Ivanti EPMM CVE-2026-6973 Allows RCE with Admin Credentials, Under Active Exploitation
Summary
CVE-2026-6973 is a high-severity vulnerability (CVSS 7.2) affecting Ivanti Endpoint Manager Mobile (EPMM) that allows remote code execution (RCE) for authenticated administrative users. Ivanti has confirmed that this flaw is being actively exploited in a very limited number of customer environments. Successful exploitation requires valid administrative credentials. Given the confirmed active exploitation and the potential for complete system compromise, CISA has issued an emergency directive mandating that all affected federal organizations apply the necessary patches by 10 May 2026. No public exploit code is available at time of writing.
Affected Systems and/or Applications
Ivanti Endpoint Manager Mobile (EPMM):
- Versions prior to 12.6.1.1
- Versions prior to 12.7.0.1
- Versions prior to 12.8.0.1
Only Ivanti's EPMM product is affected; Ivanti Neurons for MDM, Ivanti EPM (similar name, different product), and other Ivanti products are unaffected.
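The fixed builds are per release branch, so a plain "greater than 12.6.1.1" comparison wrongly clears 12.7.0.0 and 12.8.0.0. The following check is an added example, not Ivanti or CFC tooling. It assumes version strings of the form `12.7.0.0` (optionally followed by build text), treats branches older than 12.6 as vulnerable and branches newer than 12.8 as fixed, and uses constructed host names.

```python
import re

# Fixed builds per release branch, taken from the advisory text.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}

def parse_version(text):
    """Return a 4-part integer tuple from a string such as '12.7.0.0'."""
    m = re.search(r"\d+(?:\.\d+){1,3}", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def assess(text):
    """Classify one EPMM version: (status, build to upgrade to or None)."""
    ver = parse_version(text)
    branch = ver[:2]
    oldest, newest = min(FIXED), max(FIXED)
    if branch > newest:
        # Assumption: "or a later release" covers branches after 12.8.
        return ("fixed", None)
    if branch < oldest:
        # No fixed build is listed for this branch; move to a fixed branch.
        return ("vulnerable", FIXED[oldest])
    fix = FIXED[branch]
    return ("fixed", None) if ver >= fix else ("vulnerable", fix)

def audit(inventory):
    """Return (host, version, target build) for every vulnerable appliance."""
    findings = []
    for host, version in inventory.items():
        status, target = assess(version)
        if status == "vulnerable":
            findings.append((host, version, ".".join(map(str, target))))
    return findings

# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {
    "epmm-a.example.internal": "12.6.1.1",
    "epmm-b.example.internal": "12.7.0.0 Build 3",
    "epmm-c.example.internal": "12.5.0.2",
    "epmm-d.example.internal": "12.8.0.1",
}

if __name__ == "__main__":
    for host, version, target in audit(SAMPLE_INVENTORY):
        print(f"{host}: {version} is vulnerable, upgrade to {target} or later")
```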
Technical Details
While Ivanti has confirmed that this vulnerability is actively being exploited in the wild, the observed campaigns remain highly targeted and limited in scope. The requirement for valid administrative credentials strongly suggests that threat actors are leveraging previously compromised accounts or chaining this flaw with undisclosed authentication bypass mechanisms. If customers previously rotated credentials following recommendations from January 2026 regarding CVE-2026-1281 and CVE-2026-1340, the risk of exploitation from CVE-2026-6973 is significantly reduced. Specific exploitation payloads, the exact vulnerable endpoints, and the identity/identities of the threat actors have not been publicly disclosed and/or are not currently known.
On the same day, Ivanti patched four additional high-severity EPMM vulnerabilities:
- CVE-2026-5786 (allows a remote authenticated attacker to gain administrative access)
- CVE-2026-5787 (allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates)
- CVE-2026-5788 (allows a remote unauthenticated attacker to invoke arbitrary methods)
- CVE-2026-7821 (allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about the EPMM appliance and impacting the integrity of the newly enrolled device identity)
While Ivanti has reported no evidence that these four vulnerabilities are being exploited in the wild, they could allow attackers to gain administrative access or sensitive information, which may serve to eliminate the initial admin credential prerequisite for successful exploitation of CVE-2026-6973.
Mitigation
- Upgrade Ivanti EPMM to version 12.6.1.1, 12.7.0.1, 12.8.0.1, or a later release immediately. Ivanti strongly encourages prompt patching.
- Rotate all administrative credentials for EPMM immediately, especially if they were not rotated following the January 2026 recommendations for CVE-2026-1281 and CVE-2026-1340.
- Review application and system logs for unauthorized administrative activity or signs of compromise.
What the Cyber Fusion Center is Doing
The CFC is monitoring the situation and this advisory will be updated if required.
Qualys ID: 734188