Ivanti has released security updates for Ivanti Endpoint Manager Mobile (EPMM) after confirming limited in-the-wild exploitation of CVE-2026-6973, a high-severity remote code execution vulnerability affecting on-premises EPMM deployments.
CVE-2026-6973 is an improper input validation vulnerability that affects Ivanti EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1. Successful exploitation requires a remotely authenticated user with administrative access, but the risk remains significant because EPMM has been repeatedly targeted in previous campaigns and may hold sensitive access to mobile device management infrastructure.
CISA added CVE-2026-6973 to its Known Exploited Vulnerabilities catalog on May 7, 2026, with a remediation due date of May 10, 2026, for U.S. federal civilian agencies.
Threat Overview
The vulnerability only affects on-premises Ivanti EPMM deployments. Ivanti has stated that Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, and other Ivanti products are not affected.
Although exploitation requires administrator authentication, this does not remove the urgency. Ivanti and government advisories indicate that risk may be higher for organizations previously affected by January 2026 EPMM vulnerabilities, particularly where administrative credentials were not rotated after earlier exploitation activity. The Centre for Cybersecurity Belgium noted that Ivanti has high confidence that credentials used in CVE-2026-6973 exploitation may have originated from prior exploitation of CVE-2026-1340.
Alongside CVE-2026-6973, Ivanti also patched four additional high-severity EPMM vulnerabilities: CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821. These issues could allow attackers to gain administrative access, impersonate registered Sentry hosts, invoke arbitrary methods, or access restricted information depending on configuration and exposure.
Impact Assessment
Successful exploitation of CVE-2026-6973 could allow an authenticated attacker with administrative access to execute arbitrary code on affected EPMM servers. In practical terms, this may support further compromise of the EPMM appliance, access to sensitive configuration data, disruption of mobile device management operations, or follow-on activity against managed devices and connected enterprise systems.
Organizations should treat this vulnerability as high priority even where there is no current evidence of compromise.
Recommended Actions
OP Innovate recommends that organizations using Ivanti EPMM take the following actions:
- Apply Ivanti’s security updates immediately
  Upgrade affected on-premises EPMM deployments to 12.6.1.1, 12.7.0.1, or 12.8.0.1, depending on the deployed branch.
- Review administrative accounts
  Audit all EPMM administrator accounts, remove unnecessary privileges, and rotate credentials, especially if the environment may have been affected by previous Ivanti EPMM vulnerabilities.
- Restrict administrative access
  Limit EPMM administrative interfaces to trusted networks, VPN access, or hardened management segments. Avoid exposing administrative services directly to the internet.
- Review logs for suspicious activity
  Examine EPMM and web server logs for unusual administrative access, unexpected requests, abnormal authentication patterns, or activity from unfamiliar IP addresses. The originally shared advisory also highlights Apache access logs at /var/log/httpd/https-access_log as a relevant review location.
- Hunt for post-exploitation behavior
  Look for signs of new or modified admin accounts, unexpected configuration changes, suspicious certificate activity, unusual device enrollment behavior, web shell indicators, outbound connections, or changes to MDM policies.
- Validate exposure externally
  Confirm whether any EPMM services are internet-facing and reduce exposure where possible. Publicly exposed EPMM appliances should be treated as higher risk until patched and reviewed.
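The following script is an added illustration of two of the actions above, the patch-level check against the fixed versions named in this advisory and a first-pass review of the Apache access log at /var/log/httpd/https-access_log. It is example code written for this page, not code from Ivanti or from OP Innovate. The trusted management ranges, the `/admin/` URL prefix, the failure threshold and the sample log lines are all constructed assumptions for the demonstration and must be replaced with the values that apply to your own deployment.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Apache "combined" log format, the format normally found in
# /var/log/httpd/https-access_log (the file the advisory points reviewers at).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumptions for this example, not facts from the advisory: adjust to your
# own management ranges and to the URL prefixes of your EPMM admin interface.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.50.0/24")]
ADMIN_PREFIXES = ("/admin/",)          # placeholder prefix, not a real EPMM path
AUTH_FAILURE_THRESHOLD = 5             # 401/403 responses per source before flagging

# Fixed versions named in the advisory, keyed by release branch.
PATCHED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_trusted(ip):
    """True if the source address lies inside one of the trusted management ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage(lines):
    """Flag admin-interface requests from untrusted sources and auth-failure bursts."""
    findings = {"untrusted_admin": [], "auth_bursts": [], "unparsed": 0}
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings["unparsed"] += 1      # malformed lines deserve a look of their own
            continue
        if rec["path"].startswith(ADMIN_PREFIXES) and not is_trusted(rec["ip"]):
            findings["untrusted_admin"].append(
                (rec["ip"], rec["method"], rec["path"], rec["status"]))
        if rec["status"] in (401, 403):
            failures[rec["ip"]] += 1
    findings["auth_bursts"] = sorted(
        (ip, n) for ip, n in failures.items() if n >= AUTH_FAILURE_THRESHOLD)
    return findings


def is_patched(version):
    """True if an EPMM version is at or above the fixed build for its branch.

    Returns None for a branch the advisory lists no fix for, so the caller
    treats it as needing manual review rather than as safe.
    """
    parts = tuple(int(p) for p in version.split("."))
    fixed = PATCHED.get(parts[:2])
    if fixed is None:
        return None
    return parts >= fixed


# Constructed sample log lines for demonstration; not real traffic.
SAMPLE_LOG = [
    '10.0.4.12 - admin [07/May/2026:09:14:02 +0000] "GET /admin/login HTTP/1.1" 200 1532',
    '203.0.113.45 - - [07/May/2026:09:15:10 +0000] "POST /admin/login HTTP/1.1" 401 312',
    '203.0.113.45 - - [07/May/2026:09:15:12 +0000] "POST /admin/login HTTP/1.1" 401 312',
    '203.0.113.45 - - [07/May/2026:09:15:14 +0000] "POST /admin/login HTTP/1.1" 401 312',
    '203.0.113.45 - - [07/May/2026:09:15:16 +0000] "POST /admin/login HTTP/1.1" 401 312',
    '203.0.113.45 - - [07/May/2026:09:15:18 +0000] "POST /admin/login HTTP/1.1" 401 312',
    '203.0.113.45 - admin [07/May/2026:09:15:59 +0000] "POST /admin/api/config HTTP/1.1" 200 88',
    '203.0.113.45 - - [07/May/2026:09:16:01 +0000] "GET /favicon.ico HTTP/1.1" 200 1406',
    'garbage line that is not in combined log format',
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    labels = {True: "patched", False: "NOT patched", None: "branch not listed, review"}
    for v in ("12.6.1.1", "12.7.0", "12.8.0.1", "12.5.2.0"):
        print(v, labels[is_patched(v)])
```

Run it against a copy of the real access log with `triage(open(path).readlines())`; the source-of-truth for what counts as trusted and which paths are administrative is your own network design, so tune those two constants before reading anything into the output.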
Stay Safe. Stay Secure
OP Innovate Research Team