Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Critical

Unauthenticated arbitrary method invocation in Ivanti EPMM

IdentifiersCVE-2026-5788CWE-284· Improper Access Control

CVE-2026-5788 is an improper access control vulnerability in on-premises Ivanti Endpoint Manager Mobile (EPMM). A missing or insufficient access control check allows a remote, unauthenticated attacker to invoke arbitrary methods on a vulnerable EPMM appliance. The issue affects EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. Publicly available vendor and secondary reporting describe the flaw at a high level only; the specific vulnerable methods or endpoints have not been disclosed in the provided content. The weakness is classified as CWE-284.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthorized invocation of methods on the EPMM appliance without authentication. Based on the provided scoring and reporting, the primary impact is to integrity, with possible low confidentiality and availability impact. In practical terms, an attacker may be able to manipulate the EPMM management plane, alter configuration or policy-related state, and perform unauthorized actions exposed through the reachable methods. The provided content states there was no known in-the-wild exploitation of CVE-2026-5788 at the time of disclosure.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the EPMM appliance by restricting network access to management and application interfaces to trusted administrative networks only, and minimize or eliminate direct internet exposure where operationally feasible. Monitor the appliance and surrounding infrastructure for anomalous unauthenticated requests or unexpected management actions, although Ivanti stated there are no reliable atomic indicators of compromise for this issue. Apply the vendor update as the definitive mitigation.

Remediation

Patch, then assume compromise.

Upgrade Ivanti Endpoint Manager Mobile (EPMM) to a fixed version: 12.6.1.1, 12.7.0.1, or 12.8.0.1, as appropriate for the deployed branch. Ivanti states these releases remediate CVE-2026-5788 and also include fixes for earlier EPMM issues such as CVE-2026-1281 and CVE-2026-1340. The content indicates these are the vendor-supported corrective releases for affected on-premises deployments.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
IvantiEndpoint Manager Mobileapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

19 SOURCESView more in app
cysecurity newsNews
May 23, 2026
Ivanti Patches New EPMM Vulnerability Linked to Active Zero-Day Exploitation - CySecurity News - Latest Information Security and Hacking Incidents

A high-severity Ivanti EPMM vulnerability disclosed alongside CVE-2026-6973 that could potentially allow invocation of unauthorized methods.

Read more
help net securityNews
May 8, 2026
Ivanti EPMM vulnerability exploited in zero-day attacks (CVE-2026-6973) - Help Net Security

An improper access control vulnerability in Ivanti EPMM allowing a remote unauthenticated attacker to invoke arbitrary methods.

Read more
cyberscoopNews
May 7, 2026
Ivanti customers confront yet another actively exploited zero-day | CyberScoop

A high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) disclosed alongside CVE-2026-6973. The article provides no technical detail beyond patch availability and lack of observed exploitation.

Read more
the hacker newsNews
May 7, 2026
Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access

An improper access control vulnerability in Ivanti EPMM that allows a remote unauthenticated attacker to invoke arbitrary methods.

Read more
+11 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-5788
NVD
nvd.nist.gov/vuln/detail/CVE-2026-5788
MITRE CWE · CWE-284
Improper Access Control
Patch
hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs