Introduction
A missing access control check in Ivanti Endpoint Manager Mobile (EPMM) allows a remote, unauthenticated attacker to invoke arbitrary methods on the appliance, creating a direct path to integrity compromise without any credentials. This flaw, tracked as CVE-2026-5788 and rated CVSS 7.0, lands in a May 2026 advisory alongside four other high-severity vulnerabilities, one of which is already seeing limited exploitation in the wild.
Ivanti EPMM is an on-premises mobile device management solution used by enterprises to enforce policies and manage access across iOS, Android, and other platforms. Ivanti is a major player in the Unified Endpoint Management (UEM) market, and its platforms leverage artificial intelligence to manage user and device access across Windows, macOS, ChromeOS, Linux, iOS, and Android. EPMM deployments are common in organizations that require on-premises control over their mobile fleet, making vulnerabilities in this product particularly relevant to enterprise security teams.
Technical Information
CVE-2026-5788 is rooted in an Improper Access Control weakness (CWE-284) within Ivanti EPMM. The core issue is that certain methods exposed by the EPMM appliance can be invoked by a remote attacker without any authentication. The CVSS 3.1 vector string is AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L, which breaks down as follows:
| CVSS Metric | Value | Interpretation |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the network |
| Attack Complexity | High | Specific conditions must be met for exploitation |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No victim action required |
| Scope | Unchanged | Impact is confined to the vulnerable component |
| Confidentiality Impact | Low | Limited information disclosure possible |
| Integrity Impact | High | Significant modification of system data or behavior |
| Availability Impact | Low | Minor disruption possible |
The high integrity impact is the most notable element here. The ability to invoke arbitrary methods without authentication means an attacker could potentially alter system configuration, modify policies, or manipulate the management plane of the EPMM appliance. The high attack complexity rating suggests that exploitation is not trivial; specific conditions or a particular sequence of actions may be required to successfully trigger the flaw.
At the time of writing, publicly available vendor advisories and threat intelligence sources do not disclose which specific methods or API endpoints are vulnerable to unauthenticated invocation. Ivanti has also stated that there are no reliable atomic indicators of compromise available to detect exploitation of this flaw, which makes post-compromise forensics particularly challenging.
It is worth noting that this vulnerability was disclosed alongside four other CVEs in the same May 2026 advisory:
| CVE Identifier | Vulnerability Type | Authentication Required | Exploitation Status |
|---|---|---|---|
| CVE-2026-6973 | Improper Input Validation | Yes (Admin) | Limited exploitation observed |
| CVE-2026-5786 | Remote Code Execution | Yes (Low Privilege) | No evidence of exploitation |
| CVE-2026-5787 | Improper Certificate Validation | No | No evidence of exploitation |
| CVE-2026-5788 | Improper Access Control | No | No evidence of exploitation |
| CVE-2026-7821 | Information Disclosure | No | No evidence of exploitation |
Three of the five vulnerabilities in this batch, including CVE-2026-5788, require no authentication at all. The combination of an information disclosure flaw (CVE-2026-7821), a certificate validation bypass (CVE-2026-5787), and this arbitrary method invocation vulnerability creates a concerning attack surface for unauthenticated adversaries targeting EPMM appliances.
Mitigation Guidance
The primary and recommended mitigation is to upgrade to the fixed EPMM versions:
| Legacy Version Branch | Target Resolved Version | Additional Fixes Included |
|---|---|---|
| 12.6.x and prior | 12.6.1.1 | CVE-2026-1281, CVE-2026-1340 |
| 12.7.x | 12.7.0.1 | CVE-2026-1281, CVE-2026-1340 |
| 12.8.x | 12.8.0.1 | CVE-2026-1281, CVE-2026-1340 |
Upgrading to these versions also rolls in fixes for the critical January 2026 vulnerabilities (CVE-2026-1281 and CVE-2026-1340, both CVSS 9.8 code injection flaws), removing the need for previously distributed RPM package hotfixes.
The Centre for Cybersecurity Belgium strongly recommends installing these updates with the highest priority after thorough testing. Because no reliable indicators of compromise exist for CVE-2026-5788, prevention through patching is the only dependable defense.
Additionally, Ivanti strongly recommends that organizations review all accounts with administrative rights and rotate those credentials. This credential rotation reduces exposure from adjacent vulnerabilities disclosed in the same patch cycle, particularly CVE-2026-6973, which requires admin authentication and is already seeing limited exploitation.
Affected Systems and Versions
The vulnerability affects only the on-premises deployment of Ivanti Endpoint Manager Mobile (EPMM). The following versions are vulnerable:
- Ivanti EPMM versions in the 12.6.x branch prior to 12.6.1.1
- Ivanti EPMM versions in the 12.7.x branch prior to 12.7.0.1
- Ivanti EPMM versions in the 12.8.x branch prior to 12.8.0.1
The following products are explicitly not affected:
- Ivanti Neurons for MDM (cloud-based)
- Ivanti EPM (Endpoint Manager, the non-mobile product)
- Ivanti Sentry
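For fleet triage, the fixed-version table and the affected-version list above can be turned into a check over an inventory of installed EPMM versions. This is an added example, not vendor tooling; it assumes versions are recorded as dotted numeric strings, that builds at or above a branch's fixed version carry the fix, and the status labels and sample hostnames are constructed for illustration.

```python
# Fixed build per branch, copied from the advisory's mitigation table.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}


def parse_version(text):
    """Parse a dotted numeric version, padding to four fields (12.7 -> 12.7.0.0)."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def triage(version):
    """Return (status, upgrade_target) for one installed EPMM version."""
    v = parse_version(version)
    # The table's first row reads "12.6.x and prior": older branches map to 12.6.
    branch = (12, 6) if v[:2] < (12, 6) else v[:2]
    fixed = FIXED.get(branch)
    if fixed is None:
        return ("not-listed", None)  # branch the page gives no data for
    target = ".".join(map(str, fixed))
    # Assumption: any build at or above the fixed version carries the fix.
    return ("vulnerable", target) if v < fixed else ("fixed", target)


def triage_inventory(inventory):
    """Map each host to its triage result; bad version strings are flagged, not dropped."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = triage(version)
        except ValueError:
            report[host] = ("unparsed", None)
    return report


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    sample = {
        "mdm-01.example.internal": "12.5.0.0",
        "mdm-02.example.internal": "12.7.0.1",
        "mdm-03.example.internal": "12.8.0.0",
        "mdm-04.example.internal": "unknown",
    }
    for host, (status, target) in triage_inventory(sample).items():
        print(f"{host}: {status}" + (f" -> {target}" if status == "vulnerable" else ""))
```

Hosts reported as `unparsed` or `not-listed` need manual review rather than being treated as safe.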
Vendor Security History
Ivanti's EPMM product has seen a notable concentration of critical vulnerabilities in 2026. In January 2026, the vendor disclosed CVE-2026-1281 and CVE-2026-1340, both code injection vulnerabilities carrying a CVSS score of 9.8 that allowed unauthenticated remote code execution. The May 2026 advisory then added five more high-severity vulnerabilities to the list, with one (CVE-2026-6973) already under limited active exploitation at the time of disclosure. This pattern of recurring critical and high-severity findings in the EPMM codebase warrants close attention from organizations that depend on this product for mobile device management.
References
- Ivanti May 2026 Security Advisory: EPMM Multiple CVEs
- Centre for Cybersecurity Belgium Advisory
- BleepingComputer: Ivanti warns of new EPMM flaw exploited in zero day attacks
- Ivanti January 2026 Security Advisory: EPMM CVE-2026-1281 and CVE-2026-1340
- Canadian Centre for Cyber Security Advisory AV26-068
- CIS Advisory: Multiple Vulnerabilities in Ivanti EPMM
- Computerworld: UEM Buyer's Guide



