Full Report
Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been exploited in limited attacks in the wild. The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. It allows "a remotely authenticated user with administrative access to achieve remote code
Analysis Summary
# Vulnerability: Ivanti EPMM Remote Code Execution (CVE-2026-6973)
## CVE Details
- **CVE ID:** CVE-2026-6973
- **CVSS Score:** 7.2 (High)
- **CWE:** Improper Input Validation
## Affected Systems
- **Products:** Ivanti Endpoint Manager Mobile (EPMM) – On-premise versions only.
- **Versions:** EPMM releases before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.
- **Configurations:** This vulnerability does **not** affect Ivanti Neurons for MDM (Cloud), Ivanti EPM, Ivanti Sentry, or other Ivanti products.
## Vulnerability Description
CVE-2026-6973 is an improper input validation flaw in Ivanti EPMM. The vulnerability allows a remote attacker who has already obtained administrative credentials to bypass security checks and execute arbitrary code on the underlying operating system.
## Exploitation
- **Status:** Exploited in the wild (Limited targeted attacks reported).
- **Complexity:** Medium (Requires valid administrative credentials).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Full system access upon successful RCE).
- **Integrity:** High (Ability to modify system files and configurations).
- **Availability:** High (Ability to disrupt mobile management services).
## Remediation
### Patches
Ivanti has released the following security updates to address this flaw:
- EPMM Version 12.6.1.1
- EPMM Version 12.7.0.1
- EPMM Version 12.8.0.1
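
Because the fix ships separately on three release branches, a plain "is my version greater than 12.6.1.1" comparison misclassifies hosts such as 12.7.0.0. The following added example (not Ivanti code or code from the original report) checks an inventory of version strings branch by branch; the dotted version format, the hostnames, and the "unknown" result for branches the list above does not mention are assumptions.

```python
import re

# First fixed release on each branch, taken from the Patches list above.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}


def parse_version(text):
    """Parse 'a.b[.c[.d]]' into a 4-tuple; missing trailing parts count as 0.

    Assumption: versions are plain dotted integers with no build suffix.
    """
    match = re.fullmatch(r"\s*(\d+(?:\.\d+){1,3})\s*", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(text):
    """Return 'fixed', 'vulnerable' or 'unknown' for one EPMM version string."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED:
        # Compare only against the fix for this host's own branch.
        return "fixed" if version >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        # Older than every listed branch: "before" all fixed versions.
        return "vulnerable"
    # Branch newer than any listed fix: the list above does not cover it.
    return "unknown"


def audit(inventory):
    """Map each host to its classification; unparseable entries are flagged."""
    results = {}
    for host, version in inventory.items():
        try:
            results[host] = classify(version)
        except ValueError:
            results[host] = "unparseable"
    return results


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are illustrative).
    sample = {"epmm-a": "12.7.0.0", "epmm-b": "12.6.1.1", "epmm-c": "12.5.0.2"}
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```
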
### Workarounds
- **Credential Rotation:** Ivanti strongly recommends rotating all administrative credentials, especially if the environment was previously compromised by earlier vulnerabilities (e.g., CVE-2026-1281 or CVE-2026-1340), as leaked credentials can be used to facilitate this RCE.
- **Access Control:** Restrict administrative interface access to trusted internal networks or VPNs only.
## Detection
- **Indicators of Compromise:** Monitor for unusual administrative logins from unexpected IP addresses or at irregular times. Check system logs for unauthorized shell command executions or suspicious file modifications.
- **Detection methods and tools:** CISA has added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog. Organizations should use vulnerability scanners updated with the latest definitions for May 2026.
## References
- Ivanti Security Advisory: hxxps[://]hub[.]ivanti[.]com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US
- Ivanti Blog: hxxps[://]www[.]ivanti[.]com/blog/may-2026-epmm-security-update
- CISA KEV Catalog: hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- External Report: hxxps[://]thehackernews[.]com/2026/05/ivanti-epmm-cve-2026-6973-rce-under.html