Introduction
An improper certificate validation flaw in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2026-5787, allows a remote unauthenticated attacker to impersonate registered Sentry hosts and walk away with valid CA-signed client certificates. What makes this disclosure particularly urgent is its timing: it arrived in the same May 2026 advisory as CVE-2026-6973, a separate EPMM vulnerability that is already under active zero-day exploitation.
Ivanti EPMM (formerly MobileIron Core) is an enterprise mobile device management platform used by organizations worldwide to manage, secure, and enforce policy on mobile endpoints. It plays a central role in enterprise mobility architectures, often sitting at the intersection of identity, certificate, and access management systems. The Sentry component acts as a gateway that brokers access between managed devices and backend resources.
Technical Information
CVE-2026-5787 is rooted in CWE-295: Improper Certificate Validation. The CVSS 3.1 vector is AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L, yielding a score of 8.9. Several aspects of this vector are worth unpacking for defenders.
The attack vector is network-based (AV:N), meaning any attacker with network reachability to the EPMM instance can attempt exploitation. Attack complexity is rated high (AC:H), suggesting that specific conditions beyond the attacker's control must be met, but no privileges (PR:N) or user interaction (UI:N) are required. The scope change (S:C) is the most consequential indicator here: it tells us that a successful exploit crosses a trust boundary, compromising resources beyond the EPMM server itself.
Root Cause
The vulnerability lies in how the on-premises EPMM server validates the identity of Sentry hosts during certificate operations. EPMM maintains a trust relationship with registered Sentry appliances, and part of that relationship involves issuing CA-signed client certificates to legitimate Sentry hosts. The improper validation means EPMM does not adequately verify that a host requesting a certificate is, in fact, a legitimately registered Sentry instance.
Attack Flow
Based on the available information, the exploitation path follows this general sequence:
- The attacker identifies a network-reachable on-premises EPMM instance.
- The attacker crafts requests that impersonate a registered Sentry host, exploiting the insufficient certificate validation logic.
- EPMM, failing to properly validate the requesting host's identity, issues a valid CA-signed client certificate to the attacker.
- The attacker now possesses a trusted certificate that can be used to authenticate to other components in the MDM infrastructure, potentially accessing restricted information or pivoting deeper into the environment.
The scope change in the CVSS vector reflects this chain: the initial vulnerability is in EPMM, but the impact extends to any system that trusts the CA-signed certificates EPMM issues. In environments where Sentry mediates access to email, internal applications, or other backend services, a forged Sentry certificate could grant broad unauthorized access.
Sentry Is Not Directly Vulnerable
It is important to note that Sentry itself does not contain this vulnerability. The flaw is entirely within the EPMM server's validation logic. However, operational dependencies between EPMM and Sentry mean that version alignment is critical when applying updates. Organizations adding new Sentry servers after patching EPMM must use Sentry versions 10.4.2, 10.5.1, or 10.6.1 to maintain compatibility.
Cloud Deployments Are Unaffected
Ivanti has confirmed that the cloud-based Ivanti Neurons for MDM product is not affected by CVE-2026-5787. The vulnerability is specific to on-premises EPMM deployments, highlighting the differing risk exposures between legacy on-premises architectures and modern cloud-managed services.
Affected Systems and Versions
The following on-premises EPMM versions are vulnerable:
| Product Component | Vulnerable Versions | Fixed Versions |
|---|---|---|
| Ivanti EPMM 12.6.x | Before 12.6.1.1 | 12.6.1.1 |
| Ivanti EPMM 12.7.x | Before 12.7.0.1 | 12.7.0.1 |
| Ivanti EPMM 12.8.x | Before 12.8.0.1 | 12.8.0.1 |
For organizations adding new Sentry servers after the EPMM update, the following Sentry versions are required for compatibility:
| Sentry Version | Notes |
|---|---|
| 10.4.2 | Required only for new Sentry additions post-update |
| 10.5.1 | Required only for new Sentry additions post-update |
| 10.6.1 | Required only for new Sentry additions post-update |
Ivanti Neurons for MDM (cloud) is explicitly unaffected.
The fixed EPMM versions also include cumulative fixes for CVE-2026-1281 and CVE-2026-1340, so organizations that previously applied the January 2026 RPM package no longer need that separate remediation.
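A triage helper built from the two tables above, added here as an example and not Ivanti tooling. The hostnames and version strings are constructed, and treating any build at or above the fixed one within a listed branch as fixed is an assumption of this example.

```python
import re

# Fixed build per affected branch, copied from the EPMM table above.
EPMM_FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
# Sentry builds the page requires for Sentry servers added after the EPMM update.
SENTRY_FOR_NEW_ADDITIONS = {(10, 4, 2), (10, 5, 1), (10, 6, 1)}

# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    ("epmm-a.example.internal", "EPMM 12.6.1.0 Build 7"),
    ("epmm-b.example.internal", "12.7.0.1"),
    ("epmm-c.example.internal", "12.5.1.0"),
    ("epmm-d.example.internal", "unknown"),
]


def parse_version(text):
    """First dotted number in text as an int tuple, trailing zeros stripped."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in match.group().split(".")]
    while parts and parts[-1] == 0:
        parts.pop()  # so 12.6.1 and 12.6.1.0 compare equal
    return tuple(parts)


def classify_epmm(version_text):
    """'vulnerable', 'fixed', 'not-listed' (branch absent from the table) or 'unparsed'."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparsed"
    fixed = EPMM_FIXED.get(version[:2])
    if fixed is None:
        return "not-listed"  # the page says nothing about this branch
    return "fixed" if version >= fixed else "vulnerable"


def sentry_ok_for_new_addition(version_text):
    # Exact match only: the page names these three builds and no others.
    return parse_version(version_text) in SENTRY_FOR_NEW_ADDITIONS


def triage(inventory):
    """Group hosts by status so vulnerable and unresolved ones are easy to pull out."""
    report = {"vulnerable": [], "unparsed": [], "not-listed": [], "fixed": []}
    for host, version_text in inventory:
        report[classify_epmm(version_text)].append(host)
    return report
```

Hosts that come back `not-listed` or `unparsed` need a manual check against the vendor advisory rather than being read as safe.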
Vendor Security History
CVE-2026-5787 was disclosed alongside four other vulnerabilities in the same May 2026 advisory, painting a picture of a product under significant security scrutiny:
| CVE Identifier | CVSS Score | Exploitation Status | Description |
|---|---|---|---|
| CVE-2026-6973 | Not provided | Actively exploited (zero-day) | Requires admin authentication |
| CVE-2026-5786 | 8.8 | No known exploitation | Remote Code Execution, low privileges required |
| CVE-2026-5787 | 8.9 | No known exploitation | Improper Certificate Validation, no privileges required |
| CVE-2026-5788 | Not provided | No known exploitation | Allows attackers to invoke arbitrary methods |
| CVE-2026-7821 | Not provided | No known exploitation | Unauthenticated, requires Apple Device Enrollment configuration |
Ivanti has also disclosed and patched prior EPMM vulnerabilities in recent months, including CVE-2026-1281 and CVE-2026-1340, which were addressed in a January 2026 advisory. The vendor noted that their recent integration of advanced AI models into product security processes helped identify vulnerabilities that traditional tooling had missed, including some in this May 2026 advisory.



