External risk intelligence

Ivanti EPMM allows attackers to control your systems and data.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-5788

Ivanti EPMM has a critical flaw that lets attackers remotely control your systems and data without needing any login. This is urgent because it could expose your organization to significant risks.

5 Halo Surface Signal

Ivanti Endpoint Manager Mobile

before 12.6.1.1, 12.7.0.0, 12.8.0.0

External exposure likelihood

Ivanti EPMM is a mobile device management platform commonly deployed as an internet-facing gateway or portal to facilitate connectivity with mobile devices. The bulletin confirms the management interface is often publicly accessible, and the product is fundamentally designed to act as an edge service to manage remote devices over the internet, placing it in the public-facing category.

PCI scan relevance

Yes

CVE-2026-5788 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE involves improper access control in Ivanti EPMM, allowing arbitrary method invocation, which could lead to a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Ivanti Endpoint Manager Mobile allows an unauthenticated attacker to execute arbitrary code remotely. Teams should pay attention because this could let unauthorized individuals gain control over your mobile devices.

  • Attackers can trigger code execution.
  • No prior access is needed.
  • Affects Ivanti EPMM mobile management.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending a crafted request to Ivanti EPMM's management interface. This would allow them to call any method within the application, potentially leading to complete system compromise.

  • Remote, unauthenticated attacker
  • Target Ivanti EPMM management interface
  • Exploit requires direct network access

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows remote unauthenticated attackers to invoke arbitrary methods, which is a serious capability. Because Ivanti EPMM can serve as an internet-facing management gateway and the vulnerability is rated critical, it is likely to be a target for exploitation. Attackers favor such vulnerabilities because they offer broad access and control without requiring any prior compromise or user interaction.

  • Remote unauthenticated code execution potential.
  • Exposed management interface makes it a target.
  • Ivanti EPMM is an edge service.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize investigating Ivanti EPMM for versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1 due to a critical vulnerability allowing unauthenticated remote code execution. Given the exposure of EPMM as a gateway service, active exploitability is a high concern.

  • Update EPMM to 12.6.1.1, 12.7.0.1, or 12.8.0.1.
  • Block network access to EPMM if patching is delayed.
  • Monitor logs for unusual method invocations.

Frequently asked questions

What is Ivanti Endpoint Manager Mobile (EPMM)?

Ivanti Endpoint Manager Mobile (EPMM) is a platform used for managing mobile devices. It allows organizations to control and secure smartphones and tablets, ensuring that company data remains protected on these devices.

What type of vulnerability does CVE-2026-5788 represent?

CVE-2026-5788 is an Improper Access Control vulnerability. This weakness means that the software does not correctly enforce restrictions on who can access or modify certain functions, allowing an attacker to perform actions they shouldn't be able to.

How can an attacker exploit this vulnerability?

An attacker can exploit this by sending a specially crafted request over the network to the Ivanti EPMM management interface. This allows them to trigger the arbitrary invocation of methods within the application without needing any prior authentication or access.

Who should be concerned about CVE-2026-5788?

Organizations using Ivanti EPMM should be concerned, especially if their management interface is accessible from the internet. This product often acts as an edge service for managing remote devices, making it a potential target for external attackers.

What is the first step to address this vulnerability?

The immediate first step is to investigate your Ivanti EPMM installations for versions earlier than 12.6.1.1, 12.7.0.1, and 12.8.0.1. If patching is not immediately possible, blocking network access to EPMM is recommended as a mitigation.
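The version investigation described here and under "Operational Fix" can be scripted against an asset inventory. The following is an added example, not Ivanti's or this advisory's own tooling. It assumes each release branch (12.6, 12.7, 12.8) is compared against its own fixed build, treats branches older than 12.6 as affected, and uses a constructed inventory with made-up hostnames.

```python
# Fixed builds per release branch, as listed in the advisory text.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
OLDEST = min(FIXED)

# Constructed sample inventory: hostnames and versions are made up for this example.
INVENTORY = {
    "epmm-eu-01": "12.6.1.0",
    "epmm-eu-02": "12.6.1.1",
    "epmm-us-01": "12.7.0.0",
    "epmm-us-02": "12.8.0.1",
    "epmm-lab": "12.5.0.2",
    "epmm-dr": "n/a",
}


def parse_version(text):
    """Turn '12.7.0.0' into (12, 7, 0, 0); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    # Pad to four components so that '12.7' compares as 12.7.0.0.
    return tuple(int(p) for p in parts) + (0,) * max(0, 4 - len(parts))


def triage(version_text):
    """Classify one reported EPMM version as 'vulnerable', 'patched' or 'unknown'."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"  # unparseable: verify by hand, do not assume patched
    branch = version[:2]
    if branch < OLDEST:
        return "vulnerable"  # assumption: older branches predate 12.6.1.1
    if branch not in FIXED:
        return "unknown"  # branch not named in the advisory
    return "patched" if version >= FIXED[branch] else "vulnerable"


def needs_action(inventory):
    """Map host -> status for every host that is not confirmed patched."""
    statuses = {host: triage(ver) for host, ver in inventory.items()}
    return {host: s for host, s in statuses.items() if s != "patched"}


if __name__ == "__main__":
    for host, status in sorted(needs_action(INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" are kept in the action list on purpose, so that a missing or malformed version string is checked manually and never counted as patched.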
