Ivanti EPMM: Update patches already exploited vulnerabilities

Ivanti has released security updates for Endpoint Manager Mobile (EPMM). They also close already exploited vulnerabilities.


Multiple security vulnerabilities exist in Ivanti's Endpoint Manager Mobile (EPMM), one of which is already being exploited on the internet. Updated software patches the security holes. Admins should act quickly.

In the update announcement for EPMM, Ivanti's developers state that they are aware of exploitation of one of the vulnerabilities at some customers; the US cybersecurity agency CISA has also already added the vulnerability to its Known Exploited Vulnerabilities catalog. However, attackers require admin rights for successful attacks. Ivanti recommends checking accounts with admin rights beforehand and rotating credentials if necessary. The other four vulnerabilities have not yet been exploited.

In total, there are five security holes. The already exploited vulnerability is based on insufficient input validation; however, Ivanti provides no further details that would narrow down which component contains the error or how it is exploitable (CVE-2026-6973, CVSS 7.2, risk “high”).

The severity of some of the other vulnerabilities is disputed. One example is insufficient access control that allows attackers to call arbitrary methods without prior authentication (CVE-2026-5788): NVD analysts classify it as “critical” with a CVSS score of 9.8, while Ivanti rates it lower at CVSS 7.0, a “high” risk. Insufficient certificate validation allows unauthenticated attackers from the network to impersonate registered Sentry hosts and obtain valid CA-signed client certificates (CVE-2026-5787; NVD: CVSS 9.1, risk “critical”; Ivanti: CVSS 8.9, “high”).


Another insufficient certificate validation allows attackers from the network without prior authentication to enroll devices that belong to a limited list of unenrolled devices, which can lead to information leakage about the EPMM appliance (CVE-2026-7821, NVD: CVSS 9.1, risk “critical”; Ivanti: CVSS 7.4, “high”). Here, Ivanti specifies in the update announcement that customers who have not configured and do not use Apple device enrollment are not affected. The last fixed vulnerability is based on insufficient access controls, through which authenticated attackers from the network can gain admin access (CVE-2026-5786, CVSS 8.8, risk “high”).

Ivanti is closing the vulnerabilities with versions Ivanti Endpoint Manager Mobile 12.6.1.1, 12.7.0.1, and 12.8.0.1 or newer. The manufacturer links the downloads in the update announcement.

Security vulnerabilities in Ivanti's EPMM are repeatedly targeted by malicious actors. In February, the Federal Office for Information Security (BSI) warned of widespread exploitation of vulnerabilities in the management software.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.