstalledEntries)

if (-not $entries -or $entries.Count -eq 0) {
    Write-Output 'UNKNOWN - Ivanti Secure Access Client not found in standard uninstall locations.'
    exit 2
}

$patched = $false
$vulnerable = $false
$unknownSeen = $false

foreach ($e in $entries) {
    $name = $e.DisplayName
    $ver  = $e.DisplayVersion

    if (Test-IsPatchedString -Version $ver) {
        Write-Output ("PATCHED - {0} version {1}" -f $name, $ver)
        $patched = $true
        continue
    }

    if (Test-IsVulnerableString -Version $ver) {
        Write-Output ("VULNERABLE - {0} version {1}" -f $name, $ver)
        $vulnerable = $true
        continue
    }

    Write-Output ("UNKNOWN - {0} version {1}" -f $name, $(if ($ver) { $ver } else { '<blank>' }))
    $unknownSeen = $true
}

if ($vulnerable) { exit 1 }
if ($patched -and -not $unknownSeen) { exit 0 }
exit 2

Sources

1. NVD CVE-2026-8992
2. CIRCL Vulnerability Lookup for CVE-2026-8992
3. Ivanti advisory URL referenced by NVD/CVE
4. Ivanti Secure Access Client Supported Platforms Guide 22.8R6
5. Ivanti Secure Access Client 22.X Release Notes Overview
6. Tenable Plugin 314681 - Ivanti Secure Access Client 22.x < 22.8R6 Multiple Vulnerabilities
7. CERT-FR advisory referencing Ivanti May 2026 bulletin
8. CISA Known Exploited Vulnerabilities Catalog