Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
Ivanti warns that a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) is being exploited in limited attacks, prompting CISA to add the flaw to its KEV catalog.

Ivanti has disclosed that a high-severity vulnerability in its Endpoint Manager Mobile (EPMM) product, tracked as CVE-2026-6973, is being exploited in limited, targeted attacks. The flaw, which carries a CVSS score of 7.2, stems from improper input validation and allows a remote authenticated user with administrative privileges to achieve remote code execution on affected systems.
The vulnerability impacts EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. Ivanti noted in its advisory that successful exploitation requires valid admin credentials, but warned that organizations that failed to rotate credentials following previous Ivanti vulnerabilities—specifically CVE-2026-1281 and CVE-2026-1340—may face elevated risk. The company stated it is aware of a 'very limited number of customers' affected by active exploitation.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply the available patches by May 10, 2026. This inclusion underscores the real-world threat posed by the flaw, even if exploitation remains limited in scope.
Alongside CVE-2026-6973, Ivanti patched four additional vulnerabilities in EPMM. These include CVE-2026-5786 (CVSS 8.8), an improper access control flaw enabling remote authenticated attackers to gain admin access; CVE-2026-5787 (CVSS 8.9), an improper certificate validation issue allowing unauthenticated attackers to impersonate Sentry hosts; CVE-2026-5788 (CVSS 7.0), another improper access control bug; and CVE-2026-7821 (CVSS 7.4), a certificate validation flaw that could lead to information disclosure.
Ivanti clarified that the vulnerabilities only affect the on-premises EPMM product and do not impact Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, or any other Ivanti products. The company urged customers to apply the latest patches immediately and to follow credential rotation recommendations to mitigate the risk of exploitation.
The active exploitation of CVE-2026-6973 continues a troubling pattern for Ivanti, which has faced multiple zero-day vulnerabilities in its enterprise products over the past year. The company's products are widely deployed in government and large enterprise environments, making them attractive targets for threat actors seeking persistent access to sensitive networks.
Organizations using Ivanti EPMM should prioritize patching and review their authentication logs for signs of unauthorized administrative activity. Given CISA's KEV inclusion, federal agencies face a hard deadline, but private sector organizations are strongly advised to act with similar urgency to prevent potential compromise.
Ivanti has released patches (versions 12.6.1.1, 12.7.0.1, and 12.8.0.1) for the flaw and advises customers to rotate admin credentials. Shadowserver reports over 850 EPMM instances remain exposed online, primarily in Europe and North America. Ivanti also patched four additional high-severity EPMM vulnerabilities (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, CVE-2026-7821) that are not yet known to be exploited.
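For teams working through an asset list, the following Python, added here as an illustration and not taken from Ivanti or its advisory, triages EPMM version strings against the per-branch fixed releases named above. The hostnames and version strings are constructed, and two behaviours are assumptions: branches older than 12.6 are treated as affected with 12.6.1.1 as the upgrade target, and branches newer than 12.8 are reported as unknown.

```python
import re

# Fixed release per branch, as listed in the article.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
OLDEST_BRANCH = min(FIXED)


def parse_version(text):
    """Parse 'A.B[.C[.D]]' plus an optional build suffix into a 4-tuple of ints."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?(?![\d.])", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def dotted(version):
    return ".".join(str(part) for part in version)


def triage(version_text):
    """Return (status, upgrade_target); status is affected, patched or unknown."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return ("unknown", None)
    branch = version[:2]
    if branch in FIXED:
        fixed = FIXED[branch]
        return ("patched", None) if version >= fixed else ("affected", dotted(fixed))
    if branch < OLDEST_BRANCH:
        # Assumption: no fix is listed for older branches, so they stay affected.
        return ("affected", dotted(FIXED[OLDEST_BRANCH]))
    # Assumption: the article says nothing about branches newer than 12.8.
    return ("unknown", None)


def triage_inventory(inventory):
    """Return (host, version, status, target) rows with affected hosts first."""
    order = {"affected": 0, "unknown": 1, "patched": 2}
    rows = [(host, ver, *triage(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda row: (order[row[2]], row[0]))


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "epmm-eu.example.internal": "12.7.0.0 Build 5",
    "epmm-us.example.internal": "12.8.0.1",
    "epmm-lab.example.internal": "12.5.0.2",
    "epmm-dr.example.internal": "not reported",
}

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Hosts reported as unknown need a manual version check before they can be counted as patched.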