Ivanti EPMM CVE-2026-6973
- Ivanti released fixes on May 7 for five Endpoint Manager Mobile flaws, including CVE-2026-6973, a high-severity bug affecting on-premises EPMM deployments. (hub.ivanti.com)
- The key detail is exploitation: Ivanti said it was aware of “a very limited number” of customers hit, and CISA added CVE-2026-6973 to KEV. (hub.ivanti.com)
- Patched versions are 12.6.1.1, 12.7.0.1 and 12.8.0.1, and CISA’s KEV catalog is the reference for follow-up tracking. (nvd.nist.gov)

Ivanti’s May 7 security update for Endpoint Manager Mobile turned a sparse CVE entry into a priority issue for defenders because the company said CVE-2026-6973 had already been exploited against a limited number of customers. The flaw is an improper input-validation bug in Ivanti EPMM, the company’s mobile device management product for provisioning, policy enforcement and device administration. (hub.ivanti.com)

NIST’s National Vulnerability Database says the issue can let a remotely authenticated user with administrative access achieve remote code execution on unpatched systems. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog the same day, putting it in the small subset of bugs with confirmed in-the-wild abuse. (nvd.nist.gov)

### What, exactly, is CVE-2026-6973?

CVE-2026-6973 is described by NVD as an improper input-validation vulnerability in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1 and 12.8.0.1. NVD says successful exploitation can allow remote code execution, but only for a user who is already authenticated and has administrative access.

Ivanti’s own May advisory grouped CVE-2026-6973 with four other high-severity EPMM flaws. The company said the vulnerable product is Ivanti Endpoint Manager Mobile, formerly one of the core on-premises tools enterprises use to enroll phones and tablets, push configurations, enforce policy and manage device posture. (hub.ivanti.com)

### Why did this one get more attention than a routine patch note?

May 7 is the critical date because Ivanti said it was “aware of a very limited number of customers exploited” with CVE-2026-6973. That disclosure moved the bug out of the category of theoretical exposure and into active incident response for organizations running EPMM on premises. (nvd.nist.gov)

CISA’s KEV addition reinforced that urgency. The agency says the KEV catalog is the authoritative list of vulnerabilities known to have been exploited in the wild and that organizations should use it as an input to prioritization. (hub.ivanti.com)

### How serious is it if admin access is required?

Administrative access is the limiting condition, but not a reason to dismiss the flaw. NVD’s description still ends with remote code execution, which means an attacker who already has an admin foothold could use the bug to run code on the management server itself.

Ivanti tied that risk to earlier EPMM incidents. The company said customers who followed its January recommendation to rotate credentials after exploitation of CVE-2026-1281 and CVE-2026-1340 would have significantly reduced risk from CVE-2026-6973. (hub.ivanti.com) That links the May issue to a practical concern: stale privileged credentials on a management platform. (cisa.gov)

### Why do defenders treat MDM and EMM bugs as high-priority systems issues?

Endpoint Manager Mobile sits in a control layer. EPMM is used to provision devices, apply security settings, manage enrollment and enforce enterprise policy across fleets of mobile endpoints, according to Ivanti’s product and advisory descriptions. (nvd.nist.gov) A flaw in that layer affects more than one handset or tablet; it affects the system that tells many devices what to do.

That is why the operational response is usually broader than patching one server. Ivanti recommended customers review accounts with admin rights and rotate those credentials where necessary, in addition to applying the update. (hub.ivanti.com)

### What should organizations look for next?

The patched versions are 12.6.1.1, 12.7.0.1 and 12.8.0.1, according to NVD and Ivanti. Organizations still running earlier releases should be checking whether their EPMM deployment is on premises, whether admin credentials were rotated after the January EPMM bugs, and whether the asset is now tracked internally as a KEV-listed vulnerability. (hub.ivanti.com)

CISA’s KEV catalog remains the public reference point for follow-up status, and Ivanti’s May 2026 EPMM advisory carries the vendor remediation details and version guidance defenders will need for the next patch cycle. (hub.ivanti.com)
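
The checklist above can be run against an asset inventory. The following Python sketch is an added example, not code from Ivanti, NVD or CISA: it compares each server's version with the fixed release for its branch and lists the follow-up actions. The `Server` record, its field names and the sample inventory are constructed for illustration, and version strings are assumed to be dotted numbers.

```python
from dataclasses import dataclass

# Fixed releases per branch, as stated in this article (NVD and Ivanti).
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}

def parse_version(text):
    """Parse '12.7.0.0' into a tuple of ints, zero-padded to four fields."""
    parts = [int(p) for p in text.strip().split(".")]  # ValueError if non-numeric
    return tuple(parts + [0] * (4 - len(parts)))

def patch_status(version):
    """Classify one version string against the fixed release of its branch."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable"
    branch = v[:2]
    if branch in FIXED:
        return "patched" if v >= FIXED[branch] else "vulnerable"
    # Branches older than 12.6 have no fixed release listed in the article;
    # newer branches are not covered by it at all.
    return "vulnerable" if branch < min(FIXED) else "check-advisory"

@dataclass
class Server:  # hypothetical inventory record, not an Ivanti data format
    name: str
    version: str
    on_prem: bool
    admin_creds_rotated: bool  # rotated after the January EPMM bugs?

def triage(server):
    """Return the follow-up actions the article's checklist implies."""
    if not server.on_prem:
        return ["out of scope: advisory covers on-premises EPMM"]
    actions = []
    status = patch_status(server.version)
    if status == "vulnerable":
        actions.append("upgrade to 12.6.1.1, 12.7.0.1 or 12.8.0.1; track as KEV-listed")
    elif status != "patched":
        actions.append("confirm version against the vendor advisory")
    if not server.admin_creds_rotated:
        actions.append("review admin accounts and rotate credentials")
    return actions or ["no action: patched and credentials rotated"]

# Constructed sample inventory.
INVENTORY = [Server("mdm-a", "12.6.1.0", True, False),
             Server("mdm-b", "12.8.0.1", True, True),
             Server("mdm-c", "12.5.0.2", True, True)]

if __name__ == "__main__":
    for s in INVENTORY:
        print(s.name, s.version, "->", "; ".join(triage(s)))
```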