
Emerging Threat: CVE-2026-6973, Authenticated Admin RCE in Ivanti Endpoint Manager Mobile

What is CVE-2026-6973?

CVE-2026-6973 is a high-severity improper input validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that allows a remotely authenticated user with administrative access to achieve remote code execution on the appliance. Ivanti assigned the issue a CVSS score of 7.2 (High).

The flaw affects on-prem EPMM only. Ivanti Neurons for MDM (the cloud-based unified endpoint management product), Ivanti EPM (a separately named endpoint management product line), and Ivanti Sentry are not in scope for this CVE.

CVE-2026-6973 was disclosed on May 7, 2026. Ivanti has confirmed exploitation against a limited number of customers, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog with a federal remediation deadline of May 10, 2026.

Why this matters even though it requires admin authentication

The admin precondition does not make this issue safe to deprioritize. EPMM sits in a privileged position in most environments. It manages mobile device policies, controls enrollment workflows, and frequently integrates with identity systems such as SSO and LDAP. Code execution on the EPMM appliance gives an attacker a foothold in a system where sensitive configuration and identity integrations live, and where lateral movement into the broader identity plane is a realistic next step.

Ivanti has stated that customers who rotated administrative credentials following its January 2026 guidance for CVE-2026-1281 and CVE-2026-1340 have significantly reduced risk from CVE-2026-6973. That guidance implicitly points to the realistic exploitation path: stolen or reused admin credentials rather than an unauthenticated remote attack. Any environment where EPMM admin credentials have not been rotated in 2026 should treat this CVE as effectively unauthenticated for the purposes of prioritization.

What we know about exploitation

Ivanti reports a very limited number of customers have been affected. Public reporting has not identified the threat actor, the exploitation chain, or the post-exploitation objectives. No reliable atomic indicators of compromise have been published, and no public proof-of-concept exploit code is available at the time of writing.

CISA's three-day federal remediation window is a strong prioritization signal. Internet-wide scanning data indicates more than 800 EPMM instances were reachable from the public internet as of May 7, 2026, with the majority concentrated in Europe and North America.

Reachability is not the same as exploitation, but it defines the population of appliances where credential compromise could translate directly into RCE.

Are fixes available?

Yes. Ivanti has released fixes in EPMM versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. Any on-prem EPMM instance running 12.8.0.0 or earlier on the affected branches is vulnerable until upgraded.

Customers who have not rotated EPMM admin credentials since the January 2026 advisory should treat rotation as part of the remediation, not a separate task. Credential rotation is the factor Ivanti itself names as reducing risk from this CVE.

Defenders should verify directly with Ivanti rather than assuming an environment is covered by an earlier patch.

Beyond patching, defenders should rotate all EPMM administrative credentials, restrict the admin interface to trusted management networks where feasible, review application and system logs for unauthorized administrative activity, and audit recent changes to device policies, enrollment settings, and administrative role assignments. Unexpected configuration edits tied to SSO or LDAP integrations and unusual outbound connections from the appliance are reasonable indicators to monitor against a known baseline.
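The fixed-version list and the credential-rotation guidance above can be combined into one triage pass over an EPMM inventory. The following is an added example, not Ivanti or CyCognito code: the inventory fields, host names, priority labels, and the reading of "rotated in 2026" as on or after January 1, 2026 are assumptions made for illustration.

```python
from datetime import date

# Fixed releases named in the post, keyed by (major, minor) branch.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
# Assumption: "rotated in 2026" means on or after 2026-01-01.
ROTATION_CUTOFF = date(2026, 1, 1)

def parse_version(text):
    """Dotted version string -> zero-padded 4-tuple (ValueError on junk)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def patch_status(version):
    """Return 'patched', 'vulnerable' or 'verify' for an on-prem EPMM version."""
    v = parse_version(version)
    fix = FIXED.get(v[:2])
    if fix is None:
        return "verify"  # branch not named in the post: confirm with Ivanti
    # Assumption: later builds on a branch carry that branch's fix.
    return "patched" if v >= fix else "vulnerable"

def triage(inst):
    """Return (priority, actions) for one inventory record (labels are ours)."""
    status = patch_status(inst["version"])
    rotated = inst.get("admin_creds_rotated")
    stale = rotated is None or rotated < ROTATION_CUTOFF
    actions = []
    if status == "vulnerable":
        actions.append("upgrade to fixed release")
    elif status == "verify":
        actions.append("confirm fix status with Ivanti")
    if stale:
        actions.append("rotate admin credentials")
    if inst["internet_reachable"]:
        actions.append("restrict admin interface")
    if status == "vulnerable" and stale:
        priority = "critical"  # prioritized as if unauthenticated
    elif status == "patched" and not stale:
        priority = "low" if actions else "none"
    else:
        priority = "high"
    return priority, actions

# Constructed sample inventory (hypothetical hosts and dates).
INVENTORY = [
    {"host": "epmm-a", "version": "12.8.0.0", "admin_creds_rotated": date(2025, 9, 3), "internet_reachable": True},
    {"host": "epmm-b", "version": "12.7.0.1", "admin_creds_rotated": date(2026, 2, 11), "internet_reachable": False},
]
for inst in INVENTORY:
    print(inst["host"], *triage(inst))
```

A record with no known rotation date (`None`) is treated the same as one rotated before the cutoff, so missing data raises the priority rather than hiding the host.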

How can CyCognito help your organization?

CyCognito published an Emerging Threat Advisory for CVE-2026-6973 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.

To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.

