
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN497
_____________________________________________________________________

DATE                : 13/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Ivanti Endpoint Manager Mobile
                     versions prior to 12.6.1.1, 12.7.0.1, 12.8.0.1.

=====================================================================
https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US
_____________________________________________________________________

May 2026 Security Advisory Ivanti Endpoint Manager Mobile (EPMM)
(Multiple CVEs)

Created Date
7-May-2026 14.11.48

Last Modified Date
7-May-2026 14.21.09

Summary 
Ivanti has released updates for Ivanti Endpoint Manager Mobile (EPMM)
which address five high severity vulnerabilities.


We are aware of a very limited number of customers exploited with
CVE-2026-6973. Successful exploitation requires Admin authentication.
If customers followed Ivanti’s recommendation in January to rotate
credentials if you were exploited with CVE-2026-1281 and
CVE-2026-1340, then your risk of exploitation from CVE-2026-6973
is significantly reduced.

We recommend customers review accounts with Admin rights, and
rotate those credentials, where necessary. 


We are not aware of any customers being exploited with
CVE-2026-5786, CVE-2026-5787, CVE-2026-5788 or CVE-2026-7821 at
the time of disclosure. While CVE-2026-7821 is unauthenticated,
if customers have not configured and are not using
Apple Device Enrollment they are not at risk from this
vulnerability. 


Additionally, the fixed versions below also contain the fixes
for CVE-2026-1281 and CVE-2026-1340. Customers who update their
appliance to one of the resolved versions below will no longer
need to apply the RPM package provided in January 2026. 

Vulnerability Details: 

CVE-2026-5786
  Description : An Improper Access Control vulnerability in Ivanti EPMM
                before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a
                remote authenticated attacker to gain administrative
                access.
  CVSS Score  : 8.8 (High)
  CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CWE         : CWE-284

CVE-2026-5787
  Description : An Improper Certificate Validation in Ivanti EPMM before
                versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote
                unauthenticated attacker to impersonate registered Sentry
                hosts and obtain valid CA-signed client certificates.
  CVSS Score  : 8.9 (High)
  CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
  CWE         : CWE-295

CVE-2026-5788
  Description : An Improper Access Control in Ivanti EPMM before versions
                12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote
                unauthenticated attacker to invoke arbitrary methods.
  CVSS Score  : 7.0 (High)
  CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
  CWE         : CWE-284

CVE-2026-6973
  Description : An Improper Input Validation in Ivanti EPMM before versions
                12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely
                authenticated user with administrative access to achieve
                remote code execution.
  CVSS Score  : 7.2 (High)
  CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  CWE         : CWE-20

CVE-2026-7821
  Description : Improper certificate validation in Ivanti EPMM before
                versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote
                unauthenticated attacker to enroll a device belonging to a
                restricted set of unenrolled devices, leading to
                information disclosure about EPMM appliance and impacting
                on the integrity of the newly enrolled device identity.
  CVSS Score  : 7.4 (High)
  CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
  CWE         : CWE-295, CWE-306

Affected Versions:
  Product Name        : Ivanti Endpoint Manager Mobile (EPMM)
  Affected Version(s) : 12.8.0.0 and prior
  Resolved Version(s) : 12.6.1.1, 12.7.0.1, 12.8.0.1
  Patch Availability  : Download Portal (login required)


See Detailed Information Below. 

 
Solution 

Customers can remediate these vulnerabilities by updating to the
latest version of Ivanti Endpoint Manager Mobile (12.6.1.1,
12.7.0.1 or 12.8.0.1), available at the following links
(login required):

12.6.1.1: 
New EPMM Instance:
https://support.mobileiron.com/mi/vsp/12.6.1.1-209/mobileiron-12.6.1.1-209.iso 

Updating existing EPMM appliance:
https://support.mobileiron.com/mi/vsp/12.6.1.1-209/mobileiron-12.6.1.1-209/ 

12.7.0.1: 
New EPMM Instance:
https://support.mobileiron.com/mi/vsp/12.7.0.1-216/mobileiron-12.7.0.1-216.iso 

Updating existing EPMM appliance:
https://support.mobileiron.com/mi/vsp/12.7.0.1-216/mobileiron-12.7.0.1-216/ 

12.8.0.1: 

New EPMM Instance:
https://support.mobileiron.com/mi/vsp/12.8.0.1-217/mobileiron-12.8.0.1-217.iso 

Updating existing EPMM appliance:
https://support.mobileiron.com/mi/vsp/12.8.0.1-217/mobileiron-12.8.0.1-217/ 

It’s important for customers to know that these versions also contain the
fix for CVE-2026-1281 and CVE-2026-1340. Customers who update their
appliance to one of the resolved versions will no longer need to apply
the RPM package provided in January 2026. 
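
A branch-aware check against the resolved versions listed above, as an added example that is not part of Ivanti's advisory or CERT-Renater's note. A plain "version >= 12.6.1.1" test would wrongly pass 12.7.0.0 and 12.8.0.0. The code assumes the first two version components identify the release branch and that branches after 12.8 fall outside the affected range; the function names and inventory hosts are hypothetical.

```python
import re

# Fixed build per release branch, from the advisory's "Resolved Version(s)".
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
CVES = ["CVE-2026-5786", "CVE-2026-5787", "CVE-2026-5788",
        "CVE-2026-6973", "CVE-2026-7821"]


def parse_version(text):
    """Parse '12.7.0.1' or '12.7.0.1-216' into a 4-tuple of ints."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-\d+)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised EPMM version: {text!r}")
    return tuple(int(g) for g in m.groups())


def triage(version, apple_device_enrollment=True):
    """Return (status, upgrade_target, applicable_cves) for one appliance."""
    v = parse_version(version)
    branch = v[:2]
    if branch > max(FIXED):
        # Assumption: the advisory lists "12.8.0.0 and prior" as affected,
        # so later branches are treated as outside its scope.
        return ("not-listed", None, [])
    if branch in FIXED and v >= FIXED[branch]:
        return ("fixed", None, [])
    # Affected: same-branch fix if one exists, else the oldest fixed branch.
    target = FIXED.get(branch, FIXED[min(FIXED)])
    # Per the Summary, CVE-2026-7821 only applies when Apple Device
    # Enrollment is configured and in use.
    cves = [c for c in CVES if c != "CVE-2026-7821" or apple_device_enrollment]
    return ("affected", ".".join(map(str, target)), cves)


if __name__ == "__main__":
    # Constructed inventory: (host, reported version, Apple Device Enrollment in use)
    inventory = [
        ("epmm-a.example.org", "12.7.0.0-100", True),
        ("epmm-b.example.org", "12.6.1.1-209", False),
        ("epmm-c.example.org", "12.5.0.3", False),
    ]
    for host, version, ade in inventory:
        status, target, cves = triage(version, ade)
        print(f"{host}: {version} -> {status}, target={target}, cves={len(cves)}")
```
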

A new version of Sentry is also available. Updating Sentry is not required
as these vulnerabilities do not impact Sentry. However, if customers are
deploying a new Sentry they should use version 10.4.2, 10.5.1 or 10.6.1. 

Acknowledgements 
Ivanti would like to thank the following for reporting the relevant issues
and for working with Ivanti to help protect our customers: 

Bryan Lam (https://www.linkedin.com/in/bryy/) (CVE-2026-7821) 

Note: Ivanti is dedicated to ensuring the security and integrity of our
enterprise software products. We recognize the vital role that security
researchers, ethical hackers, and the broader security community play in
identifying and reporting vulnerabilities. Visit HERE to learn more
about our Vulnerability Disclosure Policy. 


FAQ 
Are you aware of any active exploitation of these vulnerabilities? 

We are aware of a very limited number of customers exploited with
CVE-2026-6973. Successful exploitation requires Admin authentication.
If customers followed Ivanti’s recommendation in January to rotate
credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340,
then your risk of exploitation from CVE-2026-6973 is significantly
reduced.  

We recommend customers review accounts with Admin rights, and rotate
those credentials, where necessary. 

We are not aware of any customers being exploited by CVE-2026-5786,
CVE-2026-5787, CVE-2026-5788 or CVE-2026-7821 at the time of public
disclosure. These vulnerabilities were found internally and
proactively fixed or responsibly disclosed (CVE-2026-7821).   


How can I tell if I have been compromised? 
Currently, there are no reliable atomic indicators of compromise
from which a list of indicators could be provided.

Will Ivanti be releasing a Technical Analysis similar to what you
released in January? 

At this time, there is not enough additional information to create
a Technical Analysis guide. Customers can use the Technical Analysis
guide from January, and our recommendation is to ensure all admin
credentials have been rotated if you were exploited with
CVE-2026-1281 and CVE-2026-1340. The most conservative approach
would be for all customers to review and rotate all admin
credentials. Currently, there are no reliable atomic indicators
of compromise from which a list of indicators could be
provided.

Why are you disclosing other vulnerabilities along with CVE-2026-6973?
Have these vulnerabilities been exploited? 

We are not aware of any customers being exploited by CVE-2026-5786,
CVE-2026-5787, CVE-2026-5788 or CVE-2026-7821 at the time of
disclosure. While CVE-2026-7821 is unauthenticated, if customers
have not configured and are not using Apple Device Enrollment they
are not at risk from this vulnerability. 

In today’s security environment, Ivanti believes that responsible
transparency should be a cornerstone of any product security program.
Ivanti uses leading technology in our product development, and our
security team began a project in recent months to integrate advanced
AI models into our product security processes. We have already
successfully identified vulnerabilities which traditional tools
had missed, including some that are being disclosed today. 


Is Sentry vulnerable? 

No. Sentry does not contain this vulnerability; however, you should
always review the security of the Sentry appliance at the same time
as EPMM due to the dependency it has on the EPMM appliance and
configuration.

Customers who use Sentry with a cloud product are not impacted by
this vulnerability. 


Why did Ivanti release a new version of Sentry today if it isn’t
vulnerable? 

The new versions of Sentry (released today) are available to
customers who are adding a new Sentry server to their deployment.
Customers should be aware that if they add a new Sentry server
after EPMM has been updated, they will need to use one of the
new Sentry versions (10.4.2, 10.5.1 and 10.6.1).  


Is Ivanti Neurons for MDM vulnerable? 

No. Ivanti Neurons for MDM does not contain these vulnerabilities.
Ivanti cloud solutions are not impacted by these vulnerabilities.  

 
What should I do if I need help?  

If you have questions after reviewing this information, you can
log a case and/or request a call via the Success Portal.


Article Number : 000106622

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




