

CVE-2026-5787 / CVE-2026-6973 — Ivanti EPMM pre-auth certificate impersonation → admin RCE (CISA KEV deadline **2026-05-10**)

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

Ivanti disclosed two vulnerabilities in Endpoint Manager Mobile (EPMM) on-premises that chain into a fully pre-authenticated remote code execution path against the MDM server. CVE-2026-5787 (CVSS 9.1, CWE-295) is an improper certificate validation flaw: an unauthenticated attacker who can reach the EPMM administrative network interface sends a crafted Sentry host registration request. EPMM fails to verify that the connecting host is an already-registered Sentry gateway and issues the attacker valid CA-signed client certificates with Sentry-level trust. Those certificates satisfy the authentication gate for CVE-2026-6973 (CVSS 7.2, CWE-20), where improper input validation in an administrative API endpoint allows the now-"authenticated" actor to execute arbitrary OS commands at the EPMM service account's privilege level. The nominal "admin required" label on CVE-2026-6973 is therefore misleading — in practice the chain requires no prior credentials.

CISA added CVE-2026-6973 to the Known Exploited Vulnerabilities catalog (deadline 2026-05-10) on the same day Ivanti disclosed the vulnerabilities (2026-05-07). Ivanti reported "very limited exploitation in the wild" at disclosure; CISA's simultaneous KEV listing confirms verified exploitation. Only on-premises EPMM is affected; Ivanti Neurons for MDM (cloud), EPM, Sentry as a standalone product, and EPMM mobile clients are unaffected. An estimated 508 EPMM on-premises instances in the EU are internet-reachable (Censys/Shodan telemetry), concentrated in public-sector and healthcare verticals — both NIS2 Annex-I essential entities.

Fixed versions: 12.6.1.1 (12.6.x branch), 12.7.0.1 (12.7.x branch), 12.8.0.1 (12.8.x branch).

Immediate actions if patching within 24 hours is not feasible: Remove EPMM port 443 from internet exposure; place admin interface behind VPN with allowlisted management IPs; disable internet-facing Sentry registration endpoints; audit EPMM logs for unexpected Sentry host_id registration events.
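The two triage steps a defender takes from this brief are (1) deciding whether an installed EPMM build is at or above the fixed version for its branch and (2) reviewing Sentry registration events for hosts that are not in the known Sentry inventory or that arrive from outside the management network. The script below is an added example written for this brief; it is not Ivanti code and not part of the original page. The fixed-version table comes from the brief; the registration log line format (`sentry-registration host_id=... src=... result=...`), the sample log lines, the registered Sentry names and the management network are all constructed for the example, and EPMM's real log format will differ, so the regular expression is the part to adapt.

```python
"""Triage helpers for the EPMM CVE-2026-5787 / CVE-2026-6973 brief (added example)."""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# Fixed versions per branch, as listed in the brief. Branches not listed here
# (e.g. anything below 12.6) are not covered by the brief and are reported as such.
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, int, int, int]] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '12.7.0.1' into (12, 7, 0, 1); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unlisted-branch' for an EPMM version string."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return "unlisted-branch"
    # Pad short strings so that 12.7.0 compares as 12.7.0.0 (below the 12.7.0.1 fix).
    padded = parsed + (0,) * (4 - len(parsed))
    return "patched" if padded >= fixed else "vulnerable"


# Constructed inventory and allowlist (hypothetical values for the example).
REGISTERED_SENTRIES = {"sentry-zrh-01", "sentry-gva-01"}
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Hypothetical registration event format; adapt to the real EPMM log layout.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+sentry-registration\s+host_id=(?P<host_id>\S+)"
    r"\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)"
)


def audit_sentry_registrations(lines: Iterable[str]) -> list[dict]:
    """Flag Sentry registration events from unknown hosts or non-management sources."""
    findings: list[dict] = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a registration event, ignore
        event = match.groupdict()
        reasons: list[str] = []
        if event["host_id"] not in REGISTERED_SENTRIES:
            reasons.append("unknown host_id")
        try:
            src = ipaddress.ip_address(event["src"])
        except ValueError:
            reasons.append("unparseable src")
        else:
            if not any(src in net for net in MGMT_NETS):
                reasons.append("source outside management networks")
        if reasons:
            findings.append({**event, "reasons": reasons})
    return findings


# Constructed sample log: one legitimate registration, one from an unknown host on a
# public address, one unrelated admin login, and one known host from a public address.
SAMPLE_LOG = """\
2026-05-08T03:12:44Z sentry-registration host_id=sentry-zrh-01 src=10.20.1.15 result=issued
2026-05-08T03:13:02Z sentry-registration host_id=sentry-xyz-99 src=198.51.100.23 result=issued
2026-05-08T03:13:05Z admin-login user=alice src=10.20.1.9 result=ok
2026-05-08T03:14:10Z sentry-registration host_id=sentry-gva-01 src=203.0.113.7 result=issued
""".splitlines()


if __name__ == "__main__":
    for v in ("12.6.1", "12.6.1.1", "12.7.0.1", "12.8.0"):
        print(v, "->", patch_status(v))
    for finding in audit_sentry_registrations(SAMPLE_LOG):
        print(finding["ts"], finding["host_id"], finding["src"], "; ".join(finding["reasons"]))
```

Every registration that issues a certificate to a host_id outside the inventory, or from a source that is not a management address, is worth treating as a possible CVE-2026-5787 attempt and correlating with subsequent administrative API activity from the same certificate.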