Skip to main content

Ivanti EPMM CVE-2026-5788

| EUVDEUVD-2026-28395 HIGH
Improper Access Control (CWE-284)
2026-05-07 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 GHSA-wwfp-6c8c-qg35
7.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
ENISA EUVD
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

2
Analysis Generated
May 07, 2026 - 16:30 vuln.today
CVE Published
May 07, 2026 - 16:16 nvd
HIGH 7.0

DescriptionCVE.org

An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods.

AnalysisAI

Remote unauthenticated attackers can invoke arbitrary methods in Ivanti Endpoint Manager Mobile (EPMM) via improper access control flaws, enabling authentication bypass and potential system compromise. Affects versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. The CVSS vector indicates network-accessible exploitation with high attack complexity, resulting in high integrity impact and limited confidentiality/availability impact. No active exploitation confirmed via CISA KEV at time of analysis, though the authentication bypass tag and Ivanti's history of targeted attacks warrant elevated monitoring.

Technical ContextAI

Ivanti Endpoint Manager Mobile (EPMM) is an enterprise mobility management platform for securing and managing mobile devices, applications, and content. This vulnerability stems from CWE-284 (Improper Access Control), where authentication or authorization checks fail to properly restrict which methods can be invoked remotely. In web application frameworks and API endpoints, improper access control typically occurs when business logic functions are exposed without adequate authentication gates, or when authorization checks can be bypassed through parameter manipulation, path traversal, or direct object references. The affected versions span three major release branches (12.6.x, 12.7.x, 12.8.x), suggesting the vulnerability exists in shared core access control logic rather than a single component. The 'arbitrary method invocation' language indicates attackers may call internal functions directly, potentially bypassing intended application workflows and security boundaries.

RemediationAI

Upgrade Ivanti EPMM to patched versions: 12.6.1.1 or later for 12.6.x deployments, 12.7.0.1 or later for 12.7.x deployments, or 12.8.0.1 or later for 12.8.x deployments as documented in Ivanti's May 2026 Security Advisory at https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs. Follow Ivanti's upgrade procedures including pre-upgrade backups and compatibility testing in non-production environments. If immediate patching is not feasible, implement network-level compensating controls: restrict EPMM administrative interfaces to trusted management networks only via firewall rules, deploy web application firewall (WAF) with strict allow-listing of known-good API endpoints and methods, and enable comprehensive logging of all API invocations for anomaly detection. Note that network restrictions may limit remote administration capabilities and require VPN access for administrators. Monitor Ivanti's advisory for additional indicators of compromise or detection guidance given the authentication bypass nature.

More in Ivanti

View all
CVE-2024-7593 CRITICAL POC
9.8 Aug 13

Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai

CVE-2024-13159 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l

CVE-2024-13160 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu

CVE-2024-13161 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur

CVE-2025-0282 CRITICAL POC
9.0 Jan 08

Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated

CVE-2025-4427 MEDIUM POC
5.3 May 13

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a

CVE-2026-1281 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al

CVE-2026-1340 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a

CVE-2025-22457 CRITICAL POC
9.0 Apr 03

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re

CVE-2025-4428 HIGH POC
7.2 May 13

Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica

CVE-2026-1603 HIGH POC
8.6 Feb 10

Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen

CVE-2026-10520 CRITICAL POC
10.0 Jun 09

Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a

Share

CVE-2026-5788 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy