Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
Active exploitation of a remote code execution (RCE) vulnerability in Ivanti EPMM
Ivanti EPMM Remote Code Execution Vulnerability Under Active Exploitation
TL;DR: Ivanti has disclosed CVE-2026-6973, a high-severity improper input validation flaw in Endpoint Manager Mobile (EPMM) that enables remote code execution for authenticated administrative users. The vulnerability is under active exploitation in a limited number of attacks. CISA has added it to its Known Exploited Vulnerabilities catalog, mandating patches for U.S. federal agencies by May 10, 2026. Ivanti simultaneously released patches for four additional vulnerabilities affecting the same product.
What happened
Ivanti disclosed CVE-2026-6973, a high-severity improper input validation vulnerability in EPMM. The flaw, assigned a CVSS score of 7.2, affects EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. Exploitation requires a remote, authenticated user with administrative access, and a successful exploit yields remote code execution.
Ivanti confirmed in its advisory that a limited number of customers have been exploited in the wild. The company stated: "We are aware of a very limited number of customers exploited with CVE-2026-6973."
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by adding CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) catalog. This designation triggered a binding directive requiring Federal Civilian Executive Branch (FCEB) agencies to apply patches by May 10, 2026.
Simultaneously, Ivanti released fixes for four additional vulnerabilities also affecting EPMM:
- CVE-2026-5786 (CVSS 8.8): Improper access control allowing remote authenticated attackers to gain administrative access
- CVE-2026-5787 (CVSS 8.9): Improper certificate validation enabling remote unauthenticated attackers to impersonate registered Sentry hosts and obtain valid CA-signed client certificates
- CVE-2026-5788 (CVSS 7.0): Improper access control allowing remote unauthenticated attackers to invoke arbitrary methods
- CVE-2026-7821 (CVSS 7.4): Improper certificate validation enabling remote unauthenticated attackers to enroll devices from a restricted set, resulting in information disclosure about the EPMM appliance
All five vulnerabilities affect only the on-premises EPMM product. The issues do not affect Ivanti Neurons for MDM (cloud-based unified endpoint management), Ivanti EPM (a distinct product), Ivanti Sentry, or other Ivanti products.
Why it matters
For defenders and system administrators managing EPMM deployments, these vulnerabilities present immediate operational risk. CVE-2026-6973 is particularly significant because active exploitation is confirmed, albeit limited. The requirement for administrative credentials provides some constraint on the attack surface—the attacker must first obtain valid admin credentials—but the impact of successful exploitation (remote code execution) is severe.
The inclusion of CVE-2026-6973 in CISA's KEV catalog signals heightened threat activity and creates compliance obligations for federal agencies. Organisations in regulated sectors or those supporting government operations should treat the May 10 deadline as a hard constraint.
The companion vulnerabilities extend the attack surface further. CVE-2026-5787 and CVE-2026-5788 require no authentication, lowering the barrier to entry for unauthenticated attackers. CVE-2026-5787 (certificate impersonation) and CVE-2026-7821 (device enrollment into restricted sets) are particularly concerning in environments where device identity and trust anchors are critical to zero-trust or device-centric security architectures.
SOC analysts should anticipate that attackers exploiting these flaws may chain them together: an unauthenticated attacker might use CVE-2026-5788 to invoke methods, then pivot to obtain administrative credentials for use in CVE-2026-6973 to achieve code execution.
Affected systems and CVEs
- Ivanti Endpoint Manager Mobile (EPMM) versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1
- CVE-2026-6973 (CVSS 7.2)
- CVE-2026-5786 (CVSS 8.8)
- CVE-2026-5787 (CVSS 8.9)
- CVE-2026-5788 (CVSS 7.0)
- CVE-2026-7821 (CVSS 7.4)
What to do
- Update EPMM to version 12.6.1.1, 12.7.0.1, or 12.8.0.1 or later.
- If your organisation was previously compromised by CVE-2026-1281 or CVE-2026-1340, rotate all administrative credentials. Ivanti recommends this mitigation, noting that credential rotation significantly reduces the risk of CVE-2026-6973 exploitation.
- If you are a U.S. federal agency under FCEB authority, prioritise patching to meet the May 10, 2026 deadline.
- Review access logs for suspicious administrative activity and any evidence of exploitation attempts.
- If EPMM is internet-facing or exposed to untrusted networks, consider network segmentation or access controls pending patch deployment.
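The first remediation step is knowing which appliances are still below the fixed release for their branch. The following is an added example for that triage, not Ivanti's code or tooling: it compares each EPMM version string in an inventory against the three fixed versions named in the advisory (12.6.1.1, 12.7.0.1, 12.8.0.1). The inventory format, the hostnames and the version strings are constructed for illustration; only the fixed version numbers come from the advisory. Builds on branches the advisory does not name are handled explicitly: anything older than the oldest fixed release is "prior to" all of them and is reported as needing a patch, anything newer is reported for manual review rather than assumed safe.

```python
"""Triage an EPMM asset inventory against the fixed versions from the
Ivanti advisory for CVE-2026-6973 (12.6.1.1, 12.7.0.1, 12.8.0.1).

Added example, not Ivanti's code. The (hostname, version) inventory is
constructed for illustration; only the fixed versions are from the advisory.
"""
from typing import Dict, List, Optional, Tuple

# Fixed release per supported branch, as stated in the advisory.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.6.1.0' into (12, 6, 1, 0). Pads to four components so that
    '12.6' and '12.6.0.0' compare equal. Raises ValueError on junk input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build is below its branch's fixed release, False if it is
    at or above it, None if the advisory says nothing about this branch."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return v < fixed
    # Branch not named in the advisory. Anything older than the oldest fixed
    # release is "prior to" all three and therefore affected; anything newer
    # is outside what the advisory states, so report it as unknown.
    if v < min(FIXED_BY_BRANCH.values()):
        return True
    return None


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket hosts into patch_now / patched / review (unknown or unparseable)."""
    report: Dict[str, List[str]] = {"patch_now": [], "patched": [], "review": []}
    for host, version in inventory:
        try:
            status = is_vulnerable(version)
        except ValueError:
            report["review"].append(host)
            continue
        if status is True:
            report["patch_now"].append(host)
        elif status is False:
            report["patched"].append(host)
        else:
            report["review"].append(host)
    return report


# Constructed sample inventory; hostnames and versions are illustrative.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("epmm-eu-01", "12.6.1.0"),   # one build below the 12.6 fix
    ("epmm-eu-02", "12.6.1.1"),   # exactly the 12.6 fix
    ("epmm-us-01", "12.7.0.0"),   # below the 12.7 fix
    ("epmm-us-02", "12.8.0.1"),   # exactly the 12.8 fix
    ("epmm-lab-01", "12.5.0.2"),  # older branch, prior to every fix
    ("epmm-lab-02", "12.9.0.0"),  # newer than anything the advisory names
    ("epmm-lab-03", "unknown"),   # inventory record with no usable version
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed the real inventory export into `triage()` in place of `SAMPLE_INVENTORY`; the `review` bucket is where appliances with missing or out-of-range version data land so they are not silently counted as patched.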
Open questions
- The identity of threat actors conducting the exploitation remains unknown.
- Whether any of the limited exploitation attempts were successful is not confirmed.
- The end goals of the attackers (espionage, lateral movement, persistence, disruption) have not been disclosed.
- The exact number of affected customers beyond "very limited" has not been specified by Ivanti.
Source
Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access