Vulnerability Overview
Ivanti has issued an urgent security advisory for its Endpoint Manager Mobile (EPMM) product, disclosing five vulnerabilities including one that is actively exploited in the wild. Tracked as CVE-2026-6973, the flaw is an Improper Input Validation vulnerability that allows a remotely authenticated attacker with administrative privileges to execute arbitrary code on affected EPMM servers running version 12.8.0.0 and earlier.
CISA added CVE-2026-6973 to its Known Exploited Vulnerabilities catalog today, May 7, 2026, ordering federal agencies to apply mitigations by May 10 - just three days. Ivanti confirmed that exploitation is occurring at a "very limited" number of customers but warned that advanced AI models have dramatically collapsed the time-to-exploit window from days to mere hours after public disclosure.
As BleepingComputer reported, Ivanti has high confidence that the admin credentials used to exploit CVE-2026-6973 were obtained from earlier exploitation of CVE-2026-1281 and CVE-2026-1340, two critical unauthenticated RCE flaws disclosed in January 2026. Organizations that followed Ivanti's January recommendation to rotate all EPMM admin passwords have significantly reduced exposure to this new attack. Shadowserver is currently tracking over 850 exposed EPMM instances online, with the majority in Europe (508) and North America (182).
Technical Details
CVE-2026-6973 is an Improper Input Validation vulnerability in Ivanti EPMM (formerly MobileIron) that enables a remotely authenticated user with administrative access to execute arbitrary code on the underlying server. The flaw affects all on-premises EPMM deployments running versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1.
While the vulnerability requires valid admin credentials to exploit, the Belgian Centre for Cybersecurity (CCB) highlighted that these credentials are being sourced from earlier zero-day campaigns. In January 2026, two critical unauthenticated RCE flaws (CVE-2026-1281 and CVE-2026-1340) were disclosed and widely exploited, giving attackers access to admin account passwords. Those stolen credentials are now being reused to exploit CVE-2026-6973 at organizations that never rotated their passwords.
The vulnerability only affects on-premises EPMM deployments. Ivanti Neurons for MDM (the cloud-based product), Ivanti EPM, Ivanti Sentry, and all other Ivanti products are not affected. Ivanti also disclosed four additional high-severity EPMM vulnerabilities in the same advisory, though none of those have confirmed in-the-wild exploitation.
This is not a standalone attack. Ivanti confirmed with high confidence that the admin credentials being used to exploit CVE-2026-6973 originated from the January 2026 exploitation of CVE-2026-1281 and CVE-2026-1340. Organizations that rotated all local EPMM admin passwords after the January advisory are at significantly lower risk. Those that did not should assume their admin credentials are compromised and treat CVE-2026-6973 as an active threat requiring immediate action.
Affected Versions
All on-premises EPMM deployments running versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1 are affected. Today's advisory also covers four additional CVEs disclosed alongside CVE-2026-6973, none of which have confirmed exploitation.
| CVE | CVSS | Type | Auth Required | Exploited |
|---|---|---|---|---|
| CVE-2026-6973 | 7.2 | Improper Input Validation | Yes (Admin) | Yes - Active |
| CVE-2026-5786 | 8.8 | Privilege Escalation | Yes (Low) | No |
| CVE-2026-5787 | 8.9 | Certificate Impersonation | No | No |
| CVE-2026-5788 | 7.0 | Improper Access Control | No | No |
| CVE-2026-7821 | 7.4 | Certificate Validation | No | No |
Recommendations
- Apply the EPMM security patch immediately. Update to version 12.6.1.1, 12.7.0.1, or 12.8.0.1 depending on your release train. Ivanti states the patches take seconds to apply and cause no downtime. Refer to the Ivanti security advisory for detailed installation steps.
- Rotate all EPMM admin credentials now. If you did not reset admin passwords following the January 2026 advisory for CVE-2026-1281 and CVE-2026-1340, do so immediately. Attackers are actively reusing stolen admin credentials from those earlier campaigns.
- Audit admin accounts. Review all accounts with administrative privileges on your EPMM instance. Remove unnecessary admin access, disable dormant accounts, and enforce multi-factor authentication where supported.
- Check for indicators of compromise. Previous EPMM exploitation campaigns have deployed webshells and reverse shells for persistent access. Review Apache access logs, check for unexpected processes, and search for unfamiliar files on the EPMM server. Ivanti has published analysis guidance for identifying exploitation attempts.
- Restrict network exposure. Ensure EPMM management interfaces are not directly accessible from the public internet. Place the admin portal behind a VPN or Zero Trust access solution to limit the attack surface for authenticated exploitation scenarios.
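To turn the affected-version list and the recommendations above into a repeatable per-host triage, here is a small Python helper. It is an added example, not Ivanti's code or tooling; the fixed builds come from the advisory, while the January 2026 advisory date is a placeholder assumption and the priority scheme is the author's own reading of the recommendations.

```python
from datetime import date

# Fixed builds per release train, as listed in the advisory above.
FIXED_BUILDS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
# Assumption: the page gives no exact January 2026 advisory date; placeholder, replace it.
JANUARY_ADVISORY = date(2026, 1, 31)

def parse_version(text):
    """'12.8.0.0' -> (12, 8, 0, 0); EPMM builds are four dotted integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected EPMM version format: {text!r}")
    return parts

def is_vulnerable(version):
    """True when the build predates the fixed build of its release train."""
    v = parse_version(version)
    train = v[:2]
    if train < min(FIXED_BUILDS):
        return True  # no fixed build exists for this train: must upgrade
    if train > max(FIXED_BUILDS):
        raise ValueError(f"train {train} is not covered by this advisory")
    return v < FIXED_BUILDS[train]

def triage(version, admin_rotated_on, admin_portal_exposed):
    """Return (priority, actions); admin_rotated_on is the last rotation date or None."""
    unpatched = is_vulnerable(version)
    rotated = admin_rotated_on is not None and admin_rotated_on > JANUARY_ADVISORY
    actions = []
    if unpatched:
        actions.append("patch to the fixed build of this release train")
    if not rotated:
        actions.append("rotate all local EPMM admin credentials")
        if unpatched:  # credentials stolen in January are usable right now
            actions.append("assume admin credentials are compromised; hunt for IoCs")
    if admin_portal_exposed:
        actions.append("remove admin portal from direct internet exposure")
    if unpatched and not rotated:
        priority = "critical"
    elif unpatched:
        priority = "high"
    elif not rotated or admin_portal_exposed:
        priority = "medium"
    else:
        priority = "low"
    return priority, actions
```

Feed it your EPMM inventory (version, last admin rotation date, whether the admin portal is reachable from the internet) and work the "critical" hosts first.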
Context
This marks the third wave of zero-day exploitation against Ivanti EPMM in less than 18 months. In 2023, CVE-2023-35078 and CVE-2023-35082 were exploited to breach government agencies worldwide, with some attacks attributed to Chinese state-sponsored threat groups. In January 2026, CVE-2026-1281 and CVE-2026-1340 triggered another round of widespread exploitation that included webshell deployment and cryptominer installation. Now, CVE-2026-6973 represents a direct continuation of that January campaign - attackers are weaponizing previously stolen credentials to maintain access.
CISA has now flagged 33 Ivanti vulnerabilities as exploited in the wild, with 12 of those abused by various ransomware operations. The three-day CISA KEV deadline - May 10, 2026 - is among the shortest remediation windows the agency has ever issued, reflecting the severity and active exploitation of this vulnerability. The consistent targeting of EPMM underscores its high-value position in enterprise mobile device management infrastructure, where a single compromised MDM server can provide attackers with control over an organization's entire mobile fleet.