Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access

AndyC 8 May 2026

Ravie LakshmananMay 07, 2026Vulnerability / Network Security

Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been explored in limited attacks in the wild.

Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access

Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access

Ravie LakshmananMay 07, 2026Vulnerability / Network Security

Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access

Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been explored in limited attacks in the wild.

The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.

It allows “a remotely authenticated user with administrative access to achieve remote code execution,” Ivanti said in an advisory released today.

“We are aware of a very limited number of customers exploited with CVE-2026-6973. Successful exploitation requires Admin authentication. If customers followed Ivanti’s recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced.”

It’s currently not known who is behind the exploitation efforts, if any of those attacks were successful, and what the end goals of the attacks were.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by May 10, 2026.

Also patched by Ivanti in EPMM are four other flaws –

  • CVE-2026-5786 (CVSS score: 8.8) – An improper access control vulnerability that allows a remote authenticated attacker to gain administrative access.
  • CVE-2026-5787 (CVSS score: 8.9) – An improper certificate validation vulnerability that allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.
  • CVE-2026-5788 (CVSS score: 7.0) – An improper access control vulnerability that allows a remote unauthenticated attacker to invoke arbitrary methods.
  • CVE-2026-7821 (CVSS score: 7.4) – An improper certificate validation vulnerability that allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about the EPMM appliance and impacting the integrity of the newly enrolled device identity.

“The issues only affect the on-prem EPMM product, and are not present in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products,” the company said.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

What do you feel about this?

More Stories

PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems

PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems

AndyC 8 May 2026
One Click, Total Shutdown: The

One Click, Total Shutdown: The “Patient Zero” Webinar on Killing Stealth Breaches

AndyC 8 May 2026
PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage

PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage

AndyC 8 May 2026
ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories

ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories

AndyC 8 May 2026
Day Zero Readiness: The Operational Gaps That Break Incident Response

Day Zero Readiness: The Operational Gaps That Break Incident Response

AndyC 8 May 2026
PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux

PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux

AndyC 8 May 2026

You may have missed

Smashing Security podcast #465: This developer wanted to cheat at Roblox. It cost millions

Smashing Security podcast #465: This developer wanted to cheat at Roblox. It cost millions

AndyC 8 May 2026
Smashing Security podcast #465: This developer wanted to cheat at Roblox. It cost millions

Smashing Security podcast #465: This developer wanted to cheat at Roblox. It cost millions

AndyC 8 May 2026
Smashing Security podcast #465: This developer wanted to cheat at Roblox. It cost millions

Smashing Security podcast #465: This developer wanted to cheat at Roblox. It cost millions

AndyC 8 May 2026
Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access

Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access

AndyC 8 May 2026
PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems

PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems

AndyC 8 May 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.