Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access.
AnalysisAI
Privilege escalation in Ivanti Endpoint Manager Mobile (EPMM) allows remote authenticated attackers with low-level credentials to gain full administrative access. Affected versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1 contain an improper access control flaw (CWE-284) that enables credential-holding users to bypass authorization checks and assume administrative privileges. With CVSS 8.8 (High) and network-exploitable attack vector requiring only low privileges, this represents a significant risk for enterprise mobile device management environments, though EPSS data and active exploitation status are not available at time of analysis.
Technical ContextAI
Ivanti Endpoint Manager Mobile (EPMM) is an enterprise mobility management platform for securing and managing mobile devices, applications, and content across iOS, Android, and Windows endpoints. The vulnerability stems from CWE-284 (Improper Access Control), indicating inadequate enforcement of authorization boundaries between user privilege levels. The CPE identifier (cpe:2.3:a:ivanti:endpoint_manager_mobile) confirms the software application layer is affected. This class of vulnerability typically involves missing or bypassable permission checks in administrative API endpoints, web console interfaces, or configuration management functions. The network attack vector (AV:N) combined with low attack complexity (AC:L) suggests the access control failure is in a remotely accessible interface that does not require complex exploitation techniques or race conditions. Authentication is required (PR:L), meaning attackers need valid user credentials, but critically, those credentials need not have elevated privileges initially.
RemediationAI
Immediately upgrade Ivanti EPMM to patched versions: 12.6.1.1 for 12.6.x deployments, 12.7.0.1 for 12.7.x deployments, or 12.8.0.1 for 12.8.x deployments as detailed in Ivanti's May 2026 Security Advisory (https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs). If immediate patching is not feasible, implement network segmentation to restrict EPMM console access to trusted administrative networks only via firewall rules or VPN enforcement, which reduces remote attack surface but does not eliminate risk from compromised internal accounts or VPN-authenticated attackers. Review and audit all user accounts with EPMM access, immediately disable or demote accounts with unnecessary privileges, and implement mandatory multi-factor authentication (MFA) for all user tiers to raise the barrier for credential compromise. Monitor authentication logs for unusual privilege escalation activity, failed access attempts to administrative functions by low-privileged accounts, and configuration changes outside normal administrative workflows. Note that network segmentation and MFA add operational overhead and do not fix the underlying vulnerability, requiring expedited patching as the definitive control.
Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai
Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l
Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu
Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur
Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated
An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a
Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re
Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica
Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen
Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28393
GHSA-hc87-4m3j-m5vx