Skip to main content

Ivanti EPMM CVE-2026-5787

| EUVDEUVD-2026-28394 HIGH
Improper Certificate Validation (CWE-295)
2026-05-07 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 GHSA-68p7-5fp8-cwwg
8.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
ENISA EUVD
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 07, 2026 - 16:30 vuln.today
CVE Published
May 07, 2026 - 16:16 nvd
HIGH 8.9

DescriptionCVE.org

An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.

AnalysisAI

Certificate validation bypass in Ivanti Endpoint Manager Mobile (EPMM) allows remote unauthenticated attackers to impersonate registered Sentry hosts and fraudulently obtain CA-signed client certificates. Affects all versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1. High-severity network attack (CVSS 8.9) with changed scope indicating potential pivot to additional systems. No active exploitation confirmed in CISA KEV at time of analysis, but Ivanti products are frequent targets requiring immediate patching priority.

Technical ContextAI

This vulnerability exploits CWE-295 (Improper Certificate Validation) in Ivanti EPMM's certificate authority infrastructure. EPMM uses Sentry components as on-premises gateways that mediate mobile device connections to internal enterprise resources. The Sentry architecture relies on mutual TLS authentication with CA-signed client certificates to establish trust. The improper validation flaw allows attackers to bypass certificate checks during Sentry registration or authentication, enabling them to present themselves as legitimate Sentry hosts. Once accepted, attackers receive valid client certificates signed by the EPMM certificate authority, granting cryptographic credentials that can authenticate to backend systems. This fundamentally breaks the PKI trust model that secures EPMM's mobile device management infrastructure.

RemediationAI

Upgrade immediately to Ivanti EPMM version 12.6.1.1, 12.7.0.1, or 12.8.0.1 depending on your release branch as detailed in Ivanti's May 2026 Security Advisory (https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs). No workarounds are documented by the vendor. If patching requires extended maintenance windows, implement compensating controls: restrict network access to EPMM Sentry registration endpoints via firewall rules allowing only known legitimate Sentry IP addresses (requires maintaining accurate IP inventory and breaks auto-enrollment of new Sentry hosts); enable enhanced logging for all certificate issuance events and monitor for anomalous Sentry registrations from unexpected network locations (detection-only, does not prevent exploitation); review all recently issued client certificates and revoke any associated with unrecognized Sentry hostnames or IP addresses (post-compromise mitigation). These mitigations significantly impact operational flexibility and provide incomplete protection - prioritize patching over extended use of workarounds.

More in Ivanti

View all
CVE-2024-7593 CRITICAL POC
9.8 Aug 13

Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai

CVE-2024-13159 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l

CVE-2024-13160 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu

CVE-2024-13161 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur

CVE-2025-0282 CRITICAL POC
9.0 Jan 08

Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated

CVE-2025-4427 MEDIUM POC
5.3 May 13

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a

CVE-2026-1281 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al

CVE-2026-1340 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a

CVE-2025-22457 CRITICAL POC
9.0 Apr 03

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re

CVE-2025-4428 HIGH POC
7.2 May 13

Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica

CVE-2026-1603 HIGH POC
8.6 Feb 10

Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen

CVE-2026-10520 CRITICAL POC
10.0 Jun 09

Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a

Share

CVE-2026-5787 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy