Skip to main content

Ivanti EPMM EUVDEUVD-2026-28396

| CVE-2026-6973 HIGH
Improper Input Validation (CWE-20)
2026-05-07 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 GHSA-36fg-ffjj-h5p6
7.2
CVSS 3.1 · Vendor: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
Share

Severity by source

Vendor (3c1d8aa1-5a33-4ea4-8992-aadd6440af75) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
CRITICAL
qualitative

Primary rating from Vendor (3c1d8aa1-5a33-4ea4-8992-aadd6440af75).

CVSS VectorVendor: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Added to CISA KEV
May 07, 2026 - 16:33 CISA
Analysis Generated
May 07, 2026 - 16:30 vuln.today
CVE Published
May 07, 2026 - 16:16 nvd
HIGH 7.2

DescriptionCVE.org

An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.

AnalysisAI

Remote code execution in Ivanti Endpoint Manager Mobile (EPMM) allows authenticated administrators to execute arbitrary code on the server. Affects EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1 through improper input validation vulnerabilities. While requiring high-privilege administrator credentials (CVSS PR:H), the vulnerability enables complete system compromise once authenticated, with high impact to confidentiality, integrity, and availability. No public exploit or active exploitation confirmed at time of analysis.

Technical ContextAI

The vulnerability stems from improper input validation (CWE-20) in Ivanti Endpoint Manager Mobile, an enterprise mobility management platform. Input validation failures occur when applications fail to properly sanitize, verify, or restrict user-supplied data before processing. In administrative interfaces, this often manifests through command injection, template injection, or deserialization flaws where malicious payloads bypass security checks. The network attack vector (AV:N) indicates the vulnerable functionality is accessible over network protocols, likely through the EPMM administrative web interface or API endpoints. The affected versions span the 12.6.x, 12.7.x, and 12.8.x branches prior to their respective patch releases, suggesting the vulnerability was introduced in the 12.6 codebase and persisted through subsequent major versions.

RemediationAI

Upgrade Ivanti EPMM to version 12.6.1.1, 12.7.0.1, or 12.8.0.1 depending on current deployment branch, as documented in the May 2026 Security Advisory (https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US). Organizations should prioritize patching internet-facing EPMM instances and those with broader administrative access. Until patching is complete, implement network-level restrictions limiting EPMM administrative interface access to trusted IP ranges using firewall rules or VPN requirements, accepting the trade-off of reduced administrative convenience. Enforce multi-factor authentication for all EPMM administrator accounts to raise the bar for credential compromise. Review EPMM administrator account logs for suspicious authentication patterns or unusual administrative actions that could indicate exploitation attempts. These compensating controls do not eliminate risk but reduce attack surface during the patching window.

More in Ivanti

View all
CVE-2024-7593 CRITICAL POC
9.8 Aug 13

Authentication bypass in Ivanti Virtual Traffic Manager (vTM) admin panel allows remote unauthenticated attackers to gai

CVE-2024-13159 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to l

CVE-2024-13160 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a second absolute path traversal vulnerability for unauthenticated information disclosu

CVE-2024-13161 CRITICAL POC
9.8 Jan 14

Ivanti Endpoint Manager contains a third absolute path traversal vulnerability for unauthenticated information disclosur

CVE-2025-0282 CRITICAL POC
9.0 Jan 08

Ivanti Connect Secure, Policy Secure, and Neurons for ZTA contain a stack-based buffer overflow allowing unauthenticated

CVE-2025-4427 MEDIUM POC
5.3 May 13

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to a

CVE-2026-1281 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that al

CVE-2026-1340 CRITICAL POC
9.8 Jan 29

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to a

CVE-2025-22457 CRITICAL POC
9.0 Apr 03

Ivanti Connect Secure, Policy Secure, and ZTA Gateways contain a stack-based buffer overflow enabling unauthenticated re

CVE-2025-4428 HIGH POC
7.2 May 13

Ivanti Endpoint Manager Mobile (EPMM) contains an authenticated code injection in the API component, allowing authentica

CVE-2026-1603 HIGH POC
8.6 Feb 10

Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthen

CVE-2026-10520 CRITICAL POC
10.0 Jun 09

Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a

Share

EUVD-2026-28396 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy