Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (3c1d8aa1-5a33-4ea4-8992-aadd6440af75).
CVSS VectorVendor: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.
AnalysisAI
Remote code execution in Ivanti Endpoint Manager Mobile (EPMM) allows authenticated administrators to execute arbitrary code on the server. Affects EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1 through improper input validation vulnerabilities. While requiring high-privilege administrator credentials (CVSS PR:H), the vulnerability enables complete system compromise once authenticated, with high impact to confidentiality, integrity, and availability. No public exploit or active exploitation confirmed at time of analysis.
Technical ContextAI
The vulnerability stems from improper input validation (CWE-20) in Ivanti Endpoint Manager Mobile, an enterprise mobility management platform. Input validation failures occur when applications fail to properly sanitize, verify, or restrict user-supplied data before processing. In administrative interfaces, this often manifests through command injection, template injection, or deserialization flaws where malicious payloads bypass security checks. The network attack vector (AV:N) indicates the vulnerable functionality is accessible over network protocols, likely through the EPMM administrative web interface or API endpoints. The affected versions span the 12.6.x, 12.7.x, and 12.8.x branches prior to their respective patch releases, suggesting the vulnerability was introduced in the 12.6 codebase and persisted through subsequent major versions.
RemediationAI
Upgrade Ivanti EPMM to version 12.6.1.1, 12.7.0.1, or 12.8.0.1 depending on current deployment branch, as documented in the May 2026 Security Advisory (https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US). Organizations should prioritize patching internet-facing EPMM instances and those with broader administrative access. Until patching is complete, implement network-level restrictions limiting EPMM administrative interface access to trusted IP ranges using firewall rules or VPN requirements, accepting the trade-off of reduced administrative convenience. Enforce multi-factor authentication for all EPMM administrator accounts to raise the bar for credential compromise. Review EPMM administrator account logs for suspicious authentication patterns or unusual administrative actions that could indicate exploitation attempts. These compensating controls do not eliminate risk but reduce attack surface during the patching window.
Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai
Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l
Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu
Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur
Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated
An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a
Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a
Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re
Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica
Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen
Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28396
GHSA-36fg-ffjj-h5p6