Ivanti EPMM RCE CVE-2026-6973 exploited in limited attacks
Ivanti warns CVE-2026-6973 in on-prem Endpoint Manager Mobile has been exploited in limited attacks and can allow remote code execution by an admin-level user.
Ivanti published an advisory reporting that a high-severity flaw, tracked as CVE-2026-6973, has been exploited in a limited number of attacks against on-premises Endpoint Manager Mobile (EPMM). The vulnerability affects EPMM versions prior to 12.6.1.1, 12.7.0.1 and 12.8.0.1 and requires a remotely authenticated user with administrative credentials to execute code on the appliance.
The company said it is aware of a very small number of customers that experienced exploitation and did not identify who carried out the activity or whether initial access led to broader compromises. The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-6973 to its Known Exploited Vulnerabilities catalog, obligating Federal Civilian Executive Branch agencies to apply fixes by May 10, 2026.
| CVE Number | Description | CVSS Score (Severity) | CVSS Vector | CWE |
|---|---|---|---|---|
| CVE-2026-5786 | An Improper Access Control vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote authenticated attacker to gain administrative access. | 8.8 (High) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE-284 |
| CVE-2026-5787 | An Improper Certificate Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates. | 8.9 (High) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L | CWE-295 |
| CVE-2026-5788 | An Improper Access Control in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to invoke arbitrary methods. | 7.0 (High) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L | CWE-284 |
| CVE-2026-6973 | An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution. | 7.2 (High) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-20 |
| CVE-2026-7821 | Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about EPMM appliance and impacting on the integrity of the newly enrolled device identity. | 7.4 (High) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | CWE-295, CWE-306 |
Ivanti also issued patches for four other vulnerabilities in on-prem EPMM. CVE-2026-5786 (CVSS 8.8) is an improper access control issue that can allow a remote authenticated attacker to gain administrative access. CVE-2026-5787 (CVSS 8.9) involves improper certificate validation that could let an unauthenticated actor impersonate registered Sentry hosts and obtain CA-signed client certificates. CVE-2026-5788 (CVSS 7.0) is another improper access control flaw that may permit an unauthenticated actor to invoke arbitrary methods. CVE-2026-7821 (CVSS 7.4) is an improper certificate validation weakness that could allow enrollment of certain unenrolled devices and disclose information about the EPMM appliance.
Ivanti noted that successful exploitation of CVE-2026-6973 requires administrative authentication and referenced prior guidance recommending credential rotation after earlier incidents tied to CVE-2026-1281 and CVE-2026-1340. Customers who rotated credentials in response to that guidance face a significantly reduced risk from the new vulnerability.
The advisory clarifies that the issues affect only the on-premises EPMM product and are not present in Ivanti Neurons for MDM, Ivanti EPM (a different product), Ivanti Sentry, or other Ivanti offerings. Ivanti urged customers running on-prem EPMM to apply the available patches and review administrative account security.
“We are aware of a very limited number of customers exploited with CVE-2026-6973,” the advisory states.
Organizations operating on-prem EPMM should verify their software versions, install Ivanti’s updates, and review admin credentials to limit exposure to these flaws.
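One way to run the version check described above across an inventory, as an added example that is not Ivanti's code. It assumes versions are reported as dotted numbers and that the three fixed releases apply per release train; the function names and the sample hosts are hypothetical.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) release train.
# Assumption: "prior to 12.6.1.1, 12.7.0.1 and 12.8.0.1" is applied per train.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}


def parse_version(text):
    """Parse a dotted version such as '12.7.0.1' into a 4-tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version_text):
    """Return (status, detail) for one reported EPMM version."""
    try:
        v = parse_version(version_text)
    except ValueError as exc:
        return "unknown", str(exc)
    train = v[:2]
    if train in FIXED:
        fixed = ".".join(map(str, FIXED[train]))
        if v < FIXED[train]:
            return "vulnerable", f"upgrade to {fixed} or later"
        return "patched", f"at or above {fixed}"
    if train < min(FIXED):
        return "vulnerable", "older train with no fixed release listed on the page"
    # Newer than the listed trains: the advisory text quoted here does not cover it.
    return "unknown", "train not listed; confirm against the vendor advisory"


def triage(inventory):
    """Map host -> (status, detail) for a {host: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "epmm-01.example.internal": "12.6.1.0",
        "epmm-02.example.internal": "12.7.0.1",
        "epmm-03.example.internal": "12.5.0.3",
        "epmm-04.example.internal": "12.8",
    }
    for host, (status, detail) in triage(sample).items():
        print(f"{host:28} {status:10} {detail}")
```

Hosts that come back as `unknown` need a manual look rather than being counted as patched.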



