Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been exploited in limited attacks in the wild. The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.
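A small inventory-triage helper, added here as an illustration and not Ivanti's own code: it decides whether a given EPMM build falls below the fixed versions the advisory names (12.6.1.1, 12.7.0.1 and 12.8.0.1). Treating each release branch separately, and reporting "unknown" for branches the advisory does not mention, is an assumption about how those three numbers are meant; confirm against the vendor text before acting on the result.

```python
"""Added example (not Ivanti's code): classify an EPMM build against the
fixed versions named in the advisory for CVE-2026-6973.

Assumption: the three fixed builds apply per release branch (12.6, 12.7,
12.8). Branches the advisory does not list return None so the caller has
to consult the vendor instead of guessing.
"""
from typing import Optional, Tuple

# First fixed build on each release branch named in the advisory.
FIXED_BUILDS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.7.0.1' into (12, 7, 0, 1); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def pad(version: Tuple[int, ...], width: int = 4) -> Tuple[int, ...]:
    """Right-pad with zeros so '12.6.1' compares as 12.6.1.0."""
    return version + (0,) * (width - len(version))


def is_affected(version: str) -> Optional[bool]:
    """True if the build predates the fix on its branch, False if it is at
    or past the fix, None if the branch is not covered by the advisory."""
    v = pad(parse_version(version))
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


if __name__ == "__main__":
    for build in ("12.6.1", "12.6.1.1", "12.7.0.0", "12.8.0.1", "12.5.2.0"):
        print(build, is_affected(build))
```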
The Vulnerability: Authenticated RCE
CVE-2026-6973 allows "a remotely authenticated user with administrative access to achieve remote code execution," Ivanti said in an advisory. This means that if an attacker has already compromised an admin account, they can execute arbitrary code on the EPMM server.
"We are aware of a very limited number of customers exploited with CVE-2026-6973. Successful exploitation requires Admin authentication. If customers followed Ivanti's recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced."
It's currently not known who is behind the exploitation efforts, if any of those attacks were successful, or what the end goals of the attacks were.
CISA Adds to KEV Catalog
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by May 10, 2026.
This is a critical designation. When CISA adds a vulnerability to the KEV catalog, it means:
- Active exploitation is confirmed: This isn't theoretical—attackers are using it
- Mandatory patching for federal agencies: FCEB must remediate by the deadline
- Private sector should prioritize: CISA's warning applies to all organizations
Four Additional Flaws Patched
Also patched by Ivanti in EPMM are four other flaws:
- CVE-2026-5786 (CVSS 8.8): Improper access control allowing remote authenticated attackers to gain administrative access
- CVE-2026-5787 (CVSS 8.9): Improper certificate validation allowing remote unauthenticated attackers to impersonate registered Sentry hosts and obtain valid CA-signed client certificates
- CVE-2026-5788 (CVSS 7.0): Improper access control allowing remote unauthenticated attackers to invoke arbitrary methods
- CVE-2026-7821 (CVSS 7.4): Improper certificate validation allowing remote unauthenticated attackers to enroll devices belonging to a restricted set of unenrolled devices, leading to information disclosure
Scope: On-Prem Only
"The issues only affect the on-prem EPMM product, and are not present in Ivanti Neurons for MDM, Ivanti's cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products," the company said.
This is an important distinction. Organizations using Ivanti's cloud-based solutions are not affected, but those running on-premises EPMM appliances must act immediately.
Reflection: The Ivanti Attack Surface
1. The Pattern of Ivanti Vulnerabilities
CVE-2026-6973 is not an isolated incident. Ivanti has been a recurring target for attackers:
- January 2026: CVE-2026-1281 and CVE-2026-1340 (zero-day RCE flaws)
- May 2026: CVE-2026-6973 (authenticated RCE under active exploitation)
The pattern suggests that Ivanti EPMM is a high-value target for threat actors. Why? Because EPMM sits at a critical junction:
- Device Management: Controls thousands of mobile endpoints
- Certificate Authority: Issues and manages device certificates
- Network Access: Often has broad network permissions for device provisioning
- Admin Privileges: Administrative access equals control over all managed devices
2. The "Authenticated" Misconception
CVE-2026-6973 requires "authenticated administrative access." Some organizations might think: "We're safe—we protect our admin accounts."
This is dangerous thinking. Consider:
- Credential Theft: Phishing, keyloggers, and memory scrapers can steal admin credentials
- Session Hijacking: Stolen session cookies bypass authentication entirely
- Insider Threats: Disgruntled employees with admin access
- Supply Chain Compromise: MSPs with admin access to multiple customer environments
"Authenticated" doesn't mean "safe." It means the attacker needs one more step before exploitation—and that step (stealing credentials) is often trivial.
3. The Credential Rotation Imperative
Ivanti's advisory explicitly states: "If customers followed Ivanti's recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced."
This is a critical insight. The attackers who exploited the January vulnerabilities likely stole admin credentials. Those credentials are now being used to exploit CVE-2026-6973.
If you were exploited in January and didn't rotate credentials, you are vulnerable now.
4. The Certificate Validation Problem
Two of the five patched vulnerabilities (CVE-2026-5787 and CVE-2026-7821) involve improper certificate validation. This is particularly concerning because:
- Certificate validation is fundamental: It's Security 101
- These bugs allow impersonation: Attackers can pose as legitimate hosts
- CA-signed certificates are involved: Trust infrastructure is compromised
When a mobile device management platform fails to validate certificates properly, it undermines the entire trust model of device enrollment and management.
Lessons for Security Teams
1. Patch Immediately
CISA's deadline is May 10, 2026. Don't wait. The fact that exploitation is "limited" now doesn't mean it will stay that way. Once a PoC circulates in criminal forums, exploitation will accelerate.
2. Rotate All Credentials
If there's any chance your EPMM admin credentials were compromised (especially during the January incidents), rotate them now. This includes:
- Local admin accounts on EPMM appliances
- Service accounts used for EPMM integration
- API keys and tokens
- Certificate credentials
3. Audit for Indicators of Compromise
Check for:
- Unexpected admin logins (especially from unusual IPs)
- Unusual certificate enrollment activity
- Unknown devices enrolled in EPMM
- Changes to EPMM configuration or policies
- Outbound connections from EPMM to unknown destinations
4. Consider Cloud Migration
Ivanti noted that these vulnerabilities only affect on-prem EPMM. Cloud-based solutions (Ivanti Neurons for MDM) are not affected. While migration is a significant undertaking, it may be worth considering for organizations that struggle with on-prem patching cadence.
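The checklist under "Audit for Indicators of Compromise" above is easy to turn into a first-pass triage script. The following is an added example, not Ivanti's code and not Ivanti's log format: the JSON-lines event shape, the sample events, the admin network, the device inventory and the outbound allow-list are all constructed here for illustration, so the parser has to be adapted to whatever your appliance actually exports. What it shows is the logic: successful admin logins from outside the expected network, enrollment of device IDs the inventory does not know, bursts of enrollments from one address, any configuration change, and outbound connections to destinations not on the allow-list.

```python
"""Added example (not Ivanti's code): triage EPMM-style audit events
against the indicators listed in the article.

Everything below the imports (event schema, sample events, allow-lists)
is constructed for illustration.
"""
import ipaddress
import json
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed baseline: where admins normally log in from, which devices
# inventory knows about, and which destinations the appliance should reach.
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
KNOWN_DEVICE_IDS = {"dev-1001", "dev-1002", "dev-1003"}
ALLOWED_OUTBOUND = {"updates.example-vendor.test", "apns.example.test"}
ENROLL_BURST_THRESHOLD = 3  # enrollments from one address before flagging

# Constructed sample events in an assumed JSON-lines shape.
SAMPLE_EVENTS = """\
{"ts":"2026-05-02T08:01:10Z","type":"admin_login","user":"jdoe","src":"10.20.4.15","result":"success"}
{"ts":"2026-05-02T23:14:02Z","type":"admin_login","user":"jdoe","src":"203.0.113.77","result":"success"}
{"ts":"2026-05-02T23:15:40Z","type":"config_change","user":"jdoe","src":"203.0.113.77","object":"ldap_settings"}
{"ts":"2026-05-02T23:16:01Z","type":"device_enroll","device_id":"dev-1002","src":"10.20.7.9"}
{"ts":"2026-05-02T23:16:05Z","type":"device_enroll","device_id":"dev-9901","src":"198.51.100.5"}
{"ts":"2026-05-02T23:16:06Z","type":"device_enroll","device_id":"dev-9902","src":"198.51.100.5"}
{"ts":"2026-05-02T23:16:07Z","type":"device_enroll","device_id":"dev-9903","src":"198.51.100.5"}
{"ts":"2026-05-02T23:20:00Z","type":"outbound_conn","dst":"updates.example-vendor.test","port":443}
{"ts":"2026-05-02T23:21:13Z","type":"outbound_conn","dst":"198.51.100.200","port":8443}
"""


@dataclass
class Finding:
    indicator: str
    detail: str
    ts: str


def parse_events(text: str) -> List[Dict]:
    """Parse JSON lines; skip blank or malformed records instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def src_is_expected(src: str) -> bool:
    """True only for a parseable address inside an expected admin network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETWORKS)


def triage(events: Iterable[Dict]) -> List[Finding]:
    findings: List[Finding] = []
    enroll_sources: Counter = Counter()
    for ev in events:
        kind, ts = ev.get("type"), ev.get("ts", "?")
        if kind == "admin_login" and ev.get("result") == "success":
            if not src_is_expected(ev.get("src", "")):
                findings.append(Finding("admin_login_unexpected_src",
                                        f"{ev.get('user')} from {ev.get('src')}", ts))
        elif kind == "config_change":
            # The article lists any config/policy change as worth reviewing.
            findings.append(Finding("config_change",
                                    f"{ev.get('object')} by {ev.get('user')} from {ev.get('src')}", ts))
        elif kind == "device_enroll":
            dev, src = ev.get("device_id", ""), ev.get("src", "")
            enroll_sources[src] += 1
            if dev not in KNOWN_DEVICE_IDS:
                findings.append(Finding("unknown_device_enrolled", f"{dev} from {src}", ts))
            if enroll_sources[src] == ENROLL_BURST_THRESHOLD:  # report once per source
                findings.append(Finding("enrollment_burst",
                                        f"{ENROLL_BURST_THRESHOLD}+ enrollments from {src}", ts))
        elif kind == "outbound_conn":
            dst = ev.get("dst", "")
            if dst not in ALLOWED_OUTBOUND:
                findings.append(Finding("outbound_unknown_dst", f"{dst}:{ev.get('port')}", ts))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per indicator for a quick overview."""
    return dict(Counter(f.indicator for f in findings))


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{f.ts} {f.indicator}: {f.detail}")
```

On the constructed sample the script flags one admin login from outside the admin network, the configuration change that followed it, three enrollments of devices not in inventory, the enrollment burst from a single address, and one outbound connection to an unlisted destination; the legitimate login, the known-device enrollment and the allow-listed connection produce nothing.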
Conclusion
CVE-2026-6973 is a reminder that authentication is not a security boundary—it's a speed bump. Once attackers have credentials, they're inside the castle walls. The only defense is rapid patching, credential rotation, and vigilant monitoring.
For Ivanti EPMM administrators, the message is clear: patch by May 10, rotate your credentials, and assume that any admin account that existed in January is already compromised. The attackers are moving fast. You need to move faster.