Skip to main content

Ivanti

Vendor security scorecard – 47 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 484
47
CVEs
5
Critical
27
High
5
KEV
6
PoC
31
Unpatched C/H
2.1%
Patch Rate
4.3%
Avg EPSS

Severity Breakdown

CRITICAL
5
HIGH
27
MEDIUM
15
LOW
0

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-1281 Ivanti Endpoint Manager Mobile (EPMM) contains a critical code injection vulnerability (CVE-2026-1281, CVSS 9.8) that allows unauthenticated remote attackers to execute arbitrary code. With EPSS 64.8% and KEV listing, this vulnerability in the mobile device management platform threatens the security of every managed mobile device in the organization, as EPMM has the ability to push configurations, certificates, and apps to enrolled devices. CRITICAL 9.8 64.8% 199
KEV PoC
CVE-2026-1340 Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that allows unauthenticated attackers to achieve remote code execution on the mobile device management server. Compromising the MDM server provides access to all managed mobile device configurations, policies, and potentially the ability to push malicious profiles to enrolled devices. CRITICAL 9.8 50.9% 185
KEV PoC No patch
CVE-2026-1603 Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthenticated remote attackers to leak stored credential data. KEV-listed with EPSS 43.9%, this vulnerability exposes credentials stored in the endpoint management platform — potentially including service accounts, deployment credentials, and other secrets used to manage the entire endpoint fleet. HIGH 8.6 43.9% 157
KEV PoC No patch
CVE-2026-10520 Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to achieve root-level command execution via OS command injection. With a maximum CVSS score of 10.0 and a network-accessible, no-interaction attack vector, this represents a critical exposure for any internet-facing Sentry appliance, though no public exploit has been identified at time of analysis. CRITICAL 10.0 0.2% 140
KEV PoC No patch
CVE-2026-6973 Remote code execution in Ivanti Endpoint Manager Mobile (EPMM) allows authenticated administrators to execute arbitrary code on the server. Affects EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1 through improper input validation vulnerabilities. While requiring high-privilege administrator credentials (CVSS PR:H), the vulnerability enables complete system compromise once authenticated, with high impact to confidentiality, integrity, and availability. No public exploit or active exploitation confirmed at time of analysis. HIGH 7.2 5.0% 131
KEV PoC No patch
CVE-2026-10523 Authentication bypass in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows remote unauthenticated attackers to create arbitrary administrative accounts and gain full administrative control of the appliance. Publicly available exploit code exists (watchTowr Labs PoC chained with CVE-2026-10520 for RCE), though it is not yet listed in CISA KEV; EPSS sits at a modest 0.31% (54th percentile) despite the critical CVSS 9.8 rating. CRITICAL 9.8 0.3% 89
PoC No patch
CVE-2026-5787 Certificate validation bypass in Ivanti Endpoint Manager Mobile (EPMM) allows remote unauthenticated attackers to impersonate registered Sentry hosts and fraudulently obtain CA-signed client certificates. Affects all versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1. High-severity network attack (CVSS 8.9) with changed scope indicating potential pivot to additional systems. No active exploitation confirmed in CISA KEV at time of analysis, but Ivanti products are frequent targets requiring immediate patching priority. HIGH 8.9 0.0% 65
No patch
CVE-2026-5786 Privilege escalation in Ivanti Endpoint Manager Mobile (EPMM) allows remote authenticated attackers with low-level credentials to gain full administrative access. Affected versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1 contain an improper access control flaw (CWE-284) that enables credential-holding users to bypass authorization checks and assume administrative privileges. With CVSS 8.8 (High) and network-exploitable attack vector requiring only low privileges, this represents a significant risk for enterprise mobile device management environments, though EPSS data and active exploitation status are not available at time of analysis. HIGH 8.8 0.4% 64
No patch
CVE-2026-7821 Improper certificate validation in Ivanti Endpoint Manager Mobile (EPMM) enables remote unauthenticated attackers to enroll restricted devices without authorization, exposing appliance configuration details and compromising enrolled device identity integrity. Affects EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. CVSS 7.4 with high attack complexity suggests exploitation requires specific timing or conditions. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis, though Ivanti products have been frequent targets of nation-state actors in recent years. HIGH 7.4 0.0% 57
No patch
CVE-2026-5788 Remote unauthenticated attackers can invoke arbitrary methods in Ivanti Endpoint Manager Mobile (EPMM) via improper access control flaws, enabling authentication bypass and potential system compromise. Affects versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. The CVSS vector indicates network-accessible exploitation with high attack complexity, resulting in high integrity impact and limited confidentiality/availability impact. No active exploitation confirmed via CISA KEV at time of analysis, though the authentication bypass tag and Ivanti's history of targeted attacks warrant elevated monitoring. HIGH 7.0 0.2% 55
No patch
CVE-2026-8043 Path traversal in Ivanti Xtraction enables remote authenticated attackers with low-level privileges to read sensitive system files and inject arbitrary HTML into web-accessible directories, creating risks of credential theft, configuration exposure, and client-side attacks against other users. CVSS 9.6 severity driven by scope change (S:C) indicates the attacker can impact resources beyond the vulnerable component. No public exploit or CISA KEV listing identified, but vendor advisory confirms the vulnerability affects all versions prior to 2026.2. CRITICAL 9.6 0.1% 48
No patch
CVE-2025-8297 Incomplete restriction of configuration in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to achieve remote code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available. HIGH 7.2 9.3% 45
No patch
CVE-2026-9614 Privilege escalation to administrative access in Ivanti Neurons for ITSM (both cloud and on-premises deployments) allows a remote authenticated attacker to bypass access controls and obtain admin-level permissions. The flaw carries a CVSS 8.8 rating with low attack complexity, and Ivanti has published a security advisory; no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV. HIGH 8.8 0.4% 44
No patch
CVE-2026-8111 SQL injection in Ivanti Endpoint Manager web console enables authenticated remote attackers to execute arbitrary code on the server. Affects all versions prior to 2024 SU6. Attack requires only low-privilege authenticated access (CVSS PR:L) with low complexity (AC:L), making exploitation straightforward for any authenticated user. Ivanti has released patched version 2024 SU6 per vendor advisory dated May 2026. No CISA KEV listing or public exploit code identified at time of analysis, indicating exploitation not yet confirmed in the wild despite high severity score. HIGH 8.8 0.3% 44
No patch
CVE-2026-8992 Remote code execution in Ivanti Secure Access Client versions prior to 22.8R6 allows unauthenticated attackers to run arbitrary code on endpoints by exploiting improper TLS certificate validation, contingent on user interaction (UI:R). No public exploit identified at time of analysis, but the CVSS 8.8 rating and Ivanti's own advisory disclosure mark this as a high-priority client-side risk for organizations using the VPN client. HIGH 8.8 0.1% 44
No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy