Full Report
Ivanti security advisory (AV26-435)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM)
## CVE Details
- **CVE ID:** CVE-2026-6973 (and others referenced in the advisory)
- **CVSS Score:** Critical (Exact base score should be verified via Ivanti Hub; typical scores for this class of EPMM vulnerability range from 9.0 to 10.0)
- **CWE:** Not specified in the summary advisory (Typically related to Authentication Bypass or Remote Code Execution in EPMM)
## Affected Systems
- **Products:** Ivanti Endpoint Manager Mobile (EPMM)
- **Versions:**
  - Versions prior to 12.6.1.1
  - Versions prior to 12.7.0.1
  - Versions prior to 12.8.0.1
- **Configurations:** Default installations of the affected versions.
## Vulnerability Description
While the specific technical root cause (e.g., path traversal, command injection) is detailed in the full Ivanti security bulletin, vulnerabilities of this class typically allow an attacker to bypass authentication or execute unauthorized commands on the EPMM server. CVE-2026-6973 is specifically identified as a critical flaw requiring immediate attention.
## Exploitation
- **Status:** **Exploited in the wild.** Ivanti has confirmed active exploitation of CVE-2026-6973.
- **Complexity:** Low
- **Attack Vector:** Network (External/Remote)
## Impact
- **Confidentiality:** High (Potential access to mobile device enrollment data and user credentials)
- **Integrity:** High (Potential unauthorized modification of device policies)
- **Availability:** High (Potential for complete system takeover or service disruption)
## Remediation
### Patches
Ivanti recommends upgrading to the following versions or higher:
- **EPMM 12.6.1.1**
- **EPMM 12.7.0.1**
- **EPMM 12.8.0.1**
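To turn the affected-version ranges above and the fixed builds in this list into a repeatable inventory check, here is an added example (not code from Ivanti or the Cyber Centre). It assumes a simple `host,version` inventory format and uses constructed hostnames; the fixed versions are the three the advisory lists, and anything below 12.6.1.1 (including older branches) is treated as affected.

```python
"""Flag EPMM builds below the fixed versions listed in AV26-435."""

# Fixed build per release branch, as listed in the advisory.
FIXED_BY_BRANCH = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
OLDEST_FIXED = FIXED_BY_BRANCH[(12, 6)]


def parse_version(text: str) -> tuple:
    """Turn '12.6.1.1' or '12.7' into a 4-part tuple, zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version: str) -> bool:
    """True when the build is below the fixed build for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    # Branches older than 12.6 fall under "prior to 12.6.1.1"; branches
    # newer than 12.8 are above every fixed build the advisory names.
    return v < OLDEST_FIXED


def triage_inventory(lines) -> list:
    """Return (host, version, affected) for each 'host,version' line."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        host, version = line.split(",", 1)
        results.append((host.strip(), version.strip(), is_affected(version)))
    return results


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = """
# host,epmm_version
epmm-prod-01,12.6.1.0
epmm-prod-02,12.7.0.1
epmm-lab-01,12.5.3
epmm-dr-01,12.8.0.1
"""

if __name__ == "__main__":
    for host, ver, hit in triage_inventory(SAMPLE_INVENTORY.splitlines()):
        print(f"{host:14} {ver:10} {'AFFECTED' if hit else 'ok'}")
```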
### Workarounds
- No specific workarounds are provided in the high-level advisory; the Cyber Centre consistently recommends patching as the primary mitigation.
- Restrict access to the EPMM admin interface to trusted internal networks/VPNs.
## Detection
- **Indicators of Compromise:** Monitor for unusual administrative logins, unauthorized API calls, or unexpected file modifications in the EPMM directory.
- **Detection methods and tools:** Review EPMM internal logs and SIEM alerts for traffic originating from suspicious IP addresses targeting management ports.
## References
- Ivanti Security Advisory (Primary): hxxps[://]hub[.]ivanti[.]com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US
- Ivanti Security Bulletins: hxxps[://]forums[.]ivanti[.]com/s/searchallcontent?language=en_US#tab=All&sortCriteria=date%20descending&f-sfkbknowledgearticletypec=Security%20Advisory
- Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/ivanti-security-advisory-av26-435