Ivanti Confirms Post-Auth RCE in EPMM Under Active Exploitation
Ivanti has warned of targeted attacks exploiting CVE-2026-6973, a post-authentication RCE flaw in on-premise EPMM. The vulnerability, now in CISA’s KEV catalog…

On May 7, 2026, Ivanti confirmed that a vulnerability in its on-premise Endpoint Manager Mobile (EPMM) platform, tracked as CVE-2026-6973, is being targeted in a "very limited" number of real-world attacks. The flaw, described as an improper input validation issue with a CVSS score of 7.2, allows an authenticated remote user with administrative privileges to achieve remote code execution (RCE). The Cybersecurity and Infrastructure Security Agency (CISA) has added the bug to its Known Exploited Vulnerabilities (KEV) catalog, mandating a mitigation deadline of May 10, 2026, for Federal Civilian Executive Branch (FCEB) agencies.
- Active Exploitation: Ivanti acknowledged that a small number of on-premise EPMM customers have been compromised via CVE-2026-6973, an improper input validation vulnerability.
- Post-Authentication RCE: The attack is not pre-authentication; it requires valid administrative credentials. However, an attacker who already holds compromised passwords or session tokens satisfies that requirement without needing any bypass.
- CISA KEV Listing: The flaw was added to the KEV catalog, with a federal remediation deadline set for May 10, 2026.
- Mitigation Strategy: Organizations that followed Ivanti’s January 2026 recommendation to rotate credentials have significantly lower risk, as the exploit likely relies on previously stolen admin access.
Ivanti Advisory Confirms Active Attacks
In a security advisory released on May 7, Ivanti identified CVE-2026-6973 as an improper input validation vulnerability within the EPMM management interface. As reported by The Hacker News, the company stated it is aware of a very limited number of customers who were compromised through this specific flaw. Its 7.2 CVSS score places it in the High severity band.
The same bulletin addressed four additional vulnerabilities—CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821—though only CVE-2026-6973 is known to be exploited in the wild at this time. It remains unclear if all observed attacks were successful or what the threat actors' ultimate objectives were; the identity of the attackers has not been disclosed.
Critically, the patches released on May 13 for EPM, Secure Access, vTM, and Xtraction do not cover EPMM and do not resolve the RCE described in this advisory. Administrators of on-premise EPMM must update to versions 12.6.1.1, 12.7.0.1, or 12.8.0.1 to secure their systems.
Technical Breakdown: From Input Validation to RCE
The vulnerability stems from insufficient input validation within the EPMM administrative interface. A threat actor who successfully authenticates with administrative privileges can send a specially crafted request to trigger remote code execution on the server. Ivanti’s advisory, as cited by The Hacker News, emphasizes that admin authentication is a prerequisite for exploitation.
While this is not a pre-authentication bypass, the requirement for credentials does not eliminate the risk. Administrative passwords or tokens that were compromised in earlier incidents, reused across systems, or guessed through brute-force or credential-stuffing attacks against public-facing interfaces remain viable vectors for this RCE.
Credential Hygiene: A Critical Defense
A significant aspect of this campaign is its connection to preventive measures issued by Ivanti in January 2026. At that time, the company urged customers to rotate credentials following previous security incidents. According to the advisory, customers who implemented those recommendations are at a significantly lower risk of exploitation for this new CVE.
"We are aware of a very limited number of customers exploited with CVE-2026-6973. Successful exploitation requires Admin authentication."
This suggests that the new RCE may be exploited primarily by reusing administrative credentials harvested during prior breaches. There is currently no confirmation of a public exploit, nor is it clear if attackers are using default credentials or brute-force methods. The lack of an authentication bypass mechanism shifts the focus from the software bug itself to overall credential hygiene and the isolation of management interfaces.
CISA KEV Listing and Federal Compliance
CISA has formally added the EPMM improper input validation vulnerability to its Known Exploited Vulnerabilities catalog. This listing triggers a mandatory mitigation requirement for U.S. federal agencies, with a strict deadline of May 10, 2026. For the private sector, the inclusion in the KEV catalog serves as a high-priority warning, signaling that the flaw is being actively leveraged by sophisticated actors.
While CISA's catalog entry may not explicitly list the CVE number in all summaries, the correlation with the EPMM improper input validation flaw is confirmed by Ivanti’s advisory. Private organizations should use the May 10 federal deadline as a benchmark to calibrate their own response based on the criticality of their mobile device management (MDM) infrastructure.
Mitigation and Security Recommendations
Organizations running on-premise Ivanti EPMM must adopt a multi-layered defense. Because the flaw is post-authentication, credential security is paramount, but software updates are the only permanent fix.
Verify Versions and Patch Immediately: Remediation is available in versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. Organizations on older releases should prioritize these upgrades, as there are no known workarounds to block the RCE without patching.
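Because the fixed builds sit on three separate maintenance branches, a naive string comparison ("12.6.10" sorts before "12.6.1.1" lexically) gets triage wrong. The following Python helper is an added example, not Ivanti tooling: it compares version strings numerically against the fixed releases named above, per branch. It assumes that any 12.6/12.7/12.8 build at or above the fixed release contains the fix, that branches older than 12.6 (no fixed build is listed for them) must be upgraded, and that branches newer than those listed are not covered by this advisory and need manual confirmation. The inventory is constructed for illustration.

```python
# Fixed EPMM releases named in the Ivanti advisory, keyed by maintenance branch.
FIXED = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}


def parse_version(text):
    """Turn '12.6.1' into (12, 6, 1, 0): numeric fields, padded to four.

    Comparing tuples of ints avoids the classic mistake of comparing
    version strings lexically, where '12.6.1.1' < '12.6.10' would be false.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected EPMM version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def triage(version):
    """Classify one EPMM version as 'patched', 'vulnerable' or 'unknown'."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        # Assumption: later builds on a fixed branch carry the fix forward.
        return "patched" if v >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        # Branches older than 12.6 have no fixed build listed; the advisory's
        # only remedy is upgrading to one of the fixed releases.
        return "vulnerable"
    # Newer than anything the advisory lists: not stated on the page, so do
    # not guess. Confirm against the vendor advisory by hand.
    return "unknown"


def triage_fleet(inventory):
    """Map hostname -> status for a {hostname: version} inventory."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    fleet = {
        "epmm-prod-01": "12.6.1.1",
        "epmm-prod-02": "12.6.1",
        "epmm-dr-01": "12.7.0.0",
        "epmm-lab": "12.5.2.0",
        "epmm-pilot": "12.9.0.0",
    }
    for host, status in sorted(triage_fleet(fleet).items()):
        print(f"{host:14s} {fleet[host]:10s} {status}")
```

Feed it the output of your asset inventory rather than a hand-typed list; a host reported as "unknown" is a prompt to read the advisory, not a green light.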
Rotate All EPMM Admin Credentials: Ensure all administrative passwords are changed, especially if they have been reused or shared. This aligns with the January 2026 guidance and disrupts attack chains that rely on previously leaked credentials.
Isolate Management Interfaces: Restrict access to the EPMM admin interface to internal networks or secure VPN segments. Publicly accessible management endpoints are prime targets for brute-force and credential stuffing attempts.
Audit Authentication Logs: Security teams should review administrative access logs from the past several months to identify anomalous sessions. Prioritize searches for logins from unusual geographic locations or at atypical times that may have preceded the exploitation of CVE-2026-6973.
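The log review above is easier to scope with a script than by eye. The Python below is an added example written for this page, not an Ivanti tool, and it does not use EPMM's real audit-log format, which the advisory does not document; it parses a constructed "timestamp user action source" record and you would adapt parse_line() to the fields your appliance actually emits. It flags the three patterns the recommendations call out: admin logins from networks where administrators are not expected (a stand-in for unusual geography, since offline code cannot geolocate), logins outside business hours or on weekends, and a success that follows a burst of failures from the same source, the signature of a brute-force or credential-stuffing attempt. The expected networks, hours and thresholds are hypothetical values.

```python
import ipaddress
from datetime import datetime, time, timedelta

# Constructed sample records, NOT EPMM's real audit-log format.
# Format assumed here: "<ISO-8601 UTC> <user> <action> <source IP>".
SAMPLE_LOG = """\
2026-04-28T09:12:05Z admin LOGIN_SUCCESS 10.20.30.15
2026-04-28T13:40:51Z helpdesk LOGIN_SUCCESS 10.20.31.7
2026-05-02T02:17:33Z admin LOGIN_SUCCESS 198.51.100.23
2026-05-03T22:05:10Z admin LOGIN_FAILURE 203.0.113.9
2026-05-03T22:05:12Z admin LOGIN_FAILURE 203.0.113.9
2026-05-03T22:05:14Z admin LOGIN_FAILURE 203.0.113.9
2026-05-03T22:05:15Z admin LOGIN_FAILURE 203.0.113.9
2026-05-03T22:05:17Z admin LOGIN_FAILURE 203.0.113.9
2026-05-03T22:05:20Z admin LOGIN_SUCCESS 203.0.113.9
2026-05-04T10:30:00Z admin LOGIN_SUCCESS 10.20.30.15
"""

# Hypothetical: the management VLAN and VPN pool from which admins normally log in.
EXPECTED_ADMIN_NETS = [
    ipaddress.ip_network("10.20.30.0/24"),
    ipaddress.ip_network("10.20.31.0/24"),
]
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # hypothetical, in UTC
BRUTE_FORCE_THRESHOLD = 5                   # failures before a success
BRUTE_FORCE_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one constructed record into a dict with typed fields."""
    ts, user, action, src = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "action": action,
        "src": ipaddress.ip_address(src),
    }


def audit(log_text):
    """Return (reason, user, source, timestamp) findings for suspicious successes."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    findings = []
    failures = {}  # (user, src) -> timestamps of recent LOGIN_FAILURE
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["action"] == "LOGIN_FAILURE":
            failures.setdefault(key, []).append(ev["ts"])
            continue
        if ev["action"] != "LOGIN_SUCCESS":
            continue
        stamp = ev["ts"].isoformat()
        # 1. Success from outside the networks where admins are expected.
        if not any(ev["src"] in net for net in EXPECTED_ADMIN_NETS):
            findings.append(("unexpected_source", ev["user"], str(ev["src"]), stamp))
        # 2. Success at an atypical time: weekend, or outside business hours.
        t = ev["ts"].time()
        if ev["ts"].weekday() >= 5 or not BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]:
            findings.append(("off_hours", ev["user"], str(ev["src"]), stamp))
        # 3. Success preceded by a burst of failures from the same source.
        recent = [f for f in failures.get(key, []) if ev["ts"] - f <= BRUTE_FORCE_WINDOW]
        if len(recent) >= BRUTE_FORCE_THRESHOLD:
            findings.append(("brute_force_then_success", ev["user"], str(ev["src"]), stamp))
        failures.pop(key, None)  # a success resets the failure streak
    return findings


if __name__ == "__main__":
    for reason, user, src, stamp in audit(SAMPLE_LOG):
        print(f"{stamp}  {reason:26s} user={user} src={src}")
```

A hit is a lead, not a verdict: confirm it against VPN and identity-provider records, and treat any success on the day the failure burst ends as the point from which to look for post-authentication activity.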
The emergence of CVE-2026-6973 highlights a recurring trend: attackers frequently exploit new vulnerabilities by leveraging old, stolen credentials. In this case, proactive rotation and network segmentation may be as vital as the patch itself. As long as admin credentials remain the gateway, the line between a past incident and a new compromise remains dangerously thin.
Frequently Asked Questions
- Does CVE-2026-6973 affect Ivanti Neurons for MDM (cloud) or EPM?
- No. Ivanti has explicitly stated that this vulnerability does not affect Neurons for MDM, Ivanti EPM, or Sentry. The flaw is limited to on-premise EPMM versions prior to the patched releases.
- Why is the risk considered high if the attack requires admin authentication?
- Because administrative credentials may have already been compromised in earlier attacks, exposed through credential stuffing, or shared across multiple systems. Authentication is not a safeguard if the attacker already possesses valid credentials.
- Do the May 13, 2026, patches for Secure Access and vTM fix this RCE?
- No. The May 13 bulletins cover separate products—EPM, Secure Access, vTM, and Xtraction—and do not address EPMM or CVE-2026-6973. EPMM requires a specific update to versions 12.6.1.1, 12.7.0.1, or 12.8.0.1.
Information has been verified against cited sources and is current as of the time of publication.