Description
An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods.
Published: 2026-05-07
Score: 7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An Improper Access Control flaw in Ivanti Endpoint Manager Mobile allows a remote attacker who does not need authentication to call any exposed method of the application. This can lead to unauthorized data access, data modification, or further exploitation of the system depending on the capabilities of the invoked methods. The vulnerability is based on the weakness identified as CWE‑284.

Affected Systems

The flaw is present in Ivanti Endpoint Manager Mobile versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. Organizations that deploy these earlier releases of the mobile endpoint management solution are therefore susceptible to the described access control bypass.

Risk and Exploitability

The CVSS score of 7.0 marks the vulnerability as high severity. No EPSS score is available, so the current exploitation likelihood cannot be quantified, and the flaw is not yet listed in the CISA KEV catalog. Because the attack does not require authentication, a malicious actor can reach the vulnerable API endpoints from outside the network if they are exposed, making remote exploitation straightforward. Immediate patching is recommended to close the control gap and prevent unauthorized method execution.

Generated by OpenCVE AI on May 7, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Ivanti Endpoint Manager Mobile version and upgrade to a release newer than 12.6.1.1, 12.7.0.1, or 12.8.0.1 as soon as a patch is available.
  • Apply the vendor-provided update or patch to eliminate the access control flaw.
  • If an immediate update is not possible, restrict external network access to the EPMM API endpoints using firewall or network segmentation to limit the attacker’s reach.

Generated by OpenCVE AI on May 7, 2026 at 17:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.8.0.0:*:*:*:*:*:*:*

Thu, 07 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Ivanti
Ivanti endpoint Manager Mobile
Vendors & Products Ivanti
Ivanti endpoint Manager Mobile

Thu, 07 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Remote Unauthorized Method Invocation via Improper Access Control in Ivanti EPMM

Thu, 07 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods.
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L'}

Subscriptions

Ivanti Endpoint Manager Mobile
cve-icon MITRE

Status: PUBLISHED

Assigner: ivanti

Published:

Updated: 2026-05-07T16:16:36.899Z

Reserved: 2026-04-08T11:39:14.350Z

Link: CVE-2026-5788

cve-icon Vulnrichment

Updated: 2026-05-07T16:16:33.357Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-07T16:16:22.733

Modified: 2026-05-07T20:11:27.477

Link: CVE-2026-5788

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T18:30:25Z

Weaknesses