Significance
VPN clients run with deep system access, hold persistent credential material, and are deployed across entire enterprise fleets. They sit on every endpoint that connects back to the corporate network, often as the highest-privilege agent on the host besides the OS itself. That trust is necessary. It also means a single flaw in the VPN client can become a fleet-wide local-privilege primitive.
AI-assisted vulnerability discovery is changing this. Models that read and reason about code are now spotting patterns that years of manual review missed. Anthropic’s recent zero-day research demonstrated this at scale across open source software. The same approach applies to commercial security and remote-access tooling.
Using semantic analysis combined with manual review, we identified a vulnerability in the Ivanti Secure Access Client for Windows (the same product line previously branded as Pulse Secure VPN client). It has been published as CVE-2026-7431, and the fix is included in Ivanti Secure Access Client 22.8R6. Ivanti’s advisory is available here.
CVE-2026-7431: Shared-Memory ACL Allowing Log Read/Modify
The Ivanti Secure Access Client uses two Windows shared-memory sections for its logging subsystem on Windows. Both are created by connectionmanagerservice.dll with permissive ACLs that grant Authenticated Users generic read + generic write access:
| Object | Size | SDDL |
|---|---|---|
Global\PulseSecure.LogBuffer.SharedMemory.v1 | 16,388 bytes | D:(A;OI;GRGW;;;AU)(A;OI;GA;;;SY)(A;OI;GA;;;BA) |
Global\PulseSecure.LogService.Settings.SharedMemory.v2 | 4,096 bytes | identical SDDL pattern |
The AU ACE grants GRGW. Any logged-in user can read the buffer, which contains VPN connection metadata, server hostnames, and protocol-level diagnostic strings, and write attacker-controlled bytes into it. The write side matters because a SYSTEM-context log service consumes the buffer and flushes its contents into SYSTEM-owned files. A local user writes the bytes; a SYSTEM process persists them.
Dynamic validation on Ivanti Secure Access Client 22.8R4 from a standard-user session:
Object: Global\PulseSecure.LogBuffer.SharedMemory.v1
Size: 20480 bytes, readable by std user (read confirmed)
Object: Global\PulseSecure.LogService.Settings.SharedMemory.v2
Size: 4096 bytes, readable by std user (read confirmed)
Exploitability and CVSS
Ivanti’s CNA assessment:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, 4.4 Medium
Attack vector is local, privileges required are Low (any authenticated user), and the confidentiality / integrity impacts are scored Low because the affected resource is log data rather than primary credentials. Our internal assessment scored the integrity impact higher (I:H) because the SYSTEM-side log flush makes attacker-written bytes persist as privileged file content; reasonable people can score this either way. The bug is fixed regardless.
The fix in Ivanti Secure Access Client 22.8R6 closes this vulnerability. Compatible server-side components for the fixed client are listed in Ivanti’s advisory.
Coordinated Disclosure
Reported to Ivanti through their coordinated disclosure program. Ivanti’s PSIRT triaged the submission, assigned the CVE identifier under the Ivanti CNA, and shipped the fix in the next release cycle.
No exploitation techniques are included in this post. Reproduction details were shared privately with Ivanti and exist solely to confirm the vulnerability.
About This Research
CVE-2026-7431 is one finding from CyberDagger’s automated vulnerability research programme, which combines semantic analysis, dynamic validation, and targeted fuzzing across enterprise software and embedded systems.
We are currently in coordinated disclosure with multiple vendors across endpoint security, networking infrastructure, remote-access clients, and embedded firmware. Additional findings will be published as those processes conclude.
See the full research record → · Live pipeline dashboard →
Discovered by John Rodriguez, CyberDagger LLC. All research performed on legally obtained software under coordinated disclosure with standard timelines.