Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Critical

Improper Certificate Validation in Ivanti EPMM allowing Sentry host impersonation

IdentifiersCVE-2026-5787CWE-295· Improper Certificate Validation

CVE-2026-5787 is an improper certificate validation vulnerability in on-premises Ivanti Endpoint Manager Mobile (EPMM). Affected versions are EPMM before 12.6.1.1, 12.7.0.1, and 12.8.0.1. Due to flawed certificate validation in the EPMM trust relationship for registered Sentry hosts, a remote unauthenticated attacker can impersonate a legitimate registered Sentry host and cause EPMM to issue valid CA-signed client certificates. The flaw is in EPMM server-side validation logic rather than in the Sentry component itself.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to obtain valid EPMM-issued CA-signed client certificates while masquerading as a registered Sentry host. This can cross trust boundaries and enable unauthorized authentication to components or backend services that trust EPMM-issued certificates. Depending on deployment architecture, impact can include unauthorized access to mobile management infrastructure, downstream systems, email or internal application access brokered through Sentry-related trust relationships, and compromise of confidentiality and integrity. Public reporting in the provided content states there was no evidence of in-the-wild exploitation at disclosure time.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the EPMM appliance to untrusted networks, restrict network access to interfaces reachable by potential attackers, and review trust relationships and certificate-based authentication paths that rely on EPMM-issued certificates. Because the flaw is unauthenticated and affects server-side certificate validation, compensating controls should focus on limiting network reachability to EPMM and monitoring certificate issuance and Sentry-registration-related activity where possible. The provided content does not mention a vendor-supplied workaround other than upgrading.

Remediation

Patch, then assume compromise.

Upgrade Ivanti Endpoint Manager Mobile (EPMM) to a fixed release: 12.6.1.1, 12.7.0.1, or 12.8.0.1, as appropriate for the deployed branch. These releases contain the vendor fix for CVE-2026-5787 and also include cumulative fixes for earlier EPMM issues referenced in the advisory. For environments adding new Sentry servers after patching EPMM, use Sentry versions 10.4.2, 10.5.1, or 10.6.1 for compatibility. The content states Sentry itself is not vulnerable and updating existing Sentry solely for this CVE is not required unless deploying a new Sentry after the EPMM upgrade.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
IvantiEndpoint Manager Mobileapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

23 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

23 SOURCESView more in app
cysecurity newsNews
May 23, 2026
Ivanti Patches New EPMM Vulnerability Linked to Active Zero-Day Exploitation - CySecurity News - Latest Information Security and Hacking Incidents

A high-severity Ivanti EPMM vulnerability disclosed alongside CVE-2026-6973 that could potentially be used to impersonate registered Sentry hosts and receive valid CA-signed client certificates.

Read more
help net securityNews
May 8, 2026
Ivanti EPMM vulnerability exploited in zero-day attacks (CVE-2026-6973) - Help Net Security

An improper certificate control vulnerability in Ivanti EPMM that can be exploited without authentication to obtain valid CA-signed client certificates.

Read more
cyberscoopNews
May 7, 2026
Ivanti customers confront yet another actively exploited zero-day | CyberScoop

A high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) disclosed alongside CVE-2026-6973. The article provides no technical detail beyond patch availability and lack of observed exploitation.

Read more
the hacker newsNews
May 7, 2026
Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access

An improper certificate validation vulnerability in Ivanti EPMM that allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.

Read more
+11 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity7

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-5787
NVD
nvd.nist.gov/vuln/detail/CVE-2026-5787
MITRE CWE · CWE-295
Improper Certificate Validation
Patch
hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs