CVE-2026-5787
published 2026-05-07
CVE-2026-5787: An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate…
Priority: P261, critical, 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.69% (48.0th percentile)
An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | endpoint_manager_mobile | < 12.6.1.1 | 12.6.1.1 |
| ivanti | endpoint_manager_mobile | — | — |
| ivanti | endpoint_manager_mobile | — | — |
Detection & IOCs
- Monitor for unexpected or anomalous certificate issuance requests to the EPMM CA, particularly from hosts not previously registered as Sentry nodes, which may indicate impersonation attempts exploiting improper certificate validation.
- Alert on unauthenticated remote connections to Ivanti EPMM endpoints responsible for Sentry host registration or certificate provisioning workflows.
- Ivanti EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1 are vulnerable; patch to these versions or later to remediate the improper certificate validation flaw.
- The vulnerability is classified CWE-295 (Improper Certificate Validation), meaning the EPMM server does not sufficiently validate the identity of Sentry hosts during certificate requests, enabling impersonation by unauthenticated remote attackers.
VulDB
Ivanti Endpoint Manager Mobile prior 12.6.1.1/12.7.0.1/12.8.0.1 certificate validation
vuldb·2026-05-07·CVSS 9.1
CVE-2026-5787 [CRITICAL] Ivanti Endpoint Manager Mobile prior 12.6.1.1/12.7.0.1/12.8.0.1 certificate validation
A vulnerability categorized as critical has been discovered in Ivanti Endpoint Manager Mobile. Impacted is an unknown function. Executing a manipulation can lead to improper certificate validation.
The identification of this vulnerability is CVE-2026-5787. The attack may be launched remotely. There is no exploit available.
It is advisable to upgrade the affected component.
GHSA
GHSA-68p7-5fp8-cwwg: An Improper Certificate Validation in Ivanti EPMM before versions 12
ghsa_unreviewed·2026-05-07
CVE-2026-5787 [HIGH] CWE-295 GHSA-68p7-5fp8-cwwg: An Improper Certificate Validation in Ivanti EPMM before versions 12
An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.
Ivanti
Ivanti Security Advisory: CVE-2026-5787
vendor_ivanti·2026-05-07·CVSS 9.1
CVE-2026-5787 [CRITICAL] CWE-295 Ivanti Security Advisory: CVE-2026-5787
An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.
CVE IDs: CVE-2026-5787
CVSS Base Score: 8.9
Severity: HIGH
CWEs: CWE-295
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Ivanti warns of new EPMM flaw exploited in zero-day attacks
blogs_bleepingcomputer·2026-05-07·CVSS 8.8
CVE-2026-6973 [HIGH] Ivanti warns of new EPMM flaw exploited in zero-day attacks
## Ivanti warns of new EPMM flaw exploited in zero-day attacks
## Sergiu Gatlan
Ivanti warned customers today to patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) exploited in zero-day attacks.
The security flaw (tracked as CVE-2026-6973) stems from an Improper Input Validation weakness that allows remote attackers with administrative privileges to execute arbitrary code on targeted systems running EPMM 12.8.0.0 and earlier.
Ivanti says customers can mitigate the zero-day by installing Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and advises customers to review accounts with Admin rights and rotate those credentials where necessary.
"At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin au
Hackernews
Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
blogs_hackernews·2026-05-07·CVSS 9.8
CVE-2026-6973 [CRITICAL] Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
## Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been exploited in limited attacks in the wild.
The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.
It allows "a remotely authenticated user with administrative access to achieve remote code execution," Ivanti said in an advisory released today.
"We are aware of a very limited number of customers exploited with CVE-2026-6973. Successful explo
Published: 2026-05-07