CVE-2026-7821
Improper Certificate Validation in Ivanti EPMM
Publication date: 2026-05-07
Last updated on: 2026-05-07
Assigner: ivanti
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ivanti | endpoint_manager_mobile | 12.7.0.0 |
| ivanti | endpoint_manager_mobile | before 12.6.1.1 (exclusive) |
| ivanti | endpoint_manager_mobile | 12.8.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a remote unauthenticated attacker to enroll a device from a restricted set of unenrolled devices, leading to information disclosure about the EPMM appliance and impacting the integrity of the newly enrolled device identity.
Such information disclosure and integrity impact could potentially affect compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive information and device integrity.
However, specific effects on compliance with these standards are not detailed in the provided information.
Can you explain this vulnerability to me?
This vulnerability is an improper certificate validation issue in Ivanti EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1. It allows a remote unauthenticated attacker to enroll a device that belongs to a restricted set of unenrolled devices.
Because of this improper validation, the attacker can gain information about the EPMM appliance and affect the integrity of the newly enrolled device's identity.
How can this vulnerability impact me?
The vulnerability can lead to information disclosure about the EPMM appliance.
It also impacts the integrity of the identity of newly enrolled devices, potentially allowing unauthorized devices to be enrolled.