CVE-2026-6973 (a high-severity remote code execution flaw in Ivanti Endpoint Manager Mobile — the on-premises mobile device management platform used by government agencies and enterprises worldwide) is under active exploitation in targeted attacks, Ivanti confirmed on May 8, 2026. The vulnerability carries a CVSS v3.1 score of 7.2 (rated High — CVSS, or Common Vulnerability Scoring System, uses a 0–10 scale where 7.0–8.9 indicates a High severity flaw), affects all EPMM releases prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1, and was added to CISA's Known Exploited Vulnerabilities catalog on May 7 with a federal patching deadline of May 10.
CVE-2026-6973: Technical Details
CVE-2026-6973, classified under CWE-20 (Improper Input Validation — a class of flaw where software fails to verify that input conforms to expected types, lengths, or formats before processing it), allows an authenticated user with administrator privileges to execute arbitrary commands on the underlying server. Remote code execution (RCE) means an attacker can run any command on the target system without physical access, which in the context of an MDM server typically leads to full control of the platform and access to all managed device profiles and credentials.
Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, is an on-premises MDM platform used by government agencies, healthcare organizations, and large enterprises. It centrally manages and enforces security policy on mobile devices — smartphones, tablets, and laptops — connected to corporate infrastructure. EPMM is frequently internet-accessible by design so that remote devices can check in, which increases its exposure as an attack surface.
CVE-2026-6973 requires an attacker to already hold admin-level credentials within the EPMM console. The vulnerability is not a pre-authentication exploit, which limits opportunistic mass-scanning attacks. However, the history of EPMM exploitation shows that nation-state actors are well-resourced enough to obtain admin credentials through phishing, credential stuffing, or chaining with lower-severity unauthenticated bugs.
Affected version ranges:
- All Ivanti EPMM 12.6.x releases before 12.6.1.1
- All Ivanti EPMM 12.7.x releases before 12.7.0.1
- All Ivanti EPMM 12.8.x releases before 12.8.0.1
On-premises deployments only. Ivanti Neurons for MDM (the cloud-hosted successor platform) is not affected.
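As an added example (not Ivanti's tooling and not code from this advisory), the following Python script applies the ranges above to a host inventory. It encodes only the three fixed releases listed here; version strings are assumed to be plain dotted numerics as reported by the appliance, and the hostnames in the sample inventory are constructed. Builds on branches older than 12.6, for which no fixed release is listed, are reported separately so they are upgraded onto a patched branch rather than dismissed, and anything that does not parse is reported as UNKNOWN rather than silently passed.

```python
"""Assess on-premises EPMM builds against the CVE-2026-6973 affected ranges.

Added example, not Ivanti's code. Only the fixed releases the advisory
lists (12.6.1.1, 12.7.0.1, 12.8.0.1) are encoded. Version strings are
assumed to be dotted numerics such as "12.7.0" or "12.6.1.1".
"""
from typing import Dict, List, Tuple

# First fixed release on each branch the advisory covers, keyed by (major, minor).
FIXED: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
OLDEST_FIXED = min(FIXED.values())  # (12, 6, 1, 1)


def parse_version(s: str) -> Tuple[int, ...]:
    """'12.7.0' -> (12, 7, 0, 0). Pads to four components so that plain
    tuple comparison behaves like a numeric version comparison."""
    parts = tuple(int(p) for p in s.strip().split("."))
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {s!r}")
    return parts + (0,) * (4 - len(parts))


def assess(version: str) -> str:
    """Return AFFECTED, FIXED, AFFECTED-UNLISTED-BRANCH or UNKNOWN."""
    try:
        v = parse_version(version)
    except ValueError:
        return "UNKNOWN"
    branch = v[:2]
    if branch in FIXED:
        return "FIXED" if v >= FIXED[branch] else "AFFECTED"
    if v < OLDEST_FIXED:
        # Older branch: no fix is listed for it and the build predates every
        # fixed release, so it has to move to a patched branch.
        return "AFFECTED-UNLISTED-BRANCH"
    # Newer than any branch the advisory names: not known to be affected,
    # but check the current advisory rather than assume.
    return "UNKNOWN"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by assessment. inventory maps hostname -> version."""
    out: Dict[str, List[str]] = {}
    for host, ver in inventory.items():
        out.setdefault(assess(ver), []).append(host)
    return out


# Constructed sample inventory (hostnames are not real).
SAMPLE = {
    "epmm-eu1": "12.6.1.0",
    "epmm-eu2": "12.6.1.1",
    "epmm-us1": "12.7.0",
    "epmm-us2": "12.8.0.1",
    "epmm-lab": "12.5.2",
    "epmm-bad": "12.x",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Feed it the version strings from your own inventory; anything reported as UNKNOWN should be resolved by hand rather than treated as patched.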
CVE-2026-6973 is part of a five-CVE patch bundle published in Ivanti's May 2026 EPMM Security Update. The full set of patched vulnerabilities:
| CVE | CVSS v3.1 | Severity | Type |
|-----|-----------|----------|------|
| CVE-2026-5787 | 8.9 | High | Improper Certificate Validation |
| CVE-2026-5786 | 8.8 | High | Improper Access Control (privilege escalation) |
| CVE-2026-7821 | 7.4 | High | Improper Certificate Validation (Apple DEP) |
| CVE-2026-6973 | 7.2 | High | Improper Input Validation → RCE |
| CVE-2026-5788 | 7.0 | High | Improper Access Control (unauthenticated method invocation) |
CVE-2026-5788 is particularly notable alongside CVE-2026-6973: it allows unauthenticated arbitrary method invocation, meaning an attacker without any credentials could potentially use it to establish a foothold before leveraging CVE-2026-6973 for full code execution. Ivanti has not publicly confirmed whether observed in-the-wild exploitation chains multiple CVEs, but the two together represent a plausible authentication-bypass-to-RCE path.
Exploitation Status and Threat Landscape
Ivanti confirmed in its May 2026 advisory that CVE-2026-6973 has been exploited in "very limited" targeted attacks. CISA added it to the Known Exploited Vulnerabilities catalog on May 7, 2026, triggering a mandatory patching requirement under BOD 22-01 (Binding Operational Directive 22-01 — a U.S. federal directive requiring all Federal Civilian Executive Branch agencies to remediate KEV-listed vulnerabilities within defined timeframes). The FCEB deadline is May 10, 2026 — a three-day remediation window that signals CISA's assessment of active risk.
No public PoC (Proof-of-Concept — working exploit code published for researchers or attackers to use directly) has been identified for CVE-2026-6973. The "targeted attacks" characterization, rather than mass-scanning activity, is consistent with a sophisticated state-sponsored actor selectively exploiting high-value targets rather than automated exploitation across the internet.
Earlier in 2026, two related EPMM vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — were exploited by China-attributed and Iran-attributed APT (Advanced Persistent Threat — nation-state or state-sponsored hacking groups conducting long-term targeted intrusions) groups, with approximately 100 confirmed victims including government agencies in Europe and the United States. The Dutch Data Protection Authority and the Dutch Council for the Judiciary were among the publicly identified targets. The targeting profile for CVE-2026-6973 is consistent with this pattern.
Ivanti noted that organizations that followed January 2026 guidance to rotate credentials after the CVE-2026-1281 and CVE-2026-1340 campaign have "significantly reduced" exposure to the current CVE-2026-6973 exploitation, suggesting that actors may be reusing previously harvested admin credentials to trigger this vulnerability.
The most applicable MITRE ATT&CK technique for the EPMM intrusions as a whole is T1190 (Exploit Public-Facing Application — adversaries exploit weaknesses in internet-facing services to gain initial access to a target network). Because CVE-2026-6973 itself requires administrator credentials, T1078 (Valid Accounts) covers the credential stage that must precede it, whether those credentials were phished, replayed from the January campaign, or obtained through an unauthenticated flaw. Post-exploitation activity in prior EPMM incidents included credential harvesting, lateral movement via EPMM device management APIs, and deployment of web shells on the EPMM server.
Who Is Affected
Any organization running Ivanti EPMM on-premises at a version earlier than 12.6.1.1, 12.7.0.1, or 12.8.0.1 is at risk. Cloud-hosted Ivanti Neurons for MDM customers are not affected.
Government agencies represent the highest-priority cohort. Prior EPMM exploitation campaigns specifically targeted U.S. and European government networks. Healthcare organizations and critical infrastructure operators using EPMM for device management should treat this as a priority patch given the platform's privileged role in managing network access and device authentication.
Even organizations that were not targeted in the limited current exploitation wave should patch immediately. The KEV listing and the absence of a public PoC reflect an early phase: once exploit code circulates more widely, the pool of attackers expands from nation-state operators working a short target list to opportunistic criminal actors scanning every exposed instance.
What You Should Do Right Now
- Patch immediately. Upgrade to Ivanti EPMM 12.6.1.1, 12.7.0.1, or 12.8.0.1 from the Ivanti download portal. Federal civilian agencies must comply by May 10, 2026 per CISA's BOD 22-01 mandate.
- Apply the full May 2026 bundle. Do not patch CVE-2026-6973 in isolation: the same update addresses CVE-2026-5788, whose unauthenticated method invocation is the plausible entry point for a chain that ends in CVE-2026-6973.
- Audit admin accounts. CVE-2026-6973 requires administrative credentials. Enumerate all accounts with admin privileges in the EPMM console, disable unnecessary accounts, and immediately rotate passwords and API tokens for all admin users.
- Restrict network exposure. If your EPMM admin interface is directly reachable from the internet, move it behind a VPN or restrict access to known management IP ranges. Device check-in traffic (from managed endpoints) should be the only internet-exposed EPMM surface.
- Review EPMM server logs for compromise indicators. Look for unusual admin API calls, configuration changes, unexpected service installations, or outbound connections from the EPMM host to external IP addresses. Check for web shells in the EPMM web root, for example by listing JSP files modified after the server configuration file (adjust the paths to your installation). Run this before upgrading, because the upgrade rewrites configuration files and resets the reference timestamp, and copy the web root first if you need to preserve evidence. A shell can be dropped under a different extension or with a back-dated timestamp, so a timestamp listing is a first pass, not a clean bill of health:
find /opt/mifs -type f -name "*.jsp" -newer /opt/mifs/server/conf/server.xml
- Rotate credentials if CVE-2026-1281 affected you. If your organization was targeted in the January 2026 EPMM exploitation campaign and did not complete full credential rotation at the time, do so now alongside patching — Ivanti's advisory implies attackers may be replaying previously captured admin credentials.
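The find command above is a timestamp listing only. As an added example that is not part of the advisory, the following Python script extends it: it walks the web root, flags JSP files that are newer than the reference file, and independently flags files whose content carries generic web-shell markers (OS command execution, dynamic class loading), so a back-dated shell still surfaces. The default paths repeat the advisory's /opt/mifs assumption and should be adjusted to your installation; the marker patterns are generic JSP web-shell heuristics, not signatures for any specific EPMM intrusion; and the sample tree built by demo() is constructed in a temporary directory, not taken from a real appliance.

```python
#!/usr/bin/env python3
"""Hunt for JSP web shells under an EPMM web root.

Added example, not Ivanti's tooling. Assumptions:
  - WEB_ROOT and REFERENCE default to the paths used in the advisory's
    find command; adjust them to your installation;
  - MARKERS are generic JSP web-shell indicators, not signatures for any
    particular EPMM intrusion.
"""
import os
import re
import tempfile
import time
from pathlib import Path

WEB_ROOT = Path("/opt/mifs")                          # assumption
REFERENCE = Path("/opt/mifs/server/conf/server.xml")  # assumption
SUSPECT_EXT = {".jsp", ".jspx", ".jspf"}

# (label, regex): command execution, class loading, reflection, and
# request-driven input. Request input on its own is normal JSP and is only
# reported when it appears next to one of the other primitives.
MARKERS = [
    ("os-exec", re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec|ProcessBuilder\s*\(")),
    ("class-load", re.compile(r"defineClass\s*\(|URLClassLoader\s*\(")),
    ("reflection", re.compile(r"Class\s*\.\s*forName\s*\(.*getMethod")),
    ("request-driven", re.compile(r"request\s*\.\s*get(Parameter|Header)\s*\(")),
]


def classify(path: Path, reference_mtime: float):
    """Return the reasons this file looks suspicious (empty list = clean)."""
    reasons = []
    if path.stat().st_mtime > reference_mtime:
        reasons.append("newer-than-reference")
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return reasons
    hits = [label for label, rx in MARKERS if rx.search(text)]
    if hits == ["request-driven"]:
        hits = []  # a page that merely reads a parameter is not a shell
    reasons.extend(hits)
    return reasons


def scan_webroot(root=WEB_ROOT, reference=REFERENCE):
    """Walk root and return {relative path: [reasons]} for suspicious JSP files."""
    ref_mtime = reference.stat().st_mtime
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SUSPECT_EXT:
                continue
            reasons = classify(p, ref_mtime)
            if reasons:
                findings[str(p.relative_to(root))] = reasons
    return findings


def demo():
    """Run the scan over a constructed sample tree (not real EPMM files)."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "server/conf").mkdir(parents=True)
    (tmp / "webapps/mifs").mkdir(parents=True)
    old = time.time() - 86400 * 30
    ref = tmp / "server/conf/server.xml"
    ref.write_text("<Server/>")
    os.utime(ref, (old + 3600, old + 3600))
    # Legitimate page: older than the reference, only reads a parameter.
    benign = tmp / "webapps/mifs/login.jsp"
    benign.write_text('<% String u = request.getParameter("user"); %>')
    os.utime(benign, (old, old))
    # Dropped shell: newer than the reference and executes request data.
    shell = tmp / "webapps/mifs/help.jsp"
    shell.write_text('<% Runtime.getRuntime().exec(request.getParameter("c")); %>')
    # Back-dated shell: timestamp check misses it, content check does not.
    dormant = tmp / "webapps/mifs/x.jspx"
    dormant.write_text('<% new ProcessBuilder("sh").start(); %>')
    os.utime(dormant, (old, old))
    return scan_webroot(tmp, ref)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path}: {', '.join(reasons)}")
```

On a real host, call scan_webroot() with no arguments (or with your own paths) and review every hit by hand; the content markers are deliberately broad and will also match legitimate administrative JSPs, which is acceptable for a triage pass where a missed shell costs far more than a false positive.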
Background: Understanding the Risk
Ivanti EPMM has become one of the most consistently targeted enterprise products of the last three years, with at least seven significant CVEs exploited in the wild since 2023. The root of the problem is structural: MDM platforms occupy a uniquely privileged position in enterprise networks. Managed devices trust them implicitly, and EPMM sits at the intersection of network access control and device identity. An attacker who owns the EPMM server can push malicious configuration profiles to every managed mobile device in an organization, intercept authentication tokens, and enumerate the full device and user inventory — a reconnaissance advantage that is extremely valuable for long-term espionage operations.
Nation-state groups targeting EPMM are not interested in ransomware payouts. Their goal is persistent, undetected access to the full list of mobile endpoints and their associated credentials. In government networks where mobile devices access classified networks, VPNs, and email, this translates directly to intelligence-collection capability.
The structural challenge is that EPMM must be reachable by mobile devices to function, which means it will always carry some degree of internet exposure. The mitigation is layered: keep it patched, isolate the admin plane from the data plane, enforce admin MFA, and treat the EPMM server as a Tier-0 asset (the most security-critical category of infrastructure, deserving the same access controls as domain controllers and identity providers).
CISA's decision to list CVE-2026-6973 on the KEV catalog — despite "very limited" current exploitation — reflects a forward-looking assessment: every prior EPMM zero-day has followed a trajectory from targeted government exploitation to broad criminal adoption within weeks of public disclosure.
Conclusion
CVE-2026-6973 is an actively exploited RCE flaw in Ivanti EPMM affecting all on-premises deployments before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. Federal agencies must patch by May 10 under CISA's KEV mandate; all other organizations should treat the full May 2026 bundle as an emergency upgrade given EPMM's consistent role as a nation-state intrusion target.
For any query contact us at contact@cipherssecurity.com

