CVE-2026-7821
Published 2026-05-07
Priority: P2 · 62 · critical · 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.51% (39.5th percentile)
Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about EPMM appliance and impacting on the integrity of the newly enrolled device identity.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | endpoint_manager_mobile | < 12.6.1.1 | 12.6.1.1 |
| ivanti | endpoint_manager_mobile | — | — |
| ivanti | endpoint_manager_mobile | — | — |
Detection & IOCs (extracted from sources)
- Target product is Ivanti EPMM (Endpoint Manager Mobile). Monitor for unauthorized or unexpected device enrollment attempts, particularly from unauthenticated remote sources, which may indicate exploitation of improper certificate validation.
- Alert on information disclosure events from the EPMM appliance following anomalous device enrollment, as successful exploitation leads to appliance information disclosure and integrity impact on the enrolled device identity.
- Vulnerability affects Ivanti EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. Ensure patched versions are deployed; unpatched appliances are exposed to unauthenticated remote exploitation.
- Root cause is CWE-295 (Improper Certificate Validation). Review and enforce strict certificate validation configurations on EPMM device enrollment endpoints to mitigate bypass risk.
GHSA
GHSA-pr5j-p9p7-3c46: Improper certificate validation in Ivanti EPMM before versions 12
ghsa_unreviewed·2026-05-07
CVE-2026-7821 [HIGH] CWE-295 GHSA-pr5j-p9p7-3c46: Improper certificate validation in Ivanti EPMM before versions 12
Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about EPMM appliance and impacting on the integrity of the newly enrolled device identity.
VulDB
Ivanti Endpoint Manager Mobile 12.6.1.1/12.7.0.1/12.8.0.1 certificate validation
vuldb·2026-05-07·CVSS 9.1
CVE-2026-7821 [CRITICAL] Ivanti Endpoint Manager Mobile 12.6.1.1/12.7.0.1/12.8.0.1 certificate validation
A vulnerability was found in Ivanti Endpoint Manager Mobile 12.6.1.1/12.7.0.1/12.8.0.1. It has been rated as critical. This issue affects some unknown processing. Performing a manipulation results in improper certificate validation.
This vulnerability was named CVE-2026-7821. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is advised.
Ivanti
Ivanti Security Advisory: CVE-2026-7821
vendor_ivanti·2026-05-07·CVSS 9.1
CVE-2026-7821 [CRITICAL] CWE-295 Ivanti Security Advisory: CVE-2026-7821
Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about EPMM appliance and impacting on the integrity of the newly enrolled device identity.
CVE IDs: CVE-2026-7821
CVSS Base Score: 7.4
Severity: HIGH
CWEs: CWE-295
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Ivanti warns of new EPMM flaw exploited in zero-day attacks
blogs_bleepingcomputer·2026-05-07·CVSS 8.8
CVE-2026-6973 [HIGH] Ivanti warns of new EPMM flaw exploited in zero-day attacks
## Ivanti warns of new EPMM flaw exploited in zero-day attacks
## Sergiu Gatlan
Ivanti warned customers today to patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) exploited in zero-day attacks.
The security flaw (tracked as CVE-2026-6973) stems from an Improper Input Validation weakness that allows remote attackers with administrative privileges to execute arbitrary code on targeted systems running EPMM 12.8.0.0 and earlier.
Ivanti says customers can mitigate the zero-day by installing Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and advises customers to review accounts with Admin rights and rotate those credentials where necessary.
"At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin au
Hackernews
Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
blogs_hackernews·2026-05-07·CVSS 9.8
CVE-2026-6973 [CRITICAL] Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
## Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been exploited in limited attacks in the wild.
The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.
It allows "a remotely authenticated user with administrative access to achieve remote code execution," Ivanti said in an advisory released today.
"We are aware of a very limited number of customers exploited with CVE-2026-6973. Successful explo