Skip to main content

Ivanti EPMM CVE-2026-7821

| EUVDEUVD-2026-28397 HIGH
Improper Certificate Validation (CWE-295)
2026-05-07 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 GHSA-pr5j-p9p7-3c46
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
ENISA EUVD
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 07, 2026 - 16:31 vuln.today
CVE Published
May 07, 2026 - 16:16 nvd
HIGH 7.4

DescriptionCVE.org

Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about EPMM appliance and impacting on the integrity of the newly enrolled device identity.

AnalysisAI

Improper certificate validation in Ivanti Endpoint Manager Mobile (EPMM) enables remote unauthenticated attackers to enroll restricted devices without authorization, exposing appliance configuration details and compromising enrolled device identity integrity. Affects EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. CVSS 7.4 with high attack complexity suggests exploitation requires specific timing or conditions. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis, though Ivanti products have been frequent targets of nation-state actors in recent years.

Technical ContextAI

Ivanti Endpoint Manager Mobile (formerly MobileIron) manages enterprise mobile device enrollment and policy enforcement. The vulnerability stems from CWE-295 (Improper Certificate Validation), where the EPMM server fails to properly validate certificates during device enrollment processes. This certificate validation failure allows attackers to bypass enrollment restrictions intended to prevent unauthorized devices from registering with the management platform. The flaw affects the enrollment API endpoints that authenticate new devices attempting to join the managed fleet. Versions 12.6.x, 12.7.x, and 12.8.x lines are vulnerable, with patches released as point releases (.1) indicating targeted security fixes rather than feature updates.

RemediationAI

Upgrade to Ivanti EPMM version 12.6.1.1, 12.7.0.1, or 12.8.0.1 depending on your current major version line, as documented in the May 2026 Security Advisory at https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs. Organizations should prioritize patching internet-facing EPMM instances first. As compensating controls until patching completes, restrict network access to EPMM enrollment endpoints to known corporate IP ranges or VPN gateways using firewall rules, though this may impact legitimate remote enrollment scenarios for traveling employees. Monitor enrollment logs for unexpected device registrations, particularly devices appearing in restricted categories or with unusual certificate chains. Implement multi-factor approval workflows for new device enrollments if supported by your EPMM version, adding human verification as a secondary control layer. Review recently enrolled devices (past 30-90 days) for anomalies that might indicate historical exploitation. Note that network restrictions may conflict with BYOD or remote worker enrollment use cases and require policy adjustments.

More in Ivanti

View all
CVE-2024-7593 CRITICAL POC
9.8 Aug 13

Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai

CVE-2024-13159 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l

CVE-2024-13160 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu

CVE-2024-13161 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur

CVE-2025-0282 CRITICAL POC
9.0 Jan 08

Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated

CVE-2025-4427 MEDIUM POC
5.3 May 13

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a

CVE-2026-1281 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al

CVE-2026-1340 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a

CVE-2025-22457 CRITICAL POC
9.0 Apr 03

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re

CVE-2025-4428 HIGH POC
7.2 May 13

Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica

CVE-2026-1603 HIGH POC
8.6 Feb 10

Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen

CVE-2026-10520 CRITICAL POC
10.0 Jun 09

Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a

Share

CVE-2026-7821 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy