- Last update: 07/06/2026
- Affected software: Ivanti Endpoint Manager Mobile (EPMM) before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1
- Type: Remote Code Execution, Improper Access Control, Improper Certificate Validation
- CVE/CVSS:
  - CVE-2026-5786: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  - CVE-2026-5787: CVSS 8.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L)
  - CVE-2026-5788: CVSS 7.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L)
  - CVE-2026-6973: CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
  - CVE-2026-7821: CVSS 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPMM is a Unified Endpoint Management (UEM) platform designed to secure and manage mobile devices, applications, and content.
Ivanti is aware of a limited number of customers who have been exploited through CVE-2026-6973. If exploited, this could lead to data breaches, system compromise, and operational downtime, impacting the confidentiality, integrity, and availability of critical businesses.
Updating to the latest versions also applies patches for 4 (four) additional newly discovered vulnerabilities, as well as fixes for the two exploited vulnerabilities that were published in January 2026 (CVE-2026-1281 and CVE-2026-1340).
Ivanti has a high degree of confidence that the administrative credentials used to exploit CVE-2026-6973 came from previous exploitation of CVE-2026-1340 published in January 2026. Further information on the vulnerabilities of January 2026 can be found here: https://ccb.belgium.be/advisories/warning-remote-code-execution-ivanti-epmm-endpoint-manager-mobile-patch-immediately.
Since CVE-2026-6973 requires authentication, it is advised to further review accounts with Admin rights and rotate those credentials where necessary.
Ivanti has released security updates for several high severity vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM).
CVE-2026-6973 is an Improper Input Validation vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. Successful exploitation allows a remotely authenticated user with administrative access to achieve remote code execution. Currently, a limited number of exploitations have been observed.
CVE-2026-5786 is an Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. Successful exploitation could allow a remote authenticated attacker to gain administrative access.
CVE-2026-5787 is an Improper Certificate Validation vulnerability affecting Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. Successful exploitation could allow a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.
CVE-2026-7821 is an Improper Certificate Validation vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. Successful exploitation allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about the EPMM appliance and impacting the integrity of the newly enrolled device’s identity.
CVE-2026-5788 is an Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. It allows a remote unauthenticated attacker to invoke arbitrary methods.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
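To prioritise patching across several appliances, the fixed versions listed above can be turned into a per-branch triage check. The following is an added example, not code from the CCB or Ivanti; the inventory hostnames and version strings are constructed, and the version-string format and the handling of branches the advisory does not name are assumptions stated in the comments.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}

def parse_version(text):
    """Return the dotted version as a 4-tuple of ints, or None if unparseable.

    Assumption: the inventory reports 2 to 4 dotted numbers, optionally followed
    by build text (e.g. "12.7.0.0 Build 5"); missing trailing parts count as 0.
    """
    m = re.match(r"\s*(\d+(?:\.\d+){1,3})(?![.\d])", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(version_text):
    """Classify one EPMM version string against the advisory's fixed releases."""
    v = parse_version(version_text)
    if v is None:
        return "UNKNOWN"        # never report an unparseable host as safe
    branch = v[:2]
    if branch in FIXED:
        return "PATCHED" if v >= FIXED[branch] else "VULNERABLE"
    if branch < min(FIXED):
        return "VULNERABLE"     # older branch: below every fixed release
    return "REVIEW"             # assumption: newer branch, not named in the advisory

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = {
    "epmm-a.example.internal": "12.6.1.1",
    "epmm-b.example.internal": "12.7.0.0 Build 5",
    "epmm-c.example.internal": "12.5.0.4",
    "epmm-d.example.internal": "12.8.0.1",
    "epmm-e.example.internal": "12.9.0.0",
    "epmm-f.example.internal": "unknown",
}

def report(inventory):
    """Map each status to the sorted list of hosts in that state."""
    out = {}
    for host, ver in inventory.items():
        out.setdefault(triage(ver), []).append(host)
    return {status: sorted(hosts) for status, hosts in out.items()}

if __name__ == "__main__":
    for status, hosts in sorted(report(INVENTORY).items()):
        print(f"{status:10} {', '.join(hosts)}")
```

A PATCHED result reflects the installed version only; the review of accounts with Admin rights and the credential rotation advised above still apply to appliances that ran a vulnerable version.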
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.