Ivanti has issued an urgent security update for its Xtraction platform to address a critical vulnerability. Carrying a CVSS score of 9.6, this flaw opens the door to severe data exposure and malicious client-side attacks.
Tracked officially as CVE-2026-8043, this vulnerability is rooted in the “external control of a file name” within the Ivanti Xtraction application. Associated with CWE-22 and CWE-73, the flaw essentially gives bad actors the ability to bypass standard file and directory restrictions.
To exploit this, an attacker must be remotely authenticated. Once inside, the vulnerability grants them two dangerous capabilities:
- The attacker can navigate the system to read highly sensitive internal files, leading to major information disclosure.
- The attacker can also write arbitrary HTML files directly into a web directory. This effectively turns your own server into a weapon, setting the stage for client-side attacks against unsuspecting users navigating the platform.
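The two capabilities above are the classic consequences of an "external control of file name" flaw (CWE-22/CWE-73): a user-supplied name is joined onto a server path without being confined, so `../` sequences read files outside the intended directory and an unexpected extension lets an HTML file land in a web-served folder. The following Python example is added here and is not Ivanti's code; it does not reflect how Xtraction handles file names. It places the unsafe join pattern beside a hardened resolver, using a hypothetical export directory and a hypothetical extension allowlist, so the mitigations (no path components, double percent-decoding, extension allowlist, realpath containment) can be seen rejecting constructed inputs.

```python
"""Added example: confining a user-controlled file name to a base directory.
Not Ivanti code; the directory layout and allowlist are assumptions."""
import os
import tempfile
from urllib.parse import unquote

# Hypothetical allowlist for an export/report feature: HTML is deliberately absent,
# which is what blocks the "write HTML into a web directory" outcome.
ALLOWED_EXTENSIONS = {".csv", ".json", ".txt"}


def vulnerable_resolve(base_dir: str, user_name: str) -> str:
    """The unsafe pattern: trust the name and join it.
    '../' components or an absolute name walk straight out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, user_name))


def safe_resolve(base_dir: str, user_name: str) -> str:
    """Return an absolute path inside base_dir, or raise ValueError."""
    # Decode twice so a double-encoded '%252e%252e' does not survive one pass.
    name = unquote(unquote(user_name))
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    # The client may name a file, never a path: reject any separator or dot-dir.
    if "/" in name or "\\" in name or name in ("", ".", "..") \
            or os.path.basename(name) != name:
        raise ValueError("path components are not allowed")
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not on the allowlist")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath follows symlinks, so a link planted inside base_dir is caught too.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the base directory")
    return candidate


def demo() -> dict:
    """Run constructed names against a scratch directory; return a verdict per name."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        base = os.path.join(scratch, "exports")
        os.mkdir(base)
        # The unsafe join resolves to scratch/secret.txt, outside the export folder.
        escaped = vulnerable_resolve(base, "../secret.txt")
        results["vulnerable_escape"] = not escaped.startswith(base + os.sep)
        for name in ("report.csv", "../secret.txt", "..%2F..%2Fsecret.txt",
                     "%252e%252e/secret.txt", "evil.html", "sub/report.csv"):
            try:
                safe_resolve(base, name)
                results[name] = "accepted"
            except ValueError as exc:
                results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(f"{key!r}: {verdict}")
```

Rejecting separators outright is stricter than "normalise and compare", but it is the right default when the feature only ever needs a bare file name; the realpath containment check remains as defence in depth for cases where a subdirectory must be allowed.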
The vulnerability impacts legacy and current deployments that have not applied the latest security patch. At the time of the disclosure, the company stated that they “are not aware of any customers being exploited by this vulnerability”.
However, with a CVSS score of 9.6, the clock is ticking. Once a patch is public, threat actors historically move fast to reverse-engineer the fix and target unpatched systems.
The official fix is already live. Customers can permanently resolve this vulnerability by immediately upgrading their systems.
| Product Name | Affected Version(s) | Resolved Version(s) | Patch Availability |
|---|---|---|---|
| Ivanti Xtraction | 2026.1 and prior | 2026.2 | Download Available in ILS |