Description
An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access.
Published: 2026-05-07
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improperly implemented access control in Ivanti Endpoint Manager Mobile (EPMM) allows a remote user who has already authenticated to elevate privileges to full administrative level. This flaw, classified as CWE‑284, means that standard user accounts can bypass restrictions and gain control over the mobile console. The vulnerability carries a CVSS score of 8.8, indicating a high‑severity risk that could enable an attacker to modify configurations, view or alter sensitive data, or deploy additional software on managed devices.

Affected Systems

The weakness impacts all Ivanti Endpoint Manager Mobile installations with versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. Administrators of these release lines must verify their current build and update to a patched release as soon as it becomes available.

Risk and Exploitability

The CVSS score of 8.8 reflects a strong potential for privilege escalation. Although an EPSS score is not currently available, the vulnerability's absence from CISA's KEV catalog does not diminish its risk; systems still running the affected versions are susceptible to exploitation by any authenticated user. Attackers would need valid credentials, so limiting the attack surface through network segmentation or MFA can reduce the likelihood of exploitation, but the most effective defense is to apply the vendor-issued update.

Generated by OpenCVE AI on May 7, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Ivanti Endpoint Manager Mobile to version 12.6.1.1, 12.7.0.1, 12.8.0.1, or any newer release that includes the fix for the access control flaw.
  • If an update cannot be applied immediately, restrict administrative access to trusted IP ranges and enforce multi‑factor authentication for privileged accounts to limit the ability of authenticated users to abuse the flaw.
  • Re‑review role‑based access configurations and disable any unnecessary administrative features, ensuring that only the minimum set of privileges required for each role is granted.

Advisories

No advisories yet.

History

Thu, 07 May 2026 16:45:00 +0000

Type                 Values Removed    Values Added
Title                                  Improper Access Control Enables Remote Authenticated Attacker to Gain Administrative Access in Ivanti EPMM
First Time appeared                    Ivanti
                                       Ivanti endpoint Manager Mobile
Vendors & Products                     Ivanti
                                       Ivanti endpoint Manager Mobile

Thu, 07 May 2026 16:15:00 +0000

Type                 Values Removed    Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 15:30:00 +0000

Type                 Values Removed    Values Added
Description                            An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access.
Weaknesses                             CWE-284
References
Metrics                                cvssV3_1
                                       {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-05-07T15:43:42.850Z

Reserved: 2026-04-08T11:39:11.525Z

Link: CVE-2026-5786

Vulnrichment

Updated: 2026-05-07T15:43:38.470Z

NVD

Status: Received

Published: 2026-05-07T16:16:22.483

Modified: 2026-05-07T16:16:22.483

Link: CVE-2026-5786

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T16:30:15Z

Weaknesses