Ivanti has issued an urgent security advisory warning customers to patch a high-severity remote code execution flaw in Endpoint Manager Mobile (EPMM), disclosing that the vulnerability was exploited in zero-day attacks before a patch was publicly available. The vulnerability, tracked as CVE-2026-6973, stems from improper input validation in the EPMM platform and allows a remotely authenticated administrative user to execute arbitrary code on the server.
CISA simultaneously added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) catalog on May 7, 2026, placing federal agencies on a mandatory remediation clock under Binding Operational Directive 22-01.
What Is Ivanti EPMM?
Ivanti Endpoint Manager Mobile — formerly marketed as MobileIron Core — is an enterprise mobile device management (MDM) and enterprise mobility management (EMM) platform used by organizations to manage, secure, and enforce policies on mobile devices enrolled in corporate environments. It handles device enrollment certificates, application distribution, configuration profiles, and compliance enforcement.
EPMM is deployed across a wide range of sectors including government, healthcare, financial services, and critical infrastructure. Its central role in managing large fleets of mobile devices makes it a high-value target: full compromise of an EPMM server provides an attacker with visibility into and control over all managed endpoints.
Vulnerability Details
CVE-2026-6973 is an improper input validation flaw that allows a remotely authenticated administrator to achieve remote code execution. The specific technical mechanism has not been fully disclosed, in order to prevent exploitation of unpatched systems, but improper input validation vulnerabilities in server-side administrative interfaces typically allow attackers to inject malicious input that bypasses server-side checks, triggering code execution under the EPMM service account.
The requirement for administrative authentication distinguishes this from fully unauthenticated attacks but does not constitute a strong barrier. Administrative EPMM credentials are regularly targeted through:
- Phishing campaigns aimed at IT and MDM administrators
- Credential reuse from other compromised accounts
- Password spraying against exposed EPMM portals
- Insider threats from personnel with legitimate EPMM admin access
Active Zero-Day Exploitation
Ivanti confirmed that threat actors were exploiting this vulnerability in targeted attacks prior to the patch release, meeting the definition of a zero-day. Ivanti has not disclosed the identity of the threat actor(s) involved, the number of confirmed compromises, or the specific sectors targeted. Given Ivanti's history as a target for nation-state actors — including multiple campaigns by Chinese APT groups and others against Ivanti Connect Secure and prior EPMM flaws — sophisticated threat actors are considered likely perpetrators.
This follows a pattern of Ivanti products being targeted at scale. Previous zero-day campaigns against Ivanti products resulted in mass exploitation of thousands of internet-facing appliances before patches could be widely deployed.
Patch Availability and Required Action
Ivanti has released a security patch addressing CVE-2026-6973 and urges all customers to apply it immediately. Organizations running EPMM should:
- Apply the May 2026 Ivanti security patch without delay
- Check EPMM admin console access logs for anomalous administrative activity
- Review enrolled device configurations for unauthorized policy changes
- Enforce MFA on all EPMM administrative accounts
- Restrict admin console access to known management IP ranges where possible
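The log-review and IP-restriction steps above can be combined into one triage pass over the web access log. The following Python is an added example, not code from Ivanti or the advisory; the log format (Apache-style combined lines with the authenticated user field populated), the `ADMIN_PREFIX` placeholder path, the management networks, the threshold, and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (constructed): management networks, a placeholder admin URL
# prefix, and how many distinct failed usernames from one IP count as spraying.
MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.16/28")]
ADMIN_PREFIX = "/ADMIN-CONSOLE-PLACEHOLDER/"
SPRAY_THRESHOLD = 3

# Combined-log-style line: ip ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample input, not real EPMM log output.
SAMPLE_LOG = """\
10.20.0.5 - alice [07/May/2026:09:12:01 +0000] "GET /ADMIN-CONSOLE-PLACEHOLDER/devices HTTP/1.1" 200 5120
203.0.113.77 - admin [07/May/2026:02:41:10 +0000] "POST /ADMIN-CONSOLE-PLACEHOLDER/login HTTP/1.1" 401 310
203.0.113.77 - root [07/May/2026:02:41:12 +0000] "POST /ADMIN-CONSOLE-PLACEHOLDER/login HTTP/1.1" 401 310
203.0.113.77 - mdmadmin [07/May/2026:02:41:15 +0000] "POST /ADMIN-CONSOLE-PLACEHOLDER/login HTTP/1.1" 401 310
198.51.100.9 - bob [07/May/2026:03:05:44 +0000] "POST /ADMIN-CONSOLE-PLACEHOLDER/policy HTTP/1.1" 200 842
198.51.100.9 - - [07/May/2026:03:06:02 +0000] "GET /enroll HTTP/1.1" 200 1200
"""

def triage(log_text, nets=MGMT_NETS, prefix=ADMIN_PREFIX):
    """Return (successful admin requests from outside nets, spraying source IPs)."""
    outside = []
    failed_users = defaultdict(set)  # source IP -> usernames that received a 401
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        ip, user, ts, method, path, status = m.groups()
        if not path.startswith(prefix):
            continue  # only admin console requests are of interest here
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field was not an IP address (e.g. a hostname)
        if status == "401" and user != "-":
            failed_users[ip].add(user)
        if status.startswith("2") and not any(addr in n for n in nets):
            outside.append((ts, ip, user, method, path))
    spray = {ip: sorted(users) for ip, users in failed_users.items()
             if len(users) >= SPRAY_THRESHOLD}
    return outside, spray

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A successful admin request from outside the management ranges is a lead to correlate with the policy-change review in the list above, not proof of compromise on its own.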
For federal agencies, CISA's KEV inclusion mandates remediation within the deadline specified in BOD 22-01.
Broader Context: Ivanti Under Sustained Pressure
This marks another entry in Ivanti's growing list of critical vulnerabilities under active exploitation. Ivanti has faced criticism for the pace of its patch releases and for the recurring discovery of severe flaws in its remote access and endpoint management products. The company has announced enhanced security testing and architectural changes, but defenders continue to face a challenging patching cycle against motivated threat actors.
Security teams maintaining Ivanti EPMM deployments should treat any delay in applying this patch as carrying significant risk, particularly for internet-facing EPMM installations.