Five new holes, one exploited, found in Ivanti Endpoint Manager Mobile

The five new vulnerabilities discovered in Ivanti’s on-premises mobile endpoint management solution are a “classic example of the legacy trap” that CSOs must avoid, says an expert.

“Patch today to survive the weekend,” said Robert Enderle of the Enderle Group, “but start planning your exit from legacy MDM as soon as possible.”

He was commenting on an advisory issued Thursday by Ivanti about the discovery of five holes in its Endpoint Manager Mobile (EPMM) suite. Updates for all are available.

The flaws are serious enough that the US Cybersecurity and Infrastructure Security Agency (CISA) added one of the vulnerabilities to its Known Exploited Vulnerabilities Catalog because it’s being actively exploited.

“This isn’t an isolated incident,” Enderle added. “It’s a continuation of the cycle we saw in January, suggesting an underlying architecture struggling to withstand modern threats.”

A “very limited number of customers” have been exploited through one of the vulnerabilities revealed this week, CVE-2026-6973: an improper input validation vulnerability in EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 that allows a remotely authenticated user with administrative access to perform remote code execution.

Johannes Ullrich, dean of research at the SANS Institute, told us that Ivanti is right to point out that exploitation of this hole does require administrative access, and that attackers may have obtained the necessary credentials through exploits of prior vulnerabilities. Rotating credentials is critical after patching an already exploited vulnerability, he said. “Even if no obvious signs of compromise are noted, it is hard to impossible to exclude a compromise. Best to rotate credentials even if no indicator of compromise was found.”

Ullrich also pointed out that in a blog post accompanying the advisory, Ivanti stated that it is using AI tools to proactively identify new vulnerabilities. “This may result in more vulnerability reports in the future,” he said. “I applaud Ivanti’s openness and willingness to publicly enumerate the vulnerabilities as they are being fixed. It is important for organizations using the Ivanti product (or any product) to understand the risks of not patching or of delaying the patch.”

The four other flaws are:

  • CVE-2026-5787, with a CVSS score of 8.9, an improper certificate validation that allows a remote and unauthenticated attacker to impersonate registered Ivanti Sentry security gateway hosts and obtain valid CA-signed client certificates;
  • CVE-2026-5786, with a CVSS score of 8.8, an improper access control vulnerability that allows a remote authenticated attacker to gain administrative access;
  • CVE-2026-5788, an improper input validation hole that allows a remotely authenticated user with admin privileges to execute code remotely.
    Ullrich said he is “surprised that Ivanti assigned such a low CVSS score, 7.0, to this vulnerability. The description sounds more severe, but there are insufficient details to determine how Ivanti evaluated this vulnerability”;
  • CVE-2026-7821, an improper certificate validation vulnerability that allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to the disclosure of information about the affected EPMM appliance.

Sentry doesn’t contain any of these vulnerabilities. However, Ivanti admins should be aware that if they add a new Sentry server after EPMM has been updated, they will need to use one of the new Sentry versions (10.4.2, 10.5.1 or 10.6.1).

To respond to the five new vulnerabilities in EPMM, Enderle said that CSOs must update to the resolved versions 12.6.1.1+ immediately, and rotate all administrative credentials. That’s because attackers who executed previous exploits may already hold the keys to bypass these fixes.

“Beyond the immediate patch,” he added, “verify that Apple Device Enrolment is disabled if not in use, and begin a strategic evaluation of whether these aging on-premises appliances still fit a Zero Trust model.”
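The remediation advice above hinges on one question an administrator has to answer for every appliance: is this build at or above the fixed version for its own release branch? A plain numeric comparison gets that wrong, because 12.7.0.0 is newer than 12.6.1.1 yet still vulnerable, since the fix on the 12.7 branch is 12.7.0.1. The following added example (not Ivanti's tooling, and not code from the article) implements the branch-aware check using only the EPMM and Sentry fixed versions named above; the hostnames, the inventory list and the function names are constructed for illustration.

```python
"""
Branch-aware version check for Ivanti EPMM and Sentry appliances against the
fixed versions named in the advisory discussed above. Added example, not
Ivanti's own tooling. Fixed-version numbers come from the article; the
inventory, hostnames and function names are constructed for illustration.
"""
from typing import Dict, Tuple

# Fixed EPMM versions per release branch (major.minor), as reported above.
EPMM_FIXED: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}

# A Sentry server added after the EPMM update must run one of these.
SENTRY_FIXED: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (10, 4): (10, 4, 2),
    (10, 5): (10, 5, 1),
    (10, 6): (10, 6, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.7.0.0' into (12, 7, 0, 0); reject anything non-numeric."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so '12.8.1' and '12.8.0.1' compare component-wise."""
    return v + (0,) * (width - len(v))


def assess(version: str, fixed_by_branch: Dict[Tuple[int, int], Tuple[int, ...]]) -> str:
    """
    Return 'patched', 'vulnerable' or 'unknown' for one appliance build.

    The comparison is per branch: a build is patched only if it is at or
    above the fixed version of its own major.minor line. Branches older than
    every fixed branch have no fix and must be upgraded; branches newer than
    any the advisory lists are reported as 'unknown' rather than guessed.
    """
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in fixed_by_branch:
        fixed = fixed_by_branch[branch]
        width = max(len(v), len(fixed))
        return "patched" if _pad(v, width) >= _pad(fixed, width) else "vulnerable"
    if branch < min(fixed_by_branch):
        return "vulnerable"  # predates all fixed branches: upgrade required
    return "unknown"  # newer than the advisory covers: check the vendor notice


# Constructed inventory; hostnames and versions are not from the article.
INVENTORY = [
    ("epmm-01.example.internal", "EPMM", "12.6.1.1"),
    ("epmm-02.example.internal", "EPMM", "12.7.0.0"),
    ("epmm-03.example.internal", "EPMM", "12.5.2.0"),
    ("sentry-01.example.internal", "Sentry", "10.5.1"),
    ("sentry-02.example.internal", "Sentry", "10.4.1"),
]


def review_inventory(inventory=INVENTORY) -> Dict[str, str]:
    """Map each host to its patch status using the table for its product."""
    tables = {"EPMM": EPMM_FIXED, "Sentry": SENTRY_FIXED}
    return {host: assess(ver, tables[product]) for host, product, ver in inventory}


if __name__ == "__main__":
    for host, status in review_inventory().items():
        print(f"{host:28} {status}")
```

Feed it whatever version list your CMDB or the appliance admin portal exports; anything reported as `vulnerable` is a host to patch now and, per the advice above, to rotate administrative credentials on afterwards, since a clean version number says nothing about whether credentials were taken before the update.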