Code Defence Cyber security

Critical Zero-Day: Ivanti Connect Secure Authentication Bypass (CVE-2026-1920)

Summary: Security researchers have disclosed a new, critical authentication bypass vulnerability (CVE-2026-1920) affecting the latest versions of Ivanti Connect Secure. Unlike previous flaws, this zero-day allows unauthenticated attackers to bypass MFA and execute arbitrary commands on the VPN gateway. Active exploitation has been observed targeting the energy and defense sectors in the Middle East.

Business Impact: P1 Critical. For organizations relying on Ivanti for remote access, the perimeter is effectively wide open. Successful exploitation grants attackers “System” privileges, allowing them to harvest credentials, intercept traffic, and pivot internally without leaving standard authentication logs.

Why It Happened: A flaw in the SAML assertion handling logic allowed attackers to forge valid session tokens. This appears to be a regression introduced in the late-2025 stability patches.
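A detection sketch for the impact described above (forged session tokens that never appear in standard authentication logs): compare the sessions the gateway reports against successful authentication events and flag any session with no matching login. This is an added example, not code from Ivanti or from this advisory; the log and session line formats, field names, sample records and the five-minute window are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data; the field layout is an assumption for illustration,
# not the gateway's real log or session-export format.
AUTH_LOG = """\
2026-01-10T08:00:05Z auth=success user=alice src=198.51.100.10
2026-01-10T08:03:40Z auth=failure user=bob src=198.51.100.22
2026-01-10T09:15:00Z auth=success user=carol src=198.51.100.30
"""
SESSIONS = """\
2026-01-10T08:00:07Z sid=a1 user=alice src=198.51.100.10
2026-01-10T08:04:00Z sid=b2 user=bob src=198.51.100.22
2026-01-10T09:40:00Z sid=c3 user=carol src=198.51.100.30
2026-01-10T10:00:00Z sid=d4 user=admin src=203.0.113.77
"""
WINDOW = timedelta(minutes=5)  # assumed max gap between login and session start

def parse(text):
    """Turn 'timestamp k=v k=v ...' lines into dicts with a parsed 'ts'."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        row = dict(p.split("=", 1) for p in pairs)
        row["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows

def orphan_sessions(auth_text, session_text, window=WINDOW):
    """Return session ids with no successful auth for the same user and
    source address in the window before the session started."""
    logins = [a for a in parse(auth_text) if a.get("auth") == "success"]
    orphans = []
    for s in parse(session_text):
        matched = any(
            a["user"] == s["user"] and a["src"] == s["src"]
            and timedelta(0) <= s["ts"] - a["ts"] <= window
            for a in logins
        )
        if not matched:
            orphans.append(s["sid"])
    return orphans

if __name__ == "__main__":
    for sid in orphan_sessions(AUTH_LOG, SESSIONS):
        print("session without matching authentication:", sid)
```

Run it against logs forwarded to an external collector rather than copies stored on the appliance, since the advisory states that exploitation yields “System” privileges on the gateway.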

Recommended Executive Action: Immediately apply the emergency mitigation XML file provided by Ivanti today. If the patch is not yet available for your specific version, consider taking the VPN interface offline over the weekend until remediation is confirmed.

Hashtags: #Ivanti #ZeroDay #VPN #AuthenticationBypass #CVE20261920 #InfrastructureSecurity
