External risk intelligence

Attacker can impersonate Ivanti EPMM servers to steal client certificates.

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-5787

An attacker can impersonate Ivanti EPMM servers to steal legitimate client certificates, potentially compromising sensitive data and mobile device management. This is a critical vulnerability due to its internet-facing exposure and unauthenticated remote attack possibility.

Halo Surface Signal score: 5

Ivanti Endpoint Manager Mobile

Affected versions: before 12.6.1.1; 12.7.0.0; 12.8.0.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-5787

Ivanti EPMM is a mobile device management platform with components like Sentry, which are designed to be accessible to remote devices over the internet for policy updates. As a centralized gateway for mobile infrastructure, these interfaces are routinely deployed as internet-facing services to maintain connectivity with off-network endpoints.

PCI scan relevance

PCI Relevance for CVE-2026-5787

Yes

CVE-2026-5787 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Ivanti EPMM could allow an attacker to impersonate Sentry hosts, potentially leading to a PCI scan failure due to the critical nature of certificate validation bypass.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Ivanti EPMM could allow an attacker to impersonate mobile device management servers and obtain legitimate client certificates. This is a serious concern because it undermines trust in your mobile infrastructure and could lead to further compromise of sensitive data.

  • Attacker can impersonate servers.
  • Legitimate certificates can be stolen.
  • Impacts mobile device management.

Attack Path

How an attacker could exploit the issue

An unauthenticated remote attacker could exploit this flaw to impersonate registered Sentry hosts. By doing so, they can obtain valid CA-signed client certificates, which could then be used to gain unauthorized access to sensitive resources or to further compromise the network.

  • Network accessible endpoint.
  • No authentication required.
  • Obtain valid client certificates.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Ivanti EPMM allows unauthenticated attackers to impersonate Sentry hosts and obtain valid client certificates. Such a capability is highly attractive to attackers as it could enable further lateral movement within an organization's network or the circumvention of security controls by presenting as a legitimate device. The potential for broad impact and ease of exploitation makes this a concerning vulnerability.

  • Remote, unauthenticated attack vector.
  • Can bypass authentication and gain trust.
  • Directly impacts device management infrastructure.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Ivanti EPMM to address the critical vulnerability that allows unauthenticated remote attackers to impersonate Sentry hosts. This impersonation can lead to valid, CA-signed client certificates being issued to the attacker, enabling them to bypass authentication and potentially access sensitive resources. If patching is not immediately feasible, implement network-level controls to restrict access to the EPMM service.

  • Update to version 12.6.1.1, 12.7.0.1, or 12.8.0.1.
  • Restrict network access to EPMM.
  • Monitor for anomalous Sentry host behavior.
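One way to operationalize the "monitor for anomalous Sentry host behavior" step, as an added example that is not Ivanti's code or part of this advisory: it compares client-certificate issuance events against an administrator-maintained inventory of registered Sentry hosts and their source addresses. The event format, field names and the inventory are constructed assumptions, not EPMM's real log schema.

```python
import re
from collections import Counter

# Constructed sample events in a hypothetical format; the advisory does not
# give EPMM's real log schema, so these field names are assumptions.
SAMPLE_EVENTS = """\
2026-03-01T10:00:01Z cert_issued sentry=sentry01.corp.example src=10.0.5.10
2026-03-01T10:05:12Z cert_issued sentry=sentry02.corp.example src=10.0.5.11
2026-03-01T10:07:44Z cert_issued sentry=sentry01.corp.example src=203.0.113.7
2026-03-01T10:09:02Z cert_issued sentry=sentry99.corp.example src=198.51.100.4
2026-03-01T10:09:30Z cert_issued sentry=sentry02.corp.example src=10.0.5.11
2026-03-01T10:09:41Z cert_issued sentry=sentry02.corp.example src=10.0.5.11
2026-03-01T10:09:55Z cert_issued sentry=sentry02.corp.example src=10.0.5.11
"""

# Assumed inventory of registered Sentry hosts and their expected source
# addresses, kept by the EPMM administrator outside the product.
REGISTERED = {
    "sentry01.corp.example": {"10.0.5.10"},
    "sentry02.corp.example": {"10.0.5.11"},
}

EVENT_RE = re.compile(r"^(?P<ts>\S+) cert_issued sentry=(?P<sentry>\S+) src=(?P<src>\S+)$")

def parse_events(text):
    """Return (timestamp, sentry, src) tuples; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["sentry"], m["src"]))
    return events

def find_anomalies(events, registered, burst_threshold=3):
    """Flag issuances that do not fit the inventory: an identity that is not
    registered, a known identity arriving from an unknown address, or one
    identity receiving more than burst_threshold certificates in the window."""
    findings = []
    per_host = Counter()
    for ts, sentry, src in events:
        per_host[sentry] += 1
        if sentry not in registered:
            findings.append((ts, sentry, src, "unregistered_sentry"))
        elif src not in registered[sentry]:
            findings.append((ts, sentry, src, "unexpected_source"))
        if per_host[sentry] == burst_threshold + 1:  # fire once per host
            findings.append((ts, sentry, src, "issuance_burst"))
    return findings
```

Each finding is a candidate for review against the Sentry inventory; a hit for an unregistered identity or an unexpected source address is the pattern an impersonation of a Sentry host would leave in such records.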

Frequently asked questions

What is Ivanti Endpoint Manager Mobile (EPMM)?

Ivanti Endpoint Manager Mobile (EPMM) is a software solution used for managing mobile devices within an organization. It helps administrators control and secure smartphones and tablets, ensuring compliance with company policies and protecting sensitive data.

What kind of weakness does CVE-2026-5787 represent?

CVE-2026-5787 is classified as an Improper Certificate Validation weakness (CWE-295). This means the software does not correctly verify the authenticity of digital certificates, allowing a malicious actor to trick the system into accepting a fake certificate as genuine.

How can an attacker exploit this vulnerability?

An attacker can exploit this by impersonating a registered Sentry host, which is a component of Ivanti EPMM. This allows them to obtain valid, CA-signed client certificates. The vulnerability is triggered by a remote, unauthenticated attacker and does not require any specific user interaction to exploit.

Who should be concerned about this vulnerability?

Organizations using Ivanti EPMM should be concerned. The Halo Surface Signal indicates this vulnerability is very likely external, meaning the affected components, like Sentry, are often internet-facing to manage mobile devices. This makes them accessible to remote attackers.

What are the first steps to respond to this threat?

The immediate first step is to update Ivanti EPMM to a patched version: 12.6.1.1, 12.7.0.1, or 12.8.0.1. If patching isn't possible right away, restrict network access to the EPMM service to limit potential exposure.
