Skip to main content

Ivanti EPMM CVE-2026-5786

| EUVDEUVD-2026-28393 HIGH
Improper Access Control (CWE-284)
2026-05-07 ivanti GHSA-hc87-4m3j-m5vx
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 07, 2026 - 16:00 vuln.today
CVE Published
May 07, 2026 - 15:18 nvd
HIGH 8.8

DescriptionCVE.org

An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access.

AnalysisAI

Privilege escalation in Ivanti Endpoint Manager Mobile (EPMM) allows remote authenticated attackers with low-level credentials to gain full administrative access. Affected versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1 contain an improper access control flaw (CWE-284) that enables credential-holding users to bypass authorization checks and assume administrative privileges. With CVSS 8.8 (High) and network-exploitable attack vector requiring only low privileges, this represents a significant risk for enterprise mobile device management environments, though EPSS data and active exploitation status are not available at time of analysis.

Technical ContextAI

Ivanti Endpoint Manager Mobile (EPMM) is an enterprise mobility management platform for securing and managing mobile devices, applications, and content across iOS, Android, and Windows endpoints. The vulnerability stems from CWE-284 (Improper Access Control), indicating inadequate enforcement of authorization boundaries between user privilege levels. The CPE identifier (cpe:2.3:a:ivanti:endpoint_manager_mobile) confirms the software application layer is affected. This class of vulnerability typically involves missing or bypassable permission checks in administrative API endpoints, web console interfaces, or configuration management functions. The network attack vector (AV:N) combined with low attack complexity (AC:L) suggests the access control failure is in a remotely accessible interface that does not require complex exploitation techniques or race conditions. Authentication is required (PR:L), meaning attackers need valid user credentials, but critically, those credentials need not have elevated privileges initially.

RemediationAI

Immediately upgrade Ivanti EPMM to patched versions: 12.6.1.1 for 12.6.x deployments, 12.7.0.1 for 12.7.x deployments, or 12.8.0.1 for 12.8.x deployments as detailed in Ivanti's May 2026 Security Advisory (https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs). If immediate patching is not feasible, implement network segmentation to restrict EPMM console access to trusted administrative networks only via firewall rules or VPN enforcement, which reduces remote attack surface but does not eliminate risk from compromised internal accounts or VPN-authenticated attackers. Review and audit all user accounts with EPMM access, immediately disable or demote accounts with unnecessary privileges, and implement mandatory multi-factor authentication (MFA) for all user tiers to raise the barrier for credential compromise. Monitor authentication logs for unusual privilege escalation activity, failed access attempts to administrative functions by low-privileged accounts, and configuration changes outside normal administrative workflows. Note that network segmentation and MFA add operational overhead and do not fix the underlying vulnerability, requiring expedited patching as the definitive control.

More in Ivanti

View all
CVE-2024-7593 CRITICAL POC
9.8 Aug 13

Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai

CVE-2024-13159 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l

CVE-2024-13160 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu

CVE-2024-13161 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur

CVE-2025-0282 CRITICAL POC
9.0 Jan 08

Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated

CVE-2025-4427 MEDIUM POC
5.3 May 13

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a

CVE-2026-1281 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al

CVE-2026-1340 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a

CVE-2025-22457 CRITICAL POC
9.0 Apr 03

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re

CVE-2025-4428 HIGH POC
7.2 May 13

Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica

CVE-2026-1603 HIGH POC
8.6 Feb 10

Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen

CVE-2026-10520 CRITICAL POC
10.0 Jun 09

Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a

Share

CVE-2026-5786 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy