FAIL › dossier
FedRAMP provider · · dossier confidence 20%
Ivanti is a private US-based IT management vendor with a critical security posture, evidenced by multiple high-severity RCE and credential exposure vulnerabilities in 2025-2026.
High-risk vendor with a pattern of critical unauthenticated RCE and credential exposure vulnerabilities in 2026, including multiple CVEs in Endpoint Manager and EPMM.
| Date | Event | Sev | Flags | Shame | Summary |
|---|---|---|---|---|---|
| 2026-06-11 | CVE-2026-10520 | high | ⚡RCE ⌖KEV | 85 | Ivanti Sentry allows remote unauthenticated root access via command injection when appliances are unmanaged and externally reachable. |
| 2026-04-08 | CVE-2026-1340 | high | ⚡RCE ⌖KEV | 85 | Ivanti EPMM allows unauthenticated remote code execution via code injection, enabling attackers to compromise endpoint management systems without credentials. |
| 2026-03-09 | CVE-2026-1603 | high | ⌖KEV | 85 | Ivanti Endpoint Manager allows remote unauthenticated attackers to bypass authentication and leak stored credentials via an alternate path. |
| 2026-05-07 | CVE-2026-6973 | high | ⚡RCE ⌖KEV | 65 | Ivanti EPMM allows remote code execution for authenticated admins via improper input validation. |
| Product | Status | Impact |
|---|---|---|
| Ivanti Neurons for ITSM (Formerly Service Manager) | Authorized | Moderate |
| Ivanti Neurons for MDM (Formerly MobileIron) | Authorized | Moderate |
Open questions: Ivanti's remediation timeline for 2026 CVEs · Impact of these vulnerabilities on CMMC compliance status