VYPR
kev · Published May 7, 2026 · Updated May 18, 2026 · 1 source

Ivanti EPMM CVE-2026-6973 Under Active Exploitation, CISA Adds to KEV

Ivanti warns that a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) is being exploited in limited attacks, prompting CISA to add the flaw to its Known Exploited Vulnerabilities catalog.

Ivanti has disclosed that a high-severity vulnerability in its Endpoint Manager Mobile (EPMM) product, tracked as CVE-2026-6973, is being actively exploited in limited attacks. The flaw, which carries a CVSS score of 7.2, stems from improper input validation and allows a remotely authenticated user with administrative access to achieve remote code execution on affected systems. Ivanti released an advisory today confirming the exploitation and urging customers to apply patches immediately.

The vulnerability affects EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. Ivanti noted that successful exploitation requires administrative authentication, and that customers who followed the company's January recommendation to rotate credentials after previous vulnerabilities (CVE-2026-1281 and CVE-2026-1340) have significantly reduced their risk. The company did not attribute the attacks to any specific threat actor or disclose whether any attacks were successful.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply the available patches by May 10, 2026. This inclusion underscores the severity of the threat and the urgency for federal agencies to act.

In addition to CVE-2026-6973, Ivanti patched four other vulnerabilities in EPMM as part of the same advisory. These include CVE-2026-5786 (CVSS 8.8), an improper access control flaw allowing remote authenticated attackers to gain administrative access; CVE-2026-5787 (CVSS 8.9), an improper certificate validation issue enabling remote unauthenticated attackers to impersonate registered Sentry hosts; CVE-2026-5788 (CVSS 7.0), another improper access control vulnerability; and CVE-2026-7821 (CVSS 7.4), an improper certificate validation flaw that could lead to information disclosure.

Ivanti clarified that the vulnerabilities only affect the on-premises EPMM product and do not impact Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, or any other Ivanti products. The company has released patches for all five vulnerabilities and strongly recommends that customers upgrade to the latest supported versions.

The active exploitation of CVE-2026-6973 continues a troubling pattern for Ivanti, which has faced multiple zero-day vulnerabilities in its products over the past year. The company has been working to improve its security posture and response times, but the repeated exploitation of its enterprise mobility management software highlights the persistent risks facing organizations that rely on such platforms.

Organizations using Ivanti EPMM should prioritize patching and review their credential rotation policies. The CISA KEV inclusion means federal agencies have a hard deadline, but private sector organizations are also strongly advised to act quickly to mitigate the risk of compromise.
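To support the patch prioritization described above, here is an added triage example (not Ivanti's or CISA's code) that classifies an inventory of EPMM versions against the fixed releases named in this article. It assumes each fixed release applies to its own 12.x branch, so a simple "greater than 12.6.1.1" comparison would wrongly clear 12.7.0.0; the host names and versions in the inventory are constructed.

```python
# Added example, not vendor code. Assumption: each fixed release named in the
# article (12.6.1.1, 12.7.0.1, 12.8.0.1) is the fix for its own 12.x branch.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}

# Constructed inventory: host names and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "epmm-a.example.internal": "12.6.1.1",
    "epmm-b.example.internal": "12.7.0.0",
    "epmm-c.example.internal": "12.5.0.3",
    "epmm-d.example.internal": "12.9.0.0",
    "epmm-e.example.internal": "not-reported",
}


def parse_version(text):
    """Turn '12.7.0.0' into (12, 7, 0, 0); pad short versions with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def classify(text):
    """Return 'vulnerable', 'patched' or 'unknown' for one version string."""
    try:
        version = parse_version(text)
    except ValueError:
        return "unknown"  # unparseable input needs a manual check
    branch = version[:2]
    if branch in FIXED:
        return "patched" if version >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        return "vulnerable"  # older than every branch that received a fix
    return "unknown"  # newer branch that the article does not mention


def triage(inventory):
    """Group hosts by status; anything not 'patched' needs follow-up."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory.items():
        result[classify(version)].append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```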

Synthesized by Vypr AI