Ivanti confirms limited active exploitation of CVE-2026-6973, a 7.2 CVSS RCE flaw in on-prem Endpoint Manager Mobile, as CISA adds the vulnerability to its KEV catalog with a May 10, 2026 patch deadline for federal agencies.

Ivanti has confirmed active exploitation of a high-severity remote code execution (RCE) vulnerability in its on-premises Endpoint Manager Mobile (EPMM) product, tracked as CVE-2026-6973, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding the flaw to its Known Exploited Vulnerabilities (KEV) catalog this week. The flaw carries a CVSS score of 7.2 and allows remotely authenticated administrative users to execute arbitrary code on affected appliances.
The vulnerability stems from improper input validation in EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. Ivanti noted in its advisory for Endpoint Manager Mobile that exploitation has been observed in a very limited number of customer environments. Successful attacks require valid administrative credentials, and the company emphasized that organizations that rotated credentials in January 2026 following previous compromises via CVE-2026-1281 and CVE-2026-1340 face significantly lower risk of exploitation.
CISA’s addition of CVE-2026-6973 to the KEV catalog mandates that all Federal Civilian Executive Branch (FCEB) agencies apply available patches by May 10, 2026. This deadline aligns with CISA’s standard practice of requiring federal agencies to remediate actively exploited flaws within three weeks of KEV addition. Ivanti has not yet shared details on the actors behind the limited attacks, whether the attempts were successful, or what end goals the attackers may have pursued.
Affected organizations should first confirm their deployment model, as the flaw only impacts on-premises EPMM instances. Ivanti clarified that the cloud-based Ivanti Neurons for MDM unified endpoint management solution, the separately branded Ivanti EPM, Ivanti Sentry, and all other Ivanti products are not affected by CVE-2026-6973 or the four additional flaws patched alongside it.
Those four additional vulnerabilities, all fixed in the same EPMM updates, include two high-severity access control flaws and two certificate validation issues. CVE-2026-5786 (CVSS 8.8) is an improper access control vulnerability that lets remote authenticated attackers escalate to administrative access without additional privileges. CVE-2026-5788 (CVSS 7.0) is another access control flaw that allows remote unauthenticated attackers to invoke arbitrary methods on the EPMM appliance.
The two certificate validation flaws carry higher CVSS scores. CVE-2026-5787 (CVSS 8.9) lets remote unauthenticated attackers impersonate registered Sentry hosts to obtain valid CA-signed client certificates, which could be used to access internal network resources. CVE-2026-7821 (CVSS 7.4) allows remote unauthenticated attackers to enroll devices that are part of a restricted, unenrolled set, leading to information disclosure about the EPMM appliance and compromising the integrity of the newly enrolled device identity.
IT teams managing on-prem EPMM instances should take immediate action to reduce risk. First, check the current EPMM version: if it is older than 12.6.1.1, 12.7.0.1, or 12.8.0.1, apply the latest patches as soon as possible. FCEB agencies must meet the May 10, 2026 deadline to comply with CISA requirements.
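Because the fixed build differs per release branch (12.6.1.1, 12.7.0.1 and 12.8.0.1), a naive "is my version lower than X" check gets the answer wrong for 12.7.x and 12.8.x hosts. The following branch-aware triage helper is an added example, not Ivanti tooling; it assumes that branches older than 12.6 have no fixed build and must be upgraded, and it reports any newer branch as not covered by this advisory rather than guessing. The host inventory is constructed sample data.

```python
"""Branch-aware EPMM version triage for CVE-2026-6973 (added example, not Ivanti code)."""
import re

# Fixed builds named in the Ivanti advisory, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
OLDEST_FIXED_BRANCH = min(FIXED_VERSIONS)


def parse_version(text):
    """Parse '12.7.0.1' (or '12.7.0.1-build5') into a 4-tuple of ints, padding missing parts with 0."""
    m = re.match(r"\s*(\d+(?:\.\d+){0,3})", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def fmt(version_tuple):
    return ".".join(str(p) for p in version_tuple)


def triage(version_text):
    """Return (status, target_build) for one on-prem EPMM version string.

    status is one of: 'patch-required', 'patched', 'upgrade-required', 'not-covered'.
    """
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[branch]
        if v < fixed:
            return "patch-required", fmt(fixed)
        return "patched", None
    if branch < OLDEST_FIXED_BRANCH:
        # Assumption: branches older than 12.6 predate every fixed build, so the
        # only remediation is moving to the oldest fixed branch.
        return "upgrade-required", fmt(FIXED_VERSIONS[OLDEST_FIXED_BRANCH])
    # Assumption: a branch newer than 12.8 is not named in the advisory; flag it for manual review.
    return "not-covered", None


def triage_fleet(inventory):
    """Map {hostname: version} to a sorted list of hosts that still need action."""
    todo = []
    for host, version in inventory.items():
        status, target = triage(version)
        if status != "patched":
            todo.append((host, version, status, target))
    return sorted(todo)


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = {
    "epmm-eu-1": "12.7.0.0",
    "epmm-eu-2": "12.8.0.1",
    "epmm-us-1": "12.6.0.5",
    "epmm-lab": "12.5.2.0",
}

if __name__ == "__main__":
    for host, version, status, target in triage_fleet(SAMPLE_INVENTORY):
        print(f"{host:12} {version:10} {status:17} -> {target}")
```

The output lists only hosts that still need work, which is the list an FCEB team would track against the May 10, 2026 KEV deadline; feed it from whatever inventory source already records appliance versions.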
Organizations that experienced compromises via CVE-2026-1281 or CVE-2026-1340 should verify that all administrative credentials were rotated as recommended in January 2026. Since CVE-2026-6973 requires admin authentication to exploit, auditing admin account activity logs for unexpected login locations, times, or actions can help identify potential compromise.
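Since exploitation needs a valid admin session, the admin-activity review above is the main detection lever until Ivanti publishes indicators. The script below is an added example, not EPMM's own logging or tooling: it assumes a simple key=value log format (real EPMM logs will differ and need a different parser), a constructed allowlist of networks admins normally log in from, a working-hours window in UTC, and a per-account record of when each admin password was last changed so that accounts missed by the January 2026 rotation stand out.

```python
"""Admin-login audit for on-prem EPMM (added example; constructed log format and data)."""
import ipaddress
from datetime import datetime, timezone

# Assumptions: networks admins normally log in from, working hours (UTC), and the
# date by which the January 2026 credential rotation should have happened.
TRUSTED_ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                          ipaddress.ip_network("192.168.0.0/16")]
WORK_HOURS = range(7, 20)  # 07:00-19:59 UTC
ROTATION_CUTOFF = datetime(2026, 1, 1, tzinfo=timezone.utc)

# Constructed sample: when each admin account's password was last changed (not real data).
LAST_ROTATED = {
    "ops-admin": datetime(2026, 1, 14, tzinfo=timezone.utc),
    "legacy-admin": datetime(2025, 9, 2, tzinfo=timezone.utc),
}

# Constructed log lines in a simple key=value format; real EPMM logs will differ.
SAMPLE_LOG = """\
2026-04-21T09:12:03Z user=ops-admin src=10.20.30.40 action=login result=success
2026-04-22T03:14:07Z user=ops-admin src=203.0.113.45 action=login result=success
2026-04-22T11:02:55Z user=legacy-admin src=192.168.5.9 action=login result=success
2026-04-22T11:03:10Z user=unknown-admin src=192.168.5.9 action=login result=failure
"""


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a timezone-aware 'ts' field."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def findings_for(rec):
    """Return the list of reasons a single admin event deserves a second look."""
    flags = []
    src = ipaddress.ip_address(rec["src"])
    if not any(src in net for net in TRUSTED_ADMIN_NETWORKS):
        flags.append("untrusted-source")
    if rec["ts"].hour not in WORK_HOURS:
        flags.append("off-hours")
    user = rec["user"]
    if user not in LAST_ROTATED:
        flags.append("unknown-account")
    elif LAST_ROTATED[user] < ROTATION_CUTOFF:
        flags.append("credential-not-rotated")
    return flags


def audit(log_text):
    """Return {line_number: [flags]} for every successful admin login that raised a flag."""
    results = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("action") != "login" or rec.get("result") != "success":
            continue
        flags = findings_for(rec)
        if flags:
            results[n] = flags
    return results


if __name__ == "__main__":
    for n, flags in audit(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(flags)}")
```

Only successful logins are reported, since those are the sessions that could have been used against CVE-2026-6973; a burst of failed logins against an unknown account is still worth counting separately, and the per-event `findings_for` helper can be reused for that.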
For the certificate validation flaws, review Sentry host logs for unauthorized impersonation attempts and check client certificate stores for any unrecognized CA-signed certificates. Teams should also audit device enrollment logs for any devices added outside of standard provisioning workflows, which could indicate exploitation of CVE-2026-7821. Unauthenticated access to arbitrary methods via CVE-2026-5788 may leave traces in EPMM application logs, so reviewing those for unexpected method calls is also recommended.
Ivanti has not released indicators of compromise specific to CVE-2026-6973 exploitation, but teams can reference previous advisories for CVE-2026-1281 and CVE-2026-1340 to check for persistent access mechanisms that could be reused for this new flaw. Organizations that suspect compromise should contact Ivanti support and report incidents to CISA via its incident reporting portal.