A high-severity Ivanti Endpoint Manager Mobile (EPMM) vulnerability, CVE-2026-6973, was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on May 7, 2026, the same day Ivanti released patches. This improper input validation flaw allows Remote Code Execution (RCE) for remotely authenticated administrative users on on-premise EPMM systems. Its impact stems from EPMM's role in mobile device management, policy enforcement, and identity integrations, making it a target for lateral movement once credentials are compromised. Federal Civilian Executive Branch (FCEB) agencies have until May 10, 2026, to apply the fix, reflecting the urgent threat active exploitation poses.

What Happened

CISA added CVE-2026-6973 to its KEV Catalog on May 7, 2026, within hours of Ivanti disclosing the vulnerability and releasing patches. This improper input validation flaw affects Ivanti EPMM versions 12.8.0.0 and prior, allowing a remotely authenticated administrator to achieve Remote Code Execution (RCE) on on-premise deployments, as reported by BleepingComputer, SecurityWeek, and TheHackerNews. Although its CVSS score is 7.2, the "High" severity rating combined with evidence of active exploitation prompted immediate KEV inclusion by CISA, an authoritative source for actively exploited vulnerabilities.

Ivanti stated that a "very limited number of customers" had been affected by exploitation of CVE-2026-6973. The exploit requires administrative credentials, which Ivanti noted could have been compromised in earlier attacks such as those targeting CVE-2026-1281 and CVE-2026-1340, or obtained through other initial access methods. Alongside CVE-2026-6973, Ivanti concurrently addressed four other high-severity vulnerabilities in EPMM, although these are not currently known to be actively exploited. They include CVE-2026-5786 (CVSS 8.8, improper access control leading to privilege escalation) and CVE-2026-5787 (CVSS 8.9, improper certificate validation enabling impersonation).

Why It Matters

This RCE matters because Ivanti EPMM instances sit at the nexus of mobile device management, policy enforcement, and critical identity integrations such as Single Sign-On (SSO) and LDAP. An attacker gaining RCE on an EPMM system, even with pre-compromised admin credentials, establishes a high-privilege foothold for extensive lateral movement within an organization's network. Shadowserver Foundation tracked over 800 internet-exposed Ivanti EPMM instances globally as of May 7, 2026, primarily in Europe and North America, representing a substantial attack surface.

CISA's directive for Federal Civilian Executive Branch (FCEB) agencies to patch Ivanti EPMM CVE-2026-6973 by May 10, 2026, indicates the severity of the vulnerability and the likely sophistication of the threat actors involved. Zero-day exploitation against Ivanti products is frequently attributed to state-sponsored groups, often with suspected ties to Chinese threat actors. This pattern of immediate KEV inclusion for Ivanti flaws, particularly after earlier zero-days like CVE-2026-1281 and CVE-2026-1340, confirms that these systems are persistent high-value targets. Compromising EPMM is about gaining access to sensitive configurations, user identities, and potentially the entire organizational network.

Affected Scope & Remediation

Ivanti EPMM versions 12.8.0.0 and prior are vulnerable to CVE-2026-6973. Organizations running these on-premise instances are exposed, especially if they have not rotated administrative credentials since the January 2026 exploitation of CVE-2026-1281 and CVE-2026-1340. Patch Ivanti EPMM CVE-2026-6973 immediately. Federal Civilian Executive Branch (FCEB) agencies face a hard deadline of May 10, 2026, to apply the updates as mandated by CISA's binding operational directive. Ivanti released patches on May 7, 2026, the same day as disclosure (0 days), but exploitation was already under way, so every day an instance remains unpatched is a day of exposure to active attacks.

Beyond applying the patches, review and rotate all administrative credentials associated with Ivanti EPMM, particularly if there’s any suspicion of prior compromise or if these credentials have not been changed since January 2026. Implement endpoint detection and response (EDR) solutions like CrowdStrike Falcon or SentinelOne across all managed endpoints to detect post-exploitation activity and lateral movement. Given the requirement for authenticated admin access, tighten access controls, enforce strong multi-factor authentication (MFA), and continuously monitor for anomalous logins to EPMM. Ensure logging for EPMM is comprehensive and regularly reviewed for suspicious activity, as specified by NIST SP 800-53 control AU-2 Event Logging.
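The paragraph above calls for continuous monitoring of anomalous administrative logins to EPMM. The following is an added example, not code from the page or from Ivanti, showing the kind of checks a detection engineer would run over admin login records: successful logins from outside a trusted management network, successful logins outside business hours, a known account appearing from a source address it has never used before, and one source address trying several distinct admin accounts. The log line layout, field names, the trusted network range and the business-hours window are all assumptions constructed for the example; EPMM's real log format will differ and the parser would need to be adapted to it.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample records. The layout (timestamp, event, key=value pairs) is an
# assumption for this example and is NOT Ivanti's actual EPMM audit log format.
SAMPLE_LOG = """\
2026-05-06T08:02:11Z admin_login user=mdm-admin src=10.20.5.14 result=success
2026-05-06T08:40:03Z admin_login user=mdm-admin src=10.20.5.14 result=success
2026-05-07T02:13:45Z admin_login user=mdm-admin src=203.0.113.77 result=success
2026-05-07T02:14:02Z admin_login user=svc-backup src=203.0.113.77 result=success
2026-05-07T02:15:30Z admin_login user=helpdesk1 src=203.0.113.77 result=failure
2026-05-07T09:05:00Z admin_login user=helpdesk1 src=10.20.7.3 result=success
"""

# Assumed management network from which admin access is expected, and an assumed
# working-hours window in UTC. Both are policy inputs a real deployment would set.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 UTC

Finding = Tuple[str, str, str]  # (kind, subject, detail)


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    src: str
    ok: bool


def parse(log: str) -> List[Login]:
    """Parse the constructed key=value admin_login lines into Login records."""
    logins: List[Login] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event, *pairs = line.split()
        if event != "admin_login":
            continue
        fields = dict(p.split("=", 1) for p in pairs)
        # Python 3.9/3.10 fromisoformat does not accept a trailing "Z".
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        logins.append(Login(when, fields["user"], fields["src"], fields["result"] == "success"))
    return logins


def is_trusted(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def detect(logins: List[Login]) -> List[Finding]:
    """Return findings for the four anomaly classes described in the lead-in."""
    findings: List[Finding] = []
    sources_seen: Dict[str, Set[str]] = defaultdict(set)   # user -> sources with a prior success
    users_per_src: Dict[str, Set[str]] = defaultdict(set)  # source -> accounts attempted
    for l in logins:
        users_per_src[l.src].add(l.user)  # failures count too: spraying shows up here
        if not l.ok:
            continue
        if not is_trusted(l.src):
            findings.append(("untrusted-source", l.user, l.src))
        if l.ts.hour not in BUSINESS_HOURS:
            findings.append(("off-hours", l.user, l.ts.isoformat()))
        if sources_seen[l.user] and l.src not in sources_seen[l.user]:
            findings.append(("new-source", l.user, l.src))
        sources_seen[l.user].add(l.src)
    for src, users in users_per_src.items():
        if len(users) >= 3:
            findings.append(("multi-account", src, str(len(users))))
    return findings


def run_sample() -> List[Finding]:
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, subject, detail in run_sample():
        print(f"{kind:17} {subject:14} {detail}")
```

The "new-source" check is deliberately stateful: it only fires once an account has an established history, which is why the first login from 203.0.113.77 is flagged for mdm-admin but not for svc-backup. In production the per-user source baseline would be persisted across runs rather than rebuilt from a single batch.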

Product     | Version Range      | Fixed Version
Ivanti EPMM | 12.8.0.0 and prior | 12.8.1.0, 12.7.2.0, 12.2.1.3
[Chart: Key metrics — data from sources cited above]

Timeline:

  • Disclosure Date (Ivanti): May 7, 2026
  • Patch Release Date (Ivanti): May 7, 2026
  • CISA KEV Addition: May 7, 2026
  • Exploitation known: 0 days after patch release
  • CISA KEV Deadline for FCEB Agencies: May 10, 2026

NVD advisory — CVE-2026-6973

Technical Breakdown

CVE-2026-6973 is an improper input validation vulnerability. The Ivanti EPMM system trusts data provided by an authenticated administrative user without sufficient scrutiny or sanitization. This trust allows an attacker, who already possesses valid administrative credentials, to inject malicious code or commands through an application input field. Think of it like this: a bouncer at a club (authentication) rigorously checks your ID at the door. Once you're inside, however, they let you write anything you want on a public whiteboard, and the club owner then blindly acts on whatever you've written, even if it's destructive instructions. The bouncer did their job, but the content on the whiteboard wasn't validated.

The EPMM system expects specific data types or formats in its various input fields. By failing to validate these inputs, an attacker can bypass the intended logic and execute arbitrary code on the underlying server. Because EPMM manages core mobile infrastructure and often integrates with critical identity systems, successful exploitation means an attacker can run commands with the elevated privileges of the EPMM server itself. This could involve creating new administrative users, modifying sensitive system configurations, or exfiltrating data directly from the compromised system. The attack chain likely begins with an attacker first obtaining administrative credentials through prior means, such as the exploitation of older Ivanti flaws like CVE-2026-1281 and CVE-2026-1340, or through less sophisticated methods like password spraying.
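The two paragraphs above describe the general defect class: an authenticated administrator's input is trusted and reaches a sensitive sink without being checked against the type or format the application expects. The following is an added, generic illustration of that class and its fix, not Ivanti's code and not a description of how CVE-2026-6973 itself works. It assumes a hypothetical management console that takes a device identifier, a target hostname and an action name from an administrator. The weak form splices the hostname into a shell command string; the hardened form validates each field against an explicit format or allowlist and then builds an argument vector so no shell ever parses the value. Field names, patterns and the allowed action set are all constructed for the example.

```python
import ipaddress
import re
import subprocess
from typing import List

# Hypothetical admin-supplied fields for a management console (constructed for this
# example, not Ivanti's field names). Each gets an explicit, narrow definition of "valid".
DEVICE_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
HOSTNAME_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
ALLOWED_ACTIONS = {"lock", "wipe", "locate"}  # assumed allowlist


class InvalidInput(ValueError):
    """Raised when an admin-supplied value does not match its expected format."""


def validate_device_id(value: str) -> str:
    if not DEVICE_ID_RE.fullmatch(value):
        raise InvalidInput(f"device_id rejected: {value!r}")
    return value


def validate_target_host(value: str) -> str:
    """Accept an IPv4/IPv6 literal or a well-formed DNS name; reject everything else."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if len(value) > 253:
        raise InvalidInput("hostname too long")
    labels = value.rstrip(".").split(".")
    if not all(HOSTNAME_LABEL_RE.fullmatch(label) for label in labels):
        raise InvalidInput(f"hostname rejected: {value!r}")
    return value


def validate_action(value: str) -> str:
    # Allowlist, not denylist: only names the application knows are accepted.
    if value not in ALLOWED_ACTIONS:
        raise InvalidInput(f"action rejected: {value!r}")
    return value


def unsafe_command(host: str) -> str:
    # The anti-pattern described in the text: the admin passed authentication, but
    # whatever they typed is spliced straight into a string a shell will interpret.
    return f"ping -c 1 {host}"


def safe_command(host: str) -> List[str]:
    # Hardened form: validate first, then build an argv list. With a list and
    # shell=False there is no shell parsing step for metacharacters to influence.
    return ["ping", "-c", "1", validate_target_host(host)]


def run_safe(host: str) -> int:
    return subprocess.run(safe_command(host), check=False, capture_output=True).returncode


if __name__ == "__main__":
    # Constructed inputs: well-formed values are accepted, malformed ones are refused
    # before any command is built.
    for candidate in ("mdm.example.com", "10.0.0.1", "10.0.0.1;whoami", "-evil.example.com"):
        try:
            print("accepted", safe_command(candidate))
        except InvalidInput as exc:
            print("rejected", exc)
```

Note the difference in where the check happens: `unsafe_command` would happily return a string containing the semicolon, because the only gate it relies on is the login. `safe_command` fails closed on the same input, and even a value that slipped past the pattern would be passed as a single argument rather than parsed by a shell.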

This vulnerability maps to MITRE ATT&CK technique T1190 Exploit Public-Facing Application if the EPMM instance is internet-exposed, which many Ivanti installations are. If administrative credentials were obtained through other means, T1078 Valid Accounts is highly relevant as a preceding step. Post-exploitation, an attacker could achieve T1068 Exploitation for Privilege Escalation if the initial RCE provides lower-than-system privileges, or more broadly, use the RCE for further T1059.001 PowerShell or other command-line execution for persistence or data access. From a NIST SP 800-53 perspective, this highlights failures in SI-10 Information Input Validation and reinforces the need for IA-5 Authenticator Management and CM-6 Configuration Settings to prevent credential reuse or weak configurations that facilitate initial access.

Historical Context

This is not Ivanti's first encounter with actively exploited zero-days in its EPMM product. In January 2026, the company disclosed and patched two other critical code-injection vulnerabilities, CVE-2026-1281 and CVE-2026-1340, which were also actively exploited in zero-day attacks. Those flaws, also affecting EPMM, allowed unauthenticated remote code execution, making them arguably even more severe than CVE-2026-6973, which requires prior administrative authentication. CISA responded rapidly to the January incidents, issuing a binding directive in April 2026 that required federal agencies to patch against CVE-2026-1340 attacks within four days.

The key similarity across these incidents is the persistent targeting of Ivanti EPMM by sophisticated threat actors, often linked to nation-states, to gain initial access or maintain persistence within critical networks. The primary difference with CVE-2026-6973 is the requirement for authenticated admin access, implying an attacker may already have a foothold or compromised credentials. In contrast, the January exploits often allowed for unauthenticated entry. This recurring pattern shows the need for extraordinary vigilance and a defensive posture that assumes Ivanti infrastructure is a continuous, high-priority target for adversaries.

Data at a Glance

Metric                       | Value              | Source
CVSS Score (CVE-2026-6973)   | 7.2                | NVD
CISA FCEB Patch Deadline     | 3 days             | CISA KEV Catalog
Exploitation Status          | Actively Exploited | BleepingComputer
Internet-Exposed Instances   | 800+               | Shadowserver Foundation via SecurityWeek
Ivanti EPMM Zero-Days (2026) | 3                  | TheHackerNews

Our Take

We're seeing a clear pattern with Ivanti EPMM: it's a high-value target for sophisticated threat actors, and the cycle of zero-day disclosure, active exploitation, and KEV catalog additions is becoming routine. The fact that this specific vulnerability requires authenticated administrative access strongly suggests a likely pre-existing foothold or a successful credential compromise, possibly stemming from previous Ivanti exploits. This is about re-evaluating the security posture around our most critical infrastructure management tools. We need to assume these systems are persistently targeted and bake in strong credential hygiene, continuous monitoring, and strict network segmentation around them.

The CVEDaily Take

Ivanti EPMM continues to be a hot zone for state-backed adversaries. The rapid KEV addition, even for an authenticated RCE, confirms that compromised administrative accounts are a constant threat vector for these high-privilege systems. If you're running EPMM, assume your admin credentials are under attack or already compromised.

Have you audited your EPMM administrative access logs for anomalous activity in the last 6 months, especially post-January's zero-days?

FAQ

Q: What is the primary risk of CVE-2026-6973 if it requires administrative authentication?
A: Even with administrative authentication, CVE-2026-6973 allows Remote Code Execution (RCE). This is critical because EPMM systems manage mobile devices and integrate with identity platforms, meaning an attacker with compromised admin credentials can gain a privileged foothold for lateral movement, data exfiltration, or further system compromise.

Q: How does this vulnerability relate to previous Ivanti EPMM exploits this year?
A: CVE-2026-6973 continues a trend of active exploitation against Ivanti EPMM. While it requires authentication, unlike the unauthenticated RCEs from CVE-2026-1281 and CVE-2026-1340 in January, Ivanti suggests prior credential compromises could be an exploitation path, highlighting the persistent targeting and potential for attack chaining.

Q: Besides patching, what immediate actions should organizations take for Ivanti EPMM?
A: Beyond applying patches for CVE-2026-6973 and the other four high-severity vulnerabilities, immediately rotate all administrative credentials for Ivanti EPMM. Review access logs for suspicious activity, enforce strong multi-factor authentication (MFA) with tools like YubiKey, and ensure network segmentation limits exposure of EPMM instances to mitigate further risks.