Introduction
Any authenticated user on an Ivanti Endpoint Manager Mobile appliance can silently escalate their privileges to full administrative control, thanks to an improper access control flaw disclosed on May 7, 2026. For organizations relying on EPMM to manage their mobile device fleet, this vulnerability (scored CVSS 8.8) means that a single compromised standard user account could give an attacker the keys to the entire MDM infrastructure, including device policies, configurations, and integrations.
Ivanti Endpoint Manager Mobile is an on premises mobile device management platform used by enterprises and government agencies to enforce security policies and manage mobile endpoints at scale. The product sits at a critical juncture in enterprise infrastructure, controlling what devices can access corporate resources and how they are configured.
Technical Information
CVE-2026-5786 is classified under CWE-284 (Improper Access Control). The CVSS 3.1 vector as reported by the Centre for Cybersecurity Belgium is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This tells us the vulnerability is network exploitable, has low attack complexity, requires only low privileges (any authenticated user), needs no user interaction, leaves scope unchanged, and carries high impact across confidentiality, integrity, and availability.
Root Cause
The core issue is a failure in access control enforcement within the EPMM appliance. Authenticated sessions with low privilege levels were able to reach administrative functionality that should have been restricted to admin roles only. Because EPMM is a closed source commercial product, no source level code diffs or commit details are publicly available, but the patch description confirms that the fix tightens access control enforcement so that low privilege authenticated sessions can no longer reach administrative functionality.
Attack Flow
Based on the available information, exploitation proceeds through the following steps:
- The attacker obtains or already possesses valid credentials for any user account on the target EPMM appliance. This could be a standard, non administrative account.
- The attacker authenticates to the EPMM instance remotely over the network.
- Due to the improper access control, the attacker accesses administrative functionality that their privilege level should not permit.
- The attacker gains full administrative access to the EPMM appliance, which controls policies, configurations, and integrations for the entire managed mobile device fleet.
Scope Boundaries
This vulnerability is strictly limited to the on premises Endpoint Manager Mobile product. Ivanti confirmed that it does not affect Ivanti Neurons for MDM (their cloud based unified endpoint management solution), Ivanti EPM, Ivanti Sentry, or any other Ivanti products.
Related May 2026 Vulnerabilities
The May 2026 advisory addressed four other high severity vulnerabilities alongside CVE-2026-5786. The interplay between these is worth understanding:
| Vulnerability | Authentication Required | Exploited at Disclosure | Primary Impact | Notes |
|---|---|---|---|---|
| CVE-2026-5786 | Yes (any user) | No | Administrative access | Improper Access Control |
| CVE-2026-5787 | Yes | No | Impersonate Sentry hosts | High severity |
| CVE-2026-5788 | No | No | Invoke arbitrary methods | Improper Access Control |
| CVE-2026-6973 | Yes (Admin) | Yes | Arbitrary code execution | Improper Input Validation |
| CVE-2026-7821 | No | No | Access restricted information | Requires Apple Device Enrollment |
The chaining potential here is significant. CVE-2026-5786 provides a privilege escalation path from any authenticated user to admin, and CVE-2026-6973 provides code execution from an admin context. Combined, these would allow any authenticated user to achieve remote code execution on the appliance.
Patch Information
On May 7, 2026, Ivanti published a security advisory addressing CVE-2026-5786 alongside four other high severity vulnerabilities. The fix is delivered through full version updates, not through the temporary RPM script mechanism that was used for the January 2026 EPMM vulnerabilities (CVE-2026-1281 and CVE-2026-1340). This is an important distinction: the new releases are permanent, integrated fixes.
The patch tightens access control enforcement so that low privilege authenticated sessions can no longer reach administrative functionality.
Ivanti released three fixed versions, each corresponding to a supported major release branch:
| Affected Versions | Fixed Version | Build |
|---|---|---|
| EPMM 12.8.0.0 and prior | 12.8.0.1 | 217 |
| EPMM 12.7.x | 12.7.0.1 | 216 |
| EPMM 12.6.x | 12.6.1.1 | 209 |
For each fixed version, Ivanti provides both a fresh install ISO and an in place appliance update package available through their download portal (login required). For example, version 12.8.0.1 is available as mobileiron-12.8.0.1-217.iso for new instances and as an update directory for existing appliances.
A notable consolidation benefit: organizations that upgrade to any of these resolved versions also receive the permanent fixes for the critical January 2026 zero days (CVE-2026-1281 and CVE-2026-1340). The temporary RPM packages distributed in January are no longer needed after updating.
The patch is applied entirely through Ivanti's proprietary update mechanism.
Affected Systems and Versions
The vulnerability affects the following Ivanti Endpoint Manager Mobile versions:
- EPMM versions prior to 12.8.0.1 on the 12.8.x branch
- EPMM versions prior to 12.7.0.1 on the 12.7.x branch
- EPMM versions prior to 12.6.1.1 on the 12.6.x branch
Only the on premises deployment of Endpoint Manager Mobile is affected. The following products are explicitly not affected:
- Ivanti Neurons for MDM (cloud based)
- Ivanti EPM (Endpoint Manager, the non mobile product)
- Ivanti Sentry
- All other Ivanti products
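For triaging an appliance inventory against the fixed-version table and the affected-branch list above, here is an added example (not Ivanti code). The hostnames and inventory are constructed, and the handling of branches older than 12.6 is an assumption drawn from the "12.8.0.0 and prior" row.

```python
import re

# Fixed release per supported branch, taken from the advisory table above.
FIXED = {(12, 8): (12, 8, 0, 1), (12, 7): (12, 7, 0, 1), (12, 6): (12, 6, 1, 1)}
NEWEST_FIXED = FIXED[max(FIXED)]

def parse_version(text):
    """Parse '12.7.0.0' or '12.8.0.1-217' (build suffix ignored) into a 4-tuple."""
    match = re.fullmatch(r"\s*(\d+(?:\.\d+){1,3})(?:-\d+)?\s*", text)
    if not match:
        raise ValueError(f"unrecognised EPMM version: {text!r}")
    nums = tuple(int(p) for p in match.group(1).split("."))
    return nums + (0,) * (4 - len(nums))

def fmt(version_tuple):
    return ".".join(map(str, version_tuple))

def triage(version):
    """Return (status, upgrade_target) for one reported appliance version."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        fixed = FIXED[branch]
        return ("patched", None) if v >= fixed else ("vulnerable", fmt(fixed))
    if branch < min(FIXED):
        # Assumption: "12.8.0.0 and prior" covers older branches, which have
        # no fix of their own, so point them at the newest fixed release.
        return ("vulnerable", fmt(NEWEST_FIXED))
    # Newer than anything the advisory lists: do not guess either way.
    return ("not-listed", None)

# Constructed inventory for illustration: hostname -> reported version.
INVENTORY = {
    "epmm-a.example.internal": "12.8.0.0",
    "epmm-b.example.internal": "12.7.0.1-216",
    "epmm-c.example.internal": "12.6.1.0",
    "epmm-d.example.internal": "12.5.0.0",
}

def report(inventory):
    return {host: triage(version) for host, version in inventory.items()}

if __name__ == "__main__":
    for host, (status, target) in report(INVENTORY).items():
        print(f"{host}: {status}" + (f" -> upgrade to {target}" if target else ""))
```

A "patched" result only reflects the version string; it does not cover the credential rotation discussed under Vendor Security History.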
Vendor Security History
Ivanti infrastructure has been a recurring target for advanced threat actors, and the pattern is worth reviewing:
| Year | Product | Incident Context | Key Lesson |
|---|---|---|---|
| 2021 | Pulse Connect Secure | Breached by suspected state backed hackers targeting government agencies and defense companies | Edge devices are high value targets |
| Jan 2026 | Endpoint Manager Mobile | Widespread zero day exploitation of CVE-2026-1281 and CVE-2026-1340 with web shells and backdoors deployed | Rapid patching is critical |
| May 2026 | Endpoint Manager Mobile | CVE-2026-6973 exploited using credentials stolen from January 2026 incidents | Credential rotation must accompany patches |
The May 2026 situation is particularly instructive. Ivanti has high confidence that the administrative credentials used to exploit CVE-2026-6973 were harvested during the January 2026 zero day campaign. This demonstrates that patching alone is insufficient when credentials may have been compromised; rotation is a necessary companion step.
References
- NVD Entry for CVE-2026-5786
- May 2026 Security Advisory: Ivanti Endpoint Manager Mobile (EPMM) Multiple CVEs
- Ivanti Forums: May 2026 Security Advisory
- BleepingComputer: Ivanti warns of new EPMM flaw exploited in zero day attacks
- Centre for Cybersecurity Belgium Advisory
- Ivanti Blog: May 2026 EPMM Security Update
- CWE-284: Improper Access Control
- Kudelski Security: CVE-2026-1281 and CVE-2026-1340 Affecting Ivanti EPMM
- Unit 42: Critical Vulnerabilities in Ivanti EPMM Exploited
- Wikipedia: Ivanti Pulse Connect Secure data breach



