Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Lifecycle Timeline
2DescriptionCVE.org
An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.
AnalysisAI
Certificate validation bypass in Ivanti Endpoint Manager Mobile (EPMM) allows remote unauthenticated attackers to impersonate registered Sentry hosts and fraudulently obtain CA-signed client certificates. Affects all versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1. High-severity network attack (CVSS 8.9) with changed scope indicating potential pivot to additional systems. No active exploitation confirmed in CISA KEV at time of analysis, but Ivanti products are frequent targets requiring immediate patching priority.
Technical ContextAI
This vulnerability exploits CWE-295 (Improper Certificate Validation) in Ivanti EPMM's certificate authority infrastructure. EPMM uses Sentry components as on-premises gateways that mediate mobile device connections to internal enterprise resources. The Sentry architecture relies on mutual TLS authentication with CA-signed client certificates to establish trust. The improper validation flaw allows attackers to bypass certificate checks during Sentry registration or authentication, enabling them to present themselves as legitimate Sentry hosts. Once accepted, attackers receive valid client certificates signed by the EPMM certificate authority, granting cryptographic credentials that can authenticate to backend systems. This fundamentally breaks the PKI trust model that secures EPMM's mobile device management infrastructure.
RemediationAI
Upgrade immediately to Ivanti EPMM version 12.6.1.1, 12.7.0.1, or 12.8.0.1 depending on your release branch as detailed in Ivanti's May 2026 Security Advisory (https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs). No workarounds are documented by the vendor. If patching requires extended maintenance windows, implement compensating controls: restrict network access to EPMM Sentry registration endpoints via firewall rules allowing only known legitimate Sentry IP addresses (requires maintaining accurate IP inventory and breaks auto-enrollment of new Sentry hosts); enable enhanced logging for all certificate issuance events and monitor for anomalous Sentry registrations from unexpected network locations (detection-only, does not prevent exploitation); review all recently issued client certificates and revoke any associated with unrecognized Sentry hostnames or IP addresses (post-compromise mitigation). These mitigations significantly impact operational flexibility and provide incomplete protection - prioritize patching over extended use of workarounds.
Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai
Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l
Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu
Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur
Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated
An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a
Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re
Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica
Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen
Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28394
GHSA-68p7-5fp8-cwwg