ctipilot.ch · Switzerland · Europe · Public sector

Ivanti EPMM on-prem — pre-auth certificate impersonation (CVSS 9.1, ITW, KEV chain with CVE-2026-6973)

cve · CVE-2026-5787

  • Coverage timeline: 2 (first 2026-05-08 → last 2026-05-09)
  • Briefs: 2 (2 distinct)
  • Sources cited: 6 (5 hosts)
  • Sections touched: 2 (immediate-actions, updates)
  • Co-occurring entities: 4 (see Related entities below)

Story timeline

  1. 2026-05-09 · CTI Daily Brief — 2026-05-09
     [updates] UPDATE: CISA KEV deadline tomorrow 2026-05-10. Named EU victims confirmed: European Commission, Dutch DPA, Netherlands Council for the Judiciary, Finnish Valtori. 508 EU internet-exposed instances (NCSC-NL). Credential-chaining risk from January 2026 CVE-2026-1281/1340 admin-account compromises.
  2. 2026-05-08 · CTI Daily Brief — 2026-05-08
     [immediate-actions] First coverage. CWE-295; unauthenticated attacker impersonates Sentry host registration to obtain valid CA-signed client certificate; chains with CVE-2026-6973 for pre-auth RCE. Fixed in 12.6.1.1/12.7.0.1/12.8.0.1. Deep dive § 7.

Where this entity is cited

  • immediate-actions (1)
  • updates (1)

Source distribution

  • nvd.nist.gov: 2 (33%)
  • bleepingcomputer.com: 1 (17%)
  • ivanti.com: 1 (17%)
  • securityweek.com: 1 (17%)
  • thehackernews.com: 1 (17%)

Related entities

Items in briefs about Ivanti EPMM on-prem — pre-auth certificate impersonation (CVSS 9.1, ITW, KEV chain with CVE-2026-6973) (3)

UPDATE: Ivanti EPMM CVE-2026-6973 — KEV deadline expired today; ~850 internet-exposed instances globally with 508 in Europe; companion CVE-2026-5786/5788 ship in same patch

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

UPDATE (originally covered 2026-05-08; previous UPDATE 2026-05-09): The CISA KEV remediation deadline for CVE-2026-6973 (Ivanti EPMM admin API improper input validation → RCE, CVSS 7.2) expired today (2026-05-10) (Ivanti PSIRT, 2026-05-07 · BleepingComputer, 2026-05-07 · SecurityWeek, 2026-05-08).

Shadowserver telemetry cited by BleepingComputer counts ~850 internet-exposed EPMM instances globally with 508 in Europe and 182 in North America — i.e. European EPMM exposure is materially larger than the rest of the world combined. SecurityWeek's analysis notes a Chinese-actor assessment based on historical EPMM exploitation patterns; Ivanti has confirmed exploitation against "a very limited number of customers" without naming them.

The May 2026 EPMM update covers four additional CVEs alongside CVE-2026-6973: CVE-2026-5786 (CVSS 8.8, remote authenticated → administrative-access via improper access control), CVE-2026-5788 (CVSS 7.0, unauthenticated arbitrary method invocation), CVE-2026-5787 (improper certificate validation → pre-auth Sentry impersonation, originally covered in the 2026-05-08 brief deep dive) and CVE-2026-7821 (also high-severity per BleepingComputer / SecurityWeek). Critically, the same May patch supersedes the prior CVE-2026-1281 / CVE-2026-1340 RPM workaround issued for the January 2026 unauthenticated RCEs — meaning EPMM operators that are still on the January workaround need to apply the proper patch now. Fixed builds: 12.6.1.1, 12.7.0.1, 12.8.0.1.

CVE-2026-5787 / CVE-2026-6973 — Ivanti EPMM pre-auth certificate impersonation → admin RCE (CISA KEV deadline **2026-05-10**)

From CTI Daily Brief — 2026-05-08 · published 2026-05-10

Ivanti disclosed two vulnerabilities in Endpoint Manager Mobile (EPMM) on-premises that chain into a fully pre-authenticated remote code execution path against the MDM server. CVE-2026-5787 (CVSS 9.1, CWE-295) is an improper certificate validation flaw: an unauthenticated attacker who can reach the EPMM administrative network interface sends a crafted Sentry host registration request. EPMM fails to verify that the connecting host is an already-registered Sentry gateway and issues the attacker valid CA-signed client certificates with Sentry-level trust. Those certificates satisfy the authentication gate for CVE-2026-6973 (CVSS 7.2, CWE-20), where improper input validation in an administrative API endpoint allows the now-"authenticated" actor to execute arbitrary OS commands at the EPMM service account's privilege level. The nominal "admin required" label on CVE-2026-6973 is therefore misleading — in practice the chain requires no prior credentials.

CISA added CVE-2026-6973 to the Known Exploited Vulnerabilities catalog (deadline 2026-05-10) on the same day Ivanti disclosed the vulnerabilities (2026-05-07). Ivanti reported "very limited exploitation in the wild" at disclosure; CISA's simultaneous KEV listing confirms verified exploitation. Only on-premises EPMM is affected; Ivanti Neurons for MDM (cloud), EPM, Sentry as a standalone product, and EPMM mobile clients are unaffected. An estimated 508 EPMM on-premises instances in the EU are internet-reachable (Censys/Shodan telemetry), concentrated in public-sector and healthcare verticals — both NIS2 Annex-I essential entities.

Fixed versions: 12.6.1.1 (12.6.x branch), 12.7.0.1 (12.7.x branch), 12.8.0.1 (12.8.x branch).

Immediate actions if patching within 24 hours is not feasible: Remove EPMM port 443 from internet exposure; place admin interface behind VPN with allowlisted management IPs; disable internet-facing Sentry registration endpoints; audit EPMM logs for unexpected Sentry host_id registration events.
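The log audit named in the last action, as an added example that is not part of the brief or of Ivanti's tooling: EPMM's real log format is not given on this page, so the line layout `TS src=IP event=NAME host_id=ID`, the event names, the Sentry host IDs and the management network below are constructed placeholders; the check itself (a registration or certificate-issuance event whose host_id is not in the deployed Sentry fleet, or whose source lies outside the management allowlist) is the one the action describes.

```python
"""Flag Sentry registration / certificate-issuance events that fail an allowlist.
Added example: EPMM's real log format is not on this page, so the layout
'TS src=IP event=NAME host_id=ID', the event names and the records are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed allowlists: Sentry gateways the MDM team actually deployed, and
# the management networks from which legitimate registrations originate.
KNOWN_SENTRY_HOST_IDS = {"sentry-ams-01", "sentry-hel-02"}
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Constructed event names standing in for the real registration/cert events.
REGISTRATION_EVENTS = {"sentry_register", "sentry_cert_issue"}
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\w+) host_id=(?P<host_id>\S+)$")

@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    host_id: str
    reasons: tuple

def audit(lines):
    """Return one Finding per registration-type event that fails an allowlist check."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["event"] not in REGISTRATION_EVENTS:
            continue  # unparsable line, or not a registration / cert-issuance event
        reasons = []
        if m["host_id"] not in KNOWN_SENTRY_HOST_IDS:
            reasons.append("host_id not in deployed Sentry fleet")
        try:
            if not any(ipaddress.ip_address(m["src"]) in net for net in MANAGEMENT_NETS):
                reasons.append("source outside management networks")
        except ValueError:
            reasons.append("unparsable source address")
        if reasons:
            findings.append(Finding(m["ts"], m["src"], m["host_id"], tuple(reasons)))
    return findings

# Constructed sample: a legitimate re-registration, a known host_id presented
# from outside the management range, and a host_id that was never deployed.
SAMPLE_LOG = [
    "2026-05-08T09:12:01Z src=10.20.0.15 event=sentry_register host_id=sentry-ams-01",
    "2026-05-08T09:13:44Z src=203.0.113.77 event=sentry_register host_id=sentry-ams-01",
    "2026-05-08T09:13:45Z src=203.0.113.77 event=sentry_cert_issue host_id=sentry-x9q",
    "2026-05-08T09:14:00Z src=10.20.0.15 event=admin_login host_id=-",
]
```

Run `audit(SAMPLE_LOG)` to see the two suspicious records; the first passes the host_id check but fails the source check, which is why both conditions are evaluated independently rather than short-circuited.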

CVE-2026-5787 — Ivanti EPMM improper certificate validation (pre-auth Sentry impersonation, CVSS 9.1)

From CTI Daily Brief — 2026-05-08 · published 2026-05-10

EPMM's internal PKI issues CA-signed certificates to registered Sentry gateway hosts upon verified registration. CVE-2026-5787 (CWE-295) is a failure in that verification: an attacker submits a crafted registration request and EPMM issues a valid CA-signed certificate without confirming prior registration. The certificate carries Sentry-level trust and satisfies EPMM's administrative authentication gate, enabling the CVE-2026-6973 chain. No workaround fully mitigates CVE-2026-5787 in isolation; patching is required. Affected: all on-prem EPMM < 12.6.1.1 / 12.7.0.1 / 12.8.0.1.
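Because each branch has its own fixed build, reading "all on-prem EPMM < 12.6.1.1 / 12.7.0.1 / 12.8.0.1" as a single threshold misjudges 12.7.x and 12.8.x installs (12.7.0.0 sorts above 12.6.1.1 yet is still vulnerable). This added Python helper, not Ivanti tooling, applies the fixed versions quoted here and in the 2026-05-08 chain item per branch; the hostnames and builds in the sample inventory are constructed.

```python
"""Classify on-prem EPMM builds against the per-branch fixed versions named in
the brief (12.6.1.1 / 12.7.0.1 / 12.8.0.1). Added example, not Ivanti tooling;
the sample inventory at the bottom is constructed."""

# Fixed build per minor branch, as stated on this page.
FIXED_BUILDS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
OLDEST_FIXED_BRANCH = min(FIXED_BUILDS)

def parse_version(text):
    """'12.7.0.0' -> (12, 7, 0, 0); right-pads with zeros to four components."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unrecognised EPMM version: {text!r}")
    return parts + (0,) * (4 - len(parts))

def assess(version):
    """Return 'affected', 'fixed' or 'unknown' for one EPMM build.
    A single threshold is wrong: 12.7.0.0 sorts above 12.6.1.1 yet is still
    vulnerable, because each branch carries its own fixed build."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BUILDS:
        return "fixed" if v >= FIXED_BUILDS[branch] else "affected"
    if branch < OLDEST_FIXED_BRANCH:
        # Older branches received no fixed build; the brief scopes every
        # on-prem EPMM below the listed builds as affected.
        return "affected"
    return "unknown"  # newer than any branch the advisory covers

def triage(inventory):
    """Group hostnames of a {host: version} inventory by assessment."""
    groups = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        groups[assess(version)].append(host)
    return groups

# Constructed inventory: hostnames and builds are illustrative only.
SAMPLE_INVENTORY = {
    "epmm-a.example.test": "12.6.0.3",  # 12.6 branch, below 12.6.1.1
    "epmm-b.example.test": "12.7.0.0",  # numerically above 12.6.1.1, still affected
    "epmm-c.example.test": "12.8.0.1",  # fixed
    "epmm-d.example.test": "12.5.1.0",  # branch with no fixed build
}
```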