Critical Ivanti EPMM Vulnerability Exploited: Immediate Action Required
Ivanti has recently disclosed a significant security vulnerability in its Endpoint Manager Mobile (EPMM) software, identified as CVE-2026-6973. This high-severity flaw, with a CVSS score of 7.2, stems from improper input validation and affects EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. The vulnerability enables a remotely authenticated user with administrative privileges to execute arbitrary code on the affected system.
In an advisory released on May 7, 2026, Ivanti acknowledged that CVE-2026-6973 has been exploited in a limited number of attacks. The company emphasized that successful exploitation requires administrative authentication. Ivanti also noted that customers who followed the company’s January recommendation to rotate credentials—following the exploitation of CVE-2026-1281 and CVE-2026-1340—have a significantly reduced risk of being affected by this new vulnerability.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded by adding CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the necessary fixes by May 10, 2026, to mitigate potential threats.
In addition to CVE-2026-6973, Ivanti has addressed four other vulnerabilities in the EPMM platform:
– CVE-2026-5786 (CVSS score: 8.8): An improper access control vulnerability allowing a remote authenticated attacker to gain administrative access.
– CVE-2026-5787 (CVSS score: 8.9): An improper certificate validation vulnerability enabling a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.
– CVE-2026-5788 (CVSS score: 7.0): An improper access control vulnerability permitting a remote unauthenticated attacker to invoke arbitrary methods.
– CVE-2026-7821 (CVSS score: 7.4): An improper certificate validation vulnerability allowing a remote unauthenticated attacker to enroll a device from a restricted set of unenrolled devices, leading to information disclosure about the EPMM appliance and affecting the integrity of the newly enrolled device identity.
Ivanti clarified that these issues are exclusive to the on-premises EPMM product and do not impact Ivanti Neurons for MDM (the company’s cloud-based unified endpoint management solution), Ivanti Endpoint Manager (EPM), Ivanti Sentry, or any other Ivanti products.
Background on Previous Vulnerabilities:
This recent disclosure follows a series of security challenges for Ivanti’s EPMM platform. In January 2026, the company addressed two critical vulnerabilities—CVE-2026-1281 and CVE-2026-1340—both allowing unauthenticated remote code execution. These flaws were actively exploited as zero-days, prompting Ivanti to release rapid patches and recommend credential rotations to mitigate potential risks.
In February 2026, threat intelligence firm GreyNoise reported that 83% of exploitation attempts targeting CVE-2026-1281 originated from a single IP address associated with bulletproof hosting infrastructure. This highlighted the organized nature of the attacks and the importance of swift remediation.
Furthermore, in May 2025, Ivanti patched two vulnerabilities—CVE-2025-4427 and CVE-2025-4428—that were exploited in limited attacks to gain remote code execution. These vulnerabilities were associated with two open-source libraries integrated into EPMM, underscoring the complexities of securing third-party components within enterprise software.
Recommendations for Users:
Given the active exploitation of CVE-2026-6973 and the history of vulnerabilities within the EPMM platform, it is imperative for organizations to take the following actions:
1. Immediate Patching: Apply the latest security updates provided by Ivanti to address CVE-2026-6973 and the other identified vulnerabilities.
2. Credential Rotation: If not already done, rotate administrative credentials, especially if previous vulnerabilities (CVE-2026-1281 and CVE-2026-1340) were exploited.
3. Monitor for Indicators of Compromise (IoCs): Review system logs and network traffic for unusual activity that may indicate exploitation attempts.
4. Restrict Administrative Access: Limit administrative access to trusted personnel and implement multi-factor authentication (MFA) to enhance security.
5. Stay Informed: Regularly consult advisories from Ivanti and CISA to remain updated on potential threats and recommended mitigations.
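For the patching step, a fleet triage helper, added here as an example and not code from Ivanti or this article: it maps each appliance's reported EPMM version to the fixed build the advisory names for its branch (12.6.1.1, 12.7.0.1, 12.8.0.1) so the still-vulnerable hosts can be scheduled first. The hostnames and versions in the sample inventory are constructed, and treating branches older than 12.6 as needing an upgrade (and branches newer than 12.8 as outside this advisory) is an assumption.

```python
"""Triage helper for the Ivanti EPMM advisory described above (added example)."""

# Fixed build per branch, taken from the advisory text.
FIXED_BUILDS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}


def parse_version(text: str) -> tuple:
    """Turn '12.6.0.3' into (12, 6, 0, 3); shorter strings are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised EPMM version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version: str) -> str:
    """Classify one appliance against the advisory's fixed builds."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BUILDS:
        return "fixed" if v >= FIXED_BUILDS[branch] else "vulnerable"
    if branch > max(FIXED_BUILDS):
        # Assumption: newer branches are not addressed by this advisory.
        return "not-in-advisory"
    # Assumption: branches older than 12.6 have no listed fix and must be upgraded.
    return "upgrade-required"


def triage(inventory: dict) -> dict:
    """Group hostnames by assessment so vulnerable appliances are patched first."""
    report = {}
    for host, version in inventory.items():
        report.setdefault(assess(version), []).append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "epmm-east-01": "12.6.0.3",
    "epmm-east-02": "12.6.1.1",
    "epmm-west-01": "12.7.0.0",
    "epmm-lab-01": "12.5.2.0",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:17} {', '.join(hosts)}")
```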
By proactively addressing these vulnerabilities and adhering to best security practices, organizations can significantly reduce the risk of unauthorized access and potential data breaches.