CVE-2026-5787 — Ivanti EPMM improper certificate validation (pre-auth Sentry impersonation, CVSS 9.1)

EPMM's internal PKI issues CA-signed certificates to registered Sentry gateway hosts upon verified registration. CVE-2026-5787 (CWE-295) is a failure in that verification: an attacker submits a crafted registration request and EPMM issues a valid CA-signed certificate without confirming prior registration. The certificate carries Sentry-level trust and satisfies EPMM's administrative authentication gate, enabling the CVE-2026-6973 chain. No workaround fully mitigates CVE-2026-5787 in isolation; patching is required. Affected: all on-prem EPMM < 12.6.1.1 / 12.7.0.1 / 12.8.0.1.