Ivanti has disclosed that a newly identified high-severity vulnerability in its Endpoint Manager Mobile (EPMM) platform is being actively exploited in limited attacks. The flaw, tracked as CVE-2026-6973 with a CVSS score of 7.2, is an improper input validation issue that allows remote attackers to execute code with administrative privileges on vulnerable EPMM servers.
The vulnerability was reported by The Hacker News on May 7, 2026, following Ivanti's disclosure to customers.
Vulnerability Details
| Field | Details |
|---|---|
| CVE | CVE-2026-6973 |
| CVSS Score | 7.2 (High) |
| Vulnerability Type | Improper Input Validation |
| Impact | Remote Code Execution with Admin-Level Access |
| Exploitation Status | Actively exploited in limited attacks |
| Affected Versions | EPMM before 12.6.1.1, 12.7.0.1, and 12.8.0 |
The improper input validation flaw exists in a component of EPMM that processes attacker-controlled input without adequate sanitization. Successful exploitation allows a remote threat actor to inject and execute malicious code on the EPMM server, effectively gaining administrative control over the device management platform.
What Is Ivanti EPMM?
Ivanti Endpoint Manager Mobile — formerly known as MobileIron — is an enterprise mobile device management (MDM) and unified endpoint management (UEM) platform. Organizations use EPMM to:
- Manage and enroll mobile devices (iOS, Android, Windows)
- Distribute enterprise applications and configurations
- Enforce security policies on employee-owned and corporate-issued devices
- Control access to corporate resources from mobile endpoints
EPMM servers are typically internet-facing, enabling remote devices to check in and receive policy updates. This public exposure makes them high-value targets for threat actors seeking persistent initial access into enterprise networks.
Active Exploitation
Ivanti confirmed that, at the time of disclosure, the vulnerability had been exploited in "limited attacks in the wild." This pattern — limited initial exploitation that expands rapidly after public disclosure — has been observed repeatedly with prior Ivanti CVEs. Organizations that do not patch quickly should anticipate broader exploitation as technical details and proof-of-concept code spread.
The admin-level access granted by successful exploitation means attackers can:
- Modify device enrollment and management policies
- Push malicious configurations or applications to managed devices
- Access device inventories including corporate contact data and location information
- Use the EPMM server as a pivot point to reach internal network resources
Patched Versions
Ivanti has released patched versions addressing CVE-2026-6973:
- 12.6.1.1 (for the 12.6 branch)
- 12.7.0.1 (for the 12.7 branch)
- 12.8.0 (for the 12.8 branch)
Organizations running any version of EPMM prior to these releases should upgrade immediately.
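The following Python script is an added example, not Ivanti's tooling, for checking an EPMM version inventory against the fixed releases listed above. The fixed versions (12.6.1.1, 12.7.0.1, 12.8.0) come from the advisory; the branch rules are assumptions made for the example: anything below 12.6.1.1 is treated as affected, and any branch newer than 12.8 is treated as carrying the fix. The hostnames and versions in the sample inventory are constructed.

```python
"""Flag EPMM versions that are below the fixed releases named in the advisory.

Added example for this article, not Ivanti's own tooling. The fixed versions
(12.6.1.1, 12.7.0.1, 12.8.0) are from the advisory; the branch rules are
assumptions: anything below 12.6.1.1 is treated as affected, and any branch
newer than 12.8 is treated as carrying the fix. Confirm against Ivanti's advisory.
"""

# Fixed release per branch: (major, minor) -> (comparable tuple, display string).
FIXED_BY_BRANCH = {
    (12, 6): ((12, 6, 1, 1), "12.6.1.1"),
    (12, 7): ((12, 7, 0, 1), "12.7.0.1"),
    (12, 8): ((12, 8, 0, 0), "12.8.0"),
}
OLDEST_LISTED_BRANCH = (12, 6)


def parse_version(version):
    """Turn '12.6.1' into the 4-tuple (12, 6, 1, 0) so versions compare numerically."""
    parts = version.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized EPMM version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_vulnerable(version):
    """True when the install is below the fixed release for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch][0]
    # Assumption: branches older than 12.6 have no listed fix, so treat them as
    # affected; branches newer than 12.8 are assumed to ship with the fix.
    return branch < OLDEST_LISTED_BRANCH


def required_upgrade(version):
    """Target release for an affected install; None when no upgrade is needed."""
    if not is_vulnerable(version):
        return None
    branch = parse_version(version)[:2]
    if branch in FIXED_BY_BRANCH:
        return FIXED_BY_BRANCH[branch][1]
    # Older branch: the lowest fixed release listed in the advisory is the floor.
    return FIXED_BY_BRANCH[OLDEST_LISTED_BRANCH][1]


def triage_inventory(inventory):
    """inventory: {hostname: version} -> sorted (hostname, version, target) for affected hosts."""
    affected = []
    for host, ver in inventory.items():
        target = required_upgrade(ver)
        if target:
            affected.append((host, ver, target))
    return sorted(affected)


# Constructed sample inventory for the demonstration.
SAMPLE_INVENTORY = {
    "epmm-eu-1": "12.6.0.3",
    "epmm-eu-2": "12.6.1.1",
    "epmm-us-1": "12.7.0.0",
    "epmm-lab": "12.5.2.1",
    "epmm-new": "12.8.0",
}

if __name__ == "__main__":
    for host, ver, target in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is affected, upgrade to {target}")
```

Feed `triage_inventory()` a mapping pulled from your CMDB or asset scanner; hosts that come back with a target version are the ones to schedule first.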
Ivanti's Track Record of Exploitation
CVE-2026-6973 continues a troubling pattern of critical vulnerabilities in Ivanti products being exploited before or shortly after disclosure:
| Year | CVE | Product | Notes |
|---|---|---|---|
| 2023 | CVE-2023-35078 | EPMM | Auth bypass, nation-state exploitation |
| 2024 | CVE-2024-21887 | Connect Secure | Mass exploitation by China-nexus APT |
| 2025 | CVE-2025-0282 | Connect Secure | Zero-day, CISA emergency directive |
| 2026 | CVE-2026-6973 | EPMM | This incident, active exploitation confirmed |
This pattern has prompted CISA to issue multiple emergency directives ordering federal agencies to patch Ivanti products on accelerated timelines. Organizations should treat Ivanti zero-days as near-certain to be actively exploited and plan accordingly.
Immediate Response Steps
Patch Now
- Upgrade EPMM to version 12.6.1.1, 12.7.0.1, or 12.8.0 depending on your current branch
- Apply any interim mitigations published by Ivanti if a patch cannot be applied immediately
- Restrict internet-facing access to EPMM where operationally feasible — IP allowlisting, firewall rules, or placement behind a zero-trust gateway
Investigate for Compromise
- Review EPMM access logs for unusual authentication activity, API calls, or configuration changes dating back to at least April 2026
- Check administrative accounts for unauthorized additions or privilege changes
- Audit enrolled device policies for unexpected configurations or application distributions
- Monitor for lateral movement from the EPMM server into adjacent network segments
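As an added example of the log review described in these steps (not code from Ivanti or from the original article), the script below runs a few triage rules over admin audit records: logins and sensitive changes from source addresses outside a known baseline, creation of new administrative accounts, and activity by actors that were not previously known admins, restricted to records from April 2026 onward. The line format, event names, baselines and sample records are all constructed for the demonstration; Ivanti's real EPMM log layout differs, so `parse_line()` must be adapted to what your servers actually emit.

```python
"""Triage EPMM-style admin audit records for post-exploitation indicators.

Added example for this article, not Ivanti code. The line format, field names,
event names, baselines and the sample records below are all constructed for
the demonstration; Ivanti's real EPMM log layout differs, so adapt parse_line().
"""
from collections import Counter
from datetime import datetime, timezone

# Start of the review window; the article advises going back to at least April 2026.
LOOKBACK_START = datetime(2026, 4, 1, tzinfo=timezone.utc)

# Constructed baselines: where admins normally log in from, and which admin accounts existed.
KNOWN_ADMIN_SOURCES = {"10.20.1.15"}
KNOWN_ADMINS = {"jdoe", "admin"}

# Events that change who controls the platform or what gets pushed to devices.
SENSITIVE_EVENTS = {"ADMIN_USER_CREATED", "ADMIN_ROLE_CHANGED", "CONFIG_CHANGED"}

# Constructed sample records: "<UTC timestamp> <source IP> <actor> <event> <detail>"
SAMPLE_LOG = """\
2026-03-28T09:12:04Z 10.20.1.15 jdoe ADMIN_LOGIN success
2026-04-02T02:17:41Z 198.51.100.23 admin ADMIN_LOGIN success
2026-04-02T02:18:09Z 198.51.100.23 admin ADMIN_USER_CREATED user=svc_backup role=Administrator
2026-04-02T02:19:33Z 198.51.100.23 svc_backup CONFIG_CHANGED section=app_distribution
2026-04-02T02:20:10Z 198.51.100.23 svc_backup API_CALL /api/v2/devices
2026-04-03T08:00:00Z 10.20.1.15 jdoe API_CALL /api/v2/devices
2026-04-05T11:45:12Z 10.20.1.15 jdoe CONFIG_CHANGED section=wifi_profile
"""


def parse_line(line):
    """Split one record into a dict; returns None for blank or malformed lines."""
    parts = line.strip().split(" ", 4)
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {
        "ts": ts, "ip": parts[1], "actor": parts[2], "event": parts[3],
        "detail": parts[4] if len(parts) == 5 else "",
    }


def triage(log_text, since=LOOKBACK_START):
    """Return (indicator, source_ip, context) tuples for records inside the review window."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["ts"] < since:
            continue
        unknown_source = ev["ip"] not in KNOWN_ADMIN_SOURCES
        if ev["event"] == "ADMIN_LOGIN" and unknown_source:
            findings.append(("admin_login_unknown_source", ev["ip"], ev["actor"]))
        if ev["event"] in SENSITIVE_EVENTS and unknown_source:
            findings.append(("sensitive_change_unknown_source", ev["ip"], ev["event"]))
        if ev["event"] == "ADMIN_USER_CREATED":
            findings.append(("new_admin_account", ev["ip"], ev["detail"]))
        if ev["actor"] not in KNOWN_ADMINS:
            findings.append(("unknown_actor", ev["ip"], ev["actor"]))
    return findings


def summarize(findings):
    """Count findings per indicator so a reviewer sees the shape of the activity at a glance."""
    return Counter(kind for kind, _, _ in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for kind, ip, ctx in hits:
        print(f"{kind:32} {ip:16} {ctx}")
    print(dict(summarize(hits)))
```

On the constructed sample this surfaces the sequence a responder cares about: an admin login from an unfamiliar address, a new Administrator account created moments later, and that account changing application distribution settings. A single unfamiliar source address tying those events together is the kind of cluster worth escalating before any upgrade overwrites the logs.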
Notify and Remediate
- If compromise is suspected, engage your incident response team and follow your organization's breach notification obligations
- Reset all EPMM administrative credentials as a precautionary measure
- Consider forensic preservation of EPMM logs before upgrading if compromise is suspected, to support post-incident investigation
CISA and Federal Implications
Given Ivanti's history, CVE-2026-6973 is likely to be added to CISA's Known Exploited Vulnerabilities (KEV) catalog with a short federal remediation deadline. Federal agencies and critical infrastructure operators subject to CISA Binding Operational Directives should prepare for an accelerated patching mandate.
Recommendations
Ivanti products have demonstrated consistent vulnerability to zero-day and near-zero-day exploitation. Organizations relying on EPMM or other Ivanti products should:
- Establish a dedicated Ivanti patching lane with shortened SLAs — do not treat these as routine monthly patch items
- Place EPMM behind network controls that limit the exposure surface
- Evaluate whether the operational benefits of internet-facing MDM justify the sustained risk
- Consider continuous monitoring of Ivanti's security advisory feed as a standing operational requirement
Bottom Line: CVE-2026-6973 follows the established Ivanti pattern exactly — actively exploited before broad disclosure, high-impact admin access, and internet-facing attack surface. Patch immediately and investigate your EPMM logs for signs of prior exploitation.