Ivanti Patches Critical RCE Flaws While Addressing Active EPMM Zero-Day

Ivanti released security updates for Endpoint Manager (EPM), Secure Access, Virtual Traffic Manager (vTM), and Xtraction on May 13, 2026, closing critical gaps that expose infrastructure to remote code execution (RCE) and credential theft. Simultaneously, the vendor confirmed that a zero-day flaw in Endpoint Manager Mobile (EPMM)—CVE-2026-6973, first disclosed on May 7—is already being exploited in the wild. This collision of new patches and active exploitation underscores the mounting pressure on IT teams to contain a rapidly shrinking time-to-exploit window.

Key Takeaways
  • On May 13, 2026, Ivanti patched EPM, Secure Access, vTM, and Xtraction. Key fixes include CVE-2026-8109, which allows credential theft via an exposed dangerous method in the RemoteControlAuth module, and CVE-2026-8111, a SQL injection vulnerability leading to RCE.
  • CVE-2026-6973, an EPMM zero-day disclosed on May 7, 2026, is under active exploitation and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog within hours of disclosure.
  • While no vulnerabilities patched on May 13 were known to be exploited at the time of disclosure, the vendor's track record—at least 22 flaws exploited in the last two years—demands an aggressive remediation strategy.
  • Ivanti claims to use large language models (LLMs) in its red team workflows to identify flaws missed by traditional SAST/DAST tools; however, the ongoing emergence of RCEs and zero-days continues to test the efficacy of this approach.

May 13 Bulletin: Security Updates for EPM, Secure Access, vTM, and Xtraction

On May 13, 2026, Ivanti issued cumulative updates for four distinct product lines: Endpoint Manager, Secure Access Client, Virtual Traffic Manager, and Xtraction. At the time of disclosure, none of the vulnerabilities in this specific batch were reported as exploited in the wild. Nevertheless, the severity of these flaws—ranging from SQL injections to exposed dangerous methods—makes immediate deployment a priority for security and infrastructure teams.

Available documentation does not explicitly state whether the May 13 updates cover the Endpoint Manager Mobile zero-day (CVE-2026-6973) disclosed on May 7. Current reports treat these as separate security events. Consequently, security teams must verify their EPMM remediation status independently and should not assume that the May EPM or Secure Access updates provide coverage for the mobile component. This management ambiguity often adds friction to already compressed patching cycles.

CVE-2026-8109 and 8111: Analyzing Dual Attack Vectors in Endpoint Manager

Among the vulnerabilities addressed in Endpoint Manager is CVE-2026-8109, located within the RemoteControlAuth module. The flaw stems from an exposed dangerous method that allows an attacker to bypass authentication and disclose credentials stored within the system. This high-impact information disclosure can serve as an initial pivot for lateral movement across the corporate network, effectively bypassing traditional perimeter controls.

The second critical flaw is CVE-2026-8111, a SQL injection vulnerability in the Ivanti EPM web console. An authenticated remote attacker, even one with limited privileges, can exploit this to achieve remote code execution on the target server. Together, these flaws demonstrate how the EPM attack surface offers modular vectors: one focused on identity theft and access escalation, the other on direct code execution. For threat actors, this versatility increases the likelihood of a successful breach even if a single vector is blocked.

CVE-2026-6973: EPMM Zero-Day Under Active Exploitation

On May 7, 2026, Ivanti disclosed CVE-2026-6973, a zero-day vulnerability in Endpoint Manager Mobile that allows an authenticated user with administrative privileges to achieve remote code execution. Unlike the May 13 patches, this flaw is confirmed to be under active exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) added it to the KEV catalog shortly after disclosure, signaling a concrete risk for any internet-exposed EPMM infrastructure.

Ivanti stated it is aware of "very limited exploitation" but has not provided specific attribution to threat groups or the exact number of victims. While the date of the first observed exploit remains unspecified, the speed of CISA’s intervention and the nature of authenticated RCE dictate that this threat be treated with maximum priority, despite the lack of public detail regarding the scope of the attacks.

Recent history provides little room for optimism. According to reporting by CyberScoop, at least 22 Ivanti product defects have been exploited in the last two years, and at least 34 of the vendor's vulnerabilities have appeared in the KEV catalog since late 2021. This trend places Ivanti among the most frequent targets for both nation-state actors and ransomware groups, making every new advisory a significant alarm for CISOs.

"At the time of disclosure, Ivanti is aware of very limited exploitation in the wild of CVE-2026-6973, which requires authenticated administrative access to implement"

AI Red Teaming vs. Time-to-Exploit: The Gap Between Strategy and Reality

Ivanti has publicly shared its integration of large language models (LLMs) into red team workflows, aiming to discover vulnerabilities that traditional SAST and DAST tools overlook. The goal is to outpace adversaries by reducing the time defects remain in code before production. However, current events highlight a problematic coexistence: a security cycle that touts AI-driven proactive research is simultaneously confirming new active zero-days and publishing further RCE vulnerabilities within days.

Data is insufficient to determine how many of the May 13 patches were identified via LLMs, or if AI-assisted red teaming has effectively accelerated the disclosure process. What remains clear is that the time-to-exploit—the window between a vulnerability's publication and its operational use by attackers—continues to be shorter than the average organization’s ability to remediate. In this landscape, AI initiatives may be viewed as a technological reassurance rather than a measurable operational guarantee for customers.

Remediation Strategy

  • Immediately apply the May 13, 2026, patches for Endpoint Manager, Secure Access, vTM, and Xtraction, prioritizing assets on network segments without strict firewall protections.
  • Isolate or intensely monitor Ivanti Endpoint Manager Mobile assets. Verify logs for suspicious administrative access and anomalous authentication attempts given the confirmed exploitation of CVE-2026-6973.
  • Rotate credentials stored within Ivanti EPM, specifically focusing on the RemoteControlAuth module, to mitigate the risk of unauthorized disclosure linked to CVE-2026-8109.
  • Review network segregation and administrative privileges for EPM and EPMM. Limit access to authorized IPs and implement multi-factor authentication to hinder lateral movement following an initial compromise.
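The monitoring and IP-restriction steps above can be turned into a first-pass review of EPMM admin-console authentications. The script below is an added illustration, not Ivanti code: the log line format, the sample lines and the allowed admin network are constructed assumptions, so the parser must be adapted to the audit log your EPMM deployment actually emits.

```python
"""Flag EPMM admin-console logins worth reviewing after CVE-2026-6973.

Added illustration, not Ivanti code. The log format below is constructed;
adapt LINE_RE to the audit log your EPMM version actually writes.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: "<timestamp> <OK|FAIL> user=<name> role=<role> src=<ip>"
SAMPLE_LOG = """\
2026-05-08T02:11:04Z FAIL user=admin role=ADMIN src=203.0.113.77
2026-05-08T02:11:09Z FAIL user=admin role=ADMIN src=203.0.113.77
2026-05-08T02:11:15Z OK   user=admin role=ADMIN src=203.0.113.77
2026-05-08T09:30:00Z OK   user=jdoe role=ADMIN src=10.20.0.15
2026-05-08T09:45:12Z OK   user=helpdesk role=USER src=198.51.100.9
"""

# Assumption: the only network from which admin access is authorized.
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]
LINE_RE = re.compile(r"^(\S+) (OK|FAIL)\s+user=(\S+) role=(\S+) src=(\S+)$")


def parse(log_text):
    """Parse the constructed log format into event dicts; skip unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, role, src = m.groups()
            events.append({"ts": ts, "ok": result == "OK", "user": user,
                           "role": role, "src": ipaddress.ip_address(src)})
    return events


def findings(events, fail_threshold=2):
    """Return (user, src, reason) for admin logins that warrant review.

    Two checks reflect the remediation advice: an admin login from outside
    the authorized ranges, and a successful admin login that follows a burst
    of failures from the same user/source (possible credential guessing).
    """
    out = []
    fails = defaultdict(int)
    for e in events:
        if e["role"] != "ADMIN":
            continue
        key = (e["user"], str(e["src"]))
        if not e["ok"]:
            fails[key] += 1
            continue
        if not any(e["src"] in net for net in ALLOWED_ADMIN_NETS):
            out.append((e["user"], str(e["src"]), "admin login from outside allowed ranges"))
        if fails[key] >= fail_threshold:
            out.append((e["user"], str(e["src"]), f"success after {fails[key]} failures"))
        fails[key] = 0
    return out
```

Each finding is a triage lead, not proof of compromise; confirm against the session and device-management actions that followed the login.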

The challenges surrounding Ivanti products have evolved from technical defects to broader operational and management risks. When an endpoint management vendor releases patches for RCE and credential theft in the same cycle as a confirmed active zero-day, the focus shifts from individual flaws to the resilience of the entire process. Organizations can no longer treat these updates as routine maintenance; patch management must be prioritized alongside credential rotation and network segmentation. As long as the time-to-exploit remains shorter than the time-to-patch, security rests entirely on the speed of internal response teams.

Frequently Asked Questions

Do the May 13, 2026, patches resolve the EPMM zero-day (CVE-2026-6973)?

This is not confirmed by available sources. The May batch advisory focuses on EPM, Secure Access, vTM, and Xtraction, while CVE-2026-6973 was disclosed on May 7 as a separate zero-day.

Does CVE-2026-8109 allow for remote code execution?

No. Based on available analysis, the vulnerability in the RemoteControlAuth module allows for authentication bypass and the disclosure of stored credentials, but not direct code execution.

Is there an attribution for the attacks exploiting CVE-2026-6973?

No specific attribution has been provided for the exploitation of this vulnerability. Ivanti confirmed limited exploitation without identifying specific threat actors.

Information verified against cited sources and current as of the time of publication.