Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Privilege Escalation in Ivanti Endpoint Manager Mobile (EPMM)

IdentifiersCVE-2026-5786CWE-284· Improper Access Control

CVE-2026-5786 is an improper access control vulnerability in on-premises Ivanti Endpoint Manager Mobile (EPMM). Affected versions are EPMM before 12.6.1.1, 12.7.0.1, and 12.8.0.1. The flaw results from insufficient enforcement of authorization boundaries within the EPMM appliance, allowing a remote authenticated user with low privileges to access functionality that should be restricted to administrators and escalate to full administrative control of the appliance.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an authenticated attacker to obtain full administrative access to the EPMM appliance. This can compromise the confidentiality, integrity, and availability of the management plane, including exposure or modification of device policies, configurations, integrations, and other administrative settings. Administrative control may also enable follow-on actions against managed mobile infrastructure and can be chained with other vulnerabilities that require admin privileges.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by strictly limiting access to EPMM to trusted users and networks, minimizing the number of authenticated low-privilege accounts, auditing role assignments, and reviewing all accounts with administrative rights. Ivanti also recommends reviewing and rotating administrative credentials, particularly if there is any possibility credentials were previously exposed. No reliable atomic indicators of compromise were reported at disclosure time.

Remediation

Patch, then assume compromise.

Upgrade Ivanti Endpoint Manager Mobile to a fixed release: 12.6.1.1, 12.7.0.1, or 12.8.0.1, as appropriate for the deployed branch. Ivanti states these full product updates remediate CVE-2026-5786 and also include fixes for earlier EPMM issues such as CVE-2026-1281 and CVE-2026-1340. After updating to the resolved versions, the temporary RPM packages previously distributed for January 2026 issues are no longer required.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
IvantiEndpoint Manager Mobileapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
cysecurity newsNews
May 23, 2026
Ivanti Patches New EPMM Vulnerability Linked to Active Zero-Day Exploitation - CySecurity News - Latest Information Security and Hacking Incidents

A high-severity Ivanti EPMM vulnerability disclosed alongside CVE-2026-6973 that could potentially be used to obtain administrator access.

Read more
help net securityNews
May 8, 2026
Ivanti EPMM vulnerability exploited in zero-day attacks (CVE-2026-6973) - Help Net Security

An improper access control vulnerability in Ivanti EPMM exploitable by authenticated attackers to elevate privileges to administrator.

Read more
the hacker newsNews
May 7, 2026
Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access

An improper access control vulnerability in Ivanti EPMM that allows a remote authenticated attacker to gain administrative access.

Read more
kyberturvallisuuskeskus alertsNews
May 7, 2026
Ivanti Endpoint Manager Mobile (EPMM) -tuotteessa vakava hyväksikäytetty haavoittuvuus | Traficom

A severe Ivanti EPMM vulnerability that can enable improper certificate validation or access to Ivanti EPMM device management.

Read more
+9 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-5786
NVD
nvd.nist.gov/vuln/detail/CVE-2026-5786
MITRE CWE · CWE-284
Improper Access Control
Patch
hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs