CVE-2026-6973: Ivanti EPMM Zero-Day Exploited, 850+ Servers Exposed

Ivanti has disclosed and patched CVE-2026-6973, a remote code execution (RCE — the ability for an attacker to run arbitrary commands on a target system) vulnerability in Ivanti Endpoint Manager Mobile (EPMM — Ivanti's mobile device management platform used by enterprises and government agencies to manage and secure smartphones, tablets, and laptops) that is being actively exploited in zero-day attacks. The flaw stems from insufficient input validation and allows attackers with administrative credentials to execute arbitrary code on the server. Patches are available now in EPMM versions 12.6.1.1, 12.7.0.1, and 12.8.0.1; Shadowserver tracked more than 850 internet-exposed EPMM deployments globally as of this week, each representing a potential target.

CVE-2026-6973: Technical Details

CVE-2026-6973 is classified as an improper input validation vulnerability — a category of bug where software accepts input without adequately checking that it conforms to expected formats, lengths, or values. In EPMM's case, attackers can supply specially crafted requests to an administrative interface, causing the underlying application to interpret malicious data as executable instructions — a code injection technique.

CVSS (Common Vulnerability Scoring System) details have not been publicly stated for CVE-2026-6973 at time of writing. Ivanti characterizes the vulnerability as "high-severity." The exploitation requirement of administrative authentication (an attacker must have valid admin credentials to the EPMM console before exploitation becomes possible) distinguishes this vulnerability from fully unauthenticated RCE flaws like Ivanti's earlier CVE-2026-1281 and CVE-2026-1340 (CVSS 9.8, discovered and exploited in January 2026). The admin-auth prerequisite meaningfully reduces the attack surface compared to those earlier vulnerabilities, but does not eliminate risk: credential theft, phishing of admin accounts, and credential reuse from prior breaches are all realistic paths to admin access on an EPMM deployment.

The vulnerability affects only on-premises EPMM deployments. Cloud-based Ivanti Neurons for MDM and other Ivanti cloud products are not affected. This distinction matters: many enterprises that have migrated to cloud-based MDM are not exposed, but organizations retaining on-premises EPMM — common in government, healthcare, and highly regulated industries — are at risk.

Ivanti released patches for CVE-2026-6973 as part of a broader security update that also addresses four additional high-severity vulnerabilities in EPMM. The full list of co-patched issues has not been publicly detailed at time of writing, but their co-release with a zero-day patch underscores the importance of this update.

Exploitation Status and Threat Landscape

Ivanti confirmed in its advisory that exploitation of CVE-2026-6973 has been observed: "At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973." The qualifier "very limited" is consistent with early-stage zero-day exploitation — attackers with knowledge of the vulnerability targeting specific high-value systems before broader exploitation capability diffuses across the threat actor ecosystem.

This pattern — initial limited exploitation expanding rapidly after public disclosure — has played out repeatedly with Ivanti vulnerabilities. CVE-2026-1281 and CVE-2026-1340 saw exploitation spread globally within days of their January 2026 disclosure, with GreyNoise recording 417 exploitation sessions in a single nine-day period. Ivanti's EPMM product has been the subject of sustained attacker interest since 2023, when CVE-2023-35078 and CVE-2023-35082 were exploited as zero-days, including by nation-state actors in the attacks on Norwegian government ministries, making it a known and actively targeted platform.

Shadowserver (a non-profit security organization that conducts internet-wide scanning and operates a threat intelligence sharing platform) has scanned the public internet and identified more than 850 EPMM deployments accessible from the internet, with the majority concentrated in Europe (508 instances) and North America (182 instances). Each of these is a potential target for attackers who either already have admin credentials or can obtain them through phishing or credential stuffing.

Who Is Affected

All on-premises EPMM deployments running version 12.8.0.0 or earlier are affected by CVE-2026-6973, including EPMM 12.5.x, 12.6.x, 12.7.x, and 12.8.0.0. Note that fixed builds are published only for the 12.6, 12.7, and 12.8 branches: a 12.5.x or older deployment has no patched release on its own branch and must be upgraded to one of those branches.

Organizations most likely to be running on-premises EPMM include:

  • Government agencies: Federal, state, and local government entities that manage large fleets of employee mobile devices
  • Healthcare organizations: Hospitals and health systems managing clinical mobile devices under strict data sovereignty requirements
  • Financial services: Banks and insurers with regulatory requirements that limit cloud data processing
  • Defense contractors: Organizations handling controlled unclassified information (CUI) or classified data on mobile endpoints

Ivanti EPMM (formerly MobileIron Core) has a substantial government customer base — it was used by the Norwegian government at the time of the 2023 zero-day exploits. This makes CVE-2026-6973 particularly relevant for public sector security teams.

What You Should Do Right Now

  • Upgrade EPMM immediately to one of the patched versions, downloaded from the Ivanti customer portal using your support credentials:
      • EPMM 12.6.x → upgrade to 12.6.1.1
      • EPMM 12.7.x → upgrade to 12.7.0.1
      • EPMM 12.8.0.0 → upgrade to 12.8.0.1
      • EPMM 12.5.x and older → no fixed build is listed for these branches; upgrade to one of the patched branches above

  • Audit administrative accounts: Patching closes the bug but does not evict an attacker who already holds valid admin credentials, so review all EPMM administrator accounts as part of the same response. Remove any accounts that should not have admin access, reset passwords for all active admin accounts, and enable multi-factor authentication (MFA — requiring a second verification factor beyond a password, such as a time-based code or push notification) on the admin console if not already enforced.
  • Review EPMM access logs for evidence of exploitation: Look for unusual admin logins (unexpected source IP addresses, off-hours access, service accounts logging in interactively, a burst of failed logins followed by a success), API calls with unusual payloads, and unexpected configuration changes in the days and weeks preceding this disclosure. A baseline of the addresses and hours your administrators normally work from makes these outliers much easier to spot.
  • Remove internet exposure where possible: If your EPMM deployment is accessible from the internet, evaluate whether that access is necessary. Restricting administrative console access to VPN or trusted network segments eliminates the ability to exploit this vulnerability remotely without prior network access. Managed devices still need to reach EPMM's device-facing endpoints, so scope the restriction to the admin console rather than the whole host.
  • Monitor for Ivanti's updated security advisories: Ivanti is expected to release additional detail on the four co-patched high-severity vulnerabilities. Ensure you are subscribed to Ivanti security advisories.
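As an added example (not Ivanti's tooling and not code from this article), the following Python script carries out two parts of the checklist above together with the affected-version rule from "Who Is Affected": it maps an EPMM version string to the fixed build it should move to, and it scans admin-console login records for the signals listed (source addresses outside trusted ranges, off-hours logins, service accounts used interactively, a burst of failures followed by a success). The login record format, field names, trusted network range and business-hours window are all assumptions made for illustration; EPMM's real audit export looks different, so the regular expression must be adapted to your own logs.

```python
"""Triage helper for CVE-2026-6973 in Ivanti EPMM.

Added example, not Ivanti's code. Two checks:
  1. assess_version(): is this EPMM build affected, and which fixed build applies?
  2. triage_logins():  flag admin-console logins matching the review checklist.
The login record layout below is constructed for this example; the real EPMM
audit log format and field names are assumptions, so adapt LOG_RE to your export.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# Fixed builds per branch, as listed in the advisory summary above.
FIXED_BUILDS = {"12.6": "12.6.1.1", "12.7": "12.7.0.1", "12.8": "12.8.0.1"}
# Highest affected build; branches with no fixed build (12.5.x and older)
# are affected up to and including this.
LAST_AFFECTED = (12, 8, 0, 0)


def parse_version(v: str) -> tuple[int, ...]:
    """'12.6.1' -> (12, 6, 1, 0); tolerates suffixes such as '-build3'."""
    nums = [int(n) for n in re.findall(r"\d+", v)][:4]
    return tuple(nums + [0] * (4 - len(nums)))


def assess_version(v: str) -> tuple[bool, str | None]:
    """Return (affected, fixed_build_to_install_or_None).

    12.6.1.1 sorts below 12.8.0.0 numerically but is a fixed build, so the
    rule is per branch: affected if older than that branch's fixed build;
    on a branch with no fixed build, affected if <= 12.8.0.0.
    """
    ver = parse_version(v)
    branch = f"{ver[0]}.{ver[1]}"
    if branch in FIXED_BUILDS:
        affected = ver < parse_version(FIXED_BUILDS[branch])
        return affected, FIXED_BUILDS[branch] if affected else None
    return ver <= LAST_AFFECTED, None


# Constructed record shape: ISO-8601 UTC time, user, source IP, result.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


@dataclass
class Finding:
    line: str
    reasons: list[str]


def triage_logins(lines, trusted_nets, business_hours=(7, 19), service_prefix="svc-"):
    """Return a Finding for each successful admin login that matches a review signal.

    Only successes are reported: exploiting CVE-2026-6973 needs a working admin
    session. A success after >= 3 consecutive failures for the same user is
    flagged as a credential-stuffing indicator.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    consecutive_failures: dict[str, int] = {}
    findings: list[Finding] = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # unparseable line: skip rather than silently mis-classify
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user, src, result = m["user"], m["src"], m["result"]
        reasons = []
        if not any(ipaddress.ip_address(src) in n for n in nets):
            reasons.append(f"source {src} outside trusted networks")
        if not business_hours[0] <= ts.hour < business_hours[1]:
            reasons.append(f"off-hours login at {ts:%H:%M} UTC")
        if user.startswith(service_prefix):
            reasons.append(f"interactive console login by service account {user}")
        prior = consecutive_failures.get(user, 0)
        if result == "SUCCESS" and prior >= 3:
            reasons.append(f"success after {prior} failed attempts (credential stuffing?)")
        consecutive_failures[user] = 0 if result == "SUCCESS" else prior + 1
        if result == "SUCCESS" and reasons:
            findings.append(Finding(raw.strip(), reasons))
    return findings


# Constructed sample input (not real EPMM logs).
SAMPLE_LOG = """\
2026-03-02T09:14:07Z user=jdoe src=10.20.30.40 result=SUCCESS
2026-03-02T23:41:52Z user=jdoe src=203.0.113.77 result=SUCCESS
2026-03-03T10:02:11Z user=svc-backup src=10.20.30.41 result=SUCCESS
2026-03-03T10:05:00Z user=admin src=198.51.100.9 result=FAILURE
2026-03-03T10:05:03Z user=admin src=198.51.100.9 result=FAILURE
2026-03-03T10:05:06Z user=admin src=198.51.100.9 result=FAILURE
2026-03-03T10:05:09Z user=admin src=198.51.100.9 result=SUCCESS
"""
TRUSTED_NETS = ["10.20.30.0/24"]  # assumed management network

if __name__ == "__main__":
    for build in ("12.5.2.0", "12.7.0.0", "12.8.0.0", "12.8.0.1"):
        print(build, assess_version(build))
    for f in triage_logins(SAMPLE_LOG.splitlines(), TRUSTED_NETS):
        print(f.line, "->", "; ".join(f.reasons))
```

On the constructed sample the script reports three logins: the off-hours login by jdoe from an untrusted address, the interactive login by the svc-backup account, and the admin success that follows three failures from an untrusted address. Failed attempts on their own are not reported, since exploitation requires an authenticated session; widen that filter if you also want to see the attempts that did not get in.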

Background: Understanding the Risk

Ivanti's EPMM product has had a troubled recent security history, and CVE-2026-6973 continues a pattern that security teams managing Ivanti deployments should understand at a structural level. The product manages mobile devices at scale — including the credentials, certificates, and VPN configurations stored on those devices. Compromising EPMM doesn't just affect the server itself; it provides a platform to compromise every managed endpoint and potentially to pivot into corporate networks through the management channel.

The history of EPMM exploitation includes:

  • CVE-2023-35078 and CVE-2023-35082 (2023): Authentication-bypass zero-days; CVE-2023-35078, chained with a path-traversal flaw, was exploited by nation-state actors in July 2023 to compromise Norwegian government ministries
  • CVE-2026-1281 and CVE-2026-1340 (January 2026): Unauthenticated RCE zero-days (CVSS 9.8) exploited in the wild before patches were available, with CISA KEV inclusion and exploitation attempts traced to bulletproof hosting infrastructure

This track record means that unpatched EPMM servers are a known, recurring target for sophisticated threat actors — not a theoretical risk. Organizations running Ivanti products should subscribe to Ivanti's security advisories and establish fast-track patching procedures for this vendor specifically.

The admin-auth requirement in CVE-2026-6973 is a partial mitigation compared to earlier unauthenticated vulnerabilities, but it should not create false comfort. Admin credential compromise is a well-established initial access vector, and EPMM admin portals that are internet-exposed without MFA represent a realistic credential-theft-to-exploitation chain.

Conclusion

CVE-2026-6973 is an actively exploited RCE zero-day in Ivanti EPMM affecting all on-premises versions up to 12.8.0.0. Patches are available now in versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. With 850+ EPMM servers publicly exposed and Ivanti's history of sustained nation-state attacker interest, organizations should apply this patch as an emergency, and audit admin credentials and access logs as part of the same response.

For any query contact us at contact@cipherssecurity.com
