Ivanti has published a security advisory for CVE-2026-6973, a remote code execution vulnerability in Ivanti Endpoint Manager Mobile (EPMM) — the mobile device management platform formerly known as MobileIron Core. CISA added CVE-2026-6973 to the Known Exploited Vulnerabilities catalogue on 7 May 2026, following confirmation of limited exploitation in the wild. Federal Civilian Executive Branch agencies must remediate by the applicable KEV deadline.
Vulnerability Details
CVE-2026-6973 affects EPMM’s administrator API interface. An authenticated attacker with administrator-level access to the EPMM management console can exploit a server-side code injection vulnerability to execute arbitrary commands on the underlying operating system with the privileges of the EPMM service account. The CVSS score is 7.2, reflecting the authentication requirement.
While the CVSS score is moderate, the practical exploitation risk is elevated by EPMM’s history and the profile of exploitation activity confirmed by CISA. Ivanti EPMM has experienced multiple critical vulnerabilities that were exploited by sophisticated threat actors targeting government and critical infrastructure:
- CVE-2023-35078 (2023): Authentication bypass affecting Norwegian government systems, exploited before patch availability
- CVE-2026-1281 and CVE-2026-1340 (2026): Authentication bypass chain disclosed earlier this year and included in the EPMM advisory series
The pattern of sustained adversarial interest in EPMM warrants treating CVE-2026-6973 as high priority regardless of the CVSS score.
Affected Versions
EPMM versions prior to:
- 12.6.1.1
- 12.7.0.1
- 12.8.0.1
Note: Ivanti’s advisory bundle also includes CVE-2026-6974 (medium severity, information disclosure) and CVE-2026-6975 (medium severity, SSRF). Apply the full patch to resolve all three.
Remediation
Apply the patch by upgrading to the applicable fixed version via the standard EPMM upgrade procedure. Ivanti’s upgrade documentation is available on the Ivanti customer portal.
Log review: Following patch application, review EPMM administrator API logs for the period prior to patching. Look for:
- Authentication events from unexpected IP addresses or geographic locations
- API calls to endpoint management functions (device enrollment, profile deployment, application management) at unusual times or from unexpected administrator accounts
- Any configuration changes to EPMM security settings or administrator account permissions
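The three review criteria above can be applied mechanically once the administrator API logs are exported. The following is an added example, not code from Ivanti or from the original article; it assumes the logs have been normalised into a hypothetical CSV with the fields time, admin, src_ip and action (not EPMM's native log format), and the baseline ranges, accounts, hours and action names are constructed placeholders.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Site-specific baselines (assumed values; replace with your own).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]   # management ranges
KNOWN_ADMINS = {"alice.admin", "bob.admin"}           # expected admin accounts
WORK_HOURS = range(7, 19)                             # 07:00-18:59 UTC
ENDPOINT_MGMT = {"device_enroll", "profile_deploy", "app_manage"}
CONFIG_CHANGE = {"security_setting_change", "admin_role_change"}

# Constructed sample in a hypothetical normalised export, not EPMM's native log format.
SAMPLE = """\
time,admin,src_ip,action
2026-05-02T09:14:00+00:00,alice.admin,10.20.0.15,login
2026-05-03T02:41:00+00:00,alice.admin,203.0.113.77,login
2026-05-03T02:44:00+00:00,alice.admin,203.0.113.77,profile_deploy
2026-05-03T10:05:00+00:00,svc-temp,10.20.0.22,device_enroll
2026-05-03T10:09:00+00:00,bob.admin,10.20.0.30,admin_role_change
2026-05-04T11:00:00+00:00,bob.admin,10.20.0.30,app_manage
"""

def triage(csv_text):
    """Return (row, reasons) for every record matching a review criterion."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["time"])
        ip = ipaddress.ip_address(row["src_ip"])
        reasons = []
        # Any event, authentication included, from outside the management ranges.
        if not any(ip in net for net in MGMT_NETS):
            reasons.append("source outside management ranges")
        # Endpoint management calls at unusual times or by unexpected accounts.
        if row["action"] in ENDPOINT_MGMT:
            if ts.hour not in WORK_HOURS:
                reasons.append("endpoint management call outside working hours")
            if row["admin"] not in KNOWN_ADMINS:
                reasons.append("unexpected administrator account")
        # Changes to security settings or administrator permissions.
        if row["action"] in CONFIG_CHANGE:
            reasons.append("security or permission configuration change")
        if reasons:
            findings.append((row, reasons))
    return findings

if __name__ == "__main__":
    for row, reasons in triage(SAMPLE):
        print(row["time"], row["admin"], row["src_ip"], row["action"], "->", "; ".join(reasons))
```

Each finding is a lead for manual review rather than proof of compromise; correlate flagged administrator sessions with the surrounding authentication and change records.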
MFA on EPMM administrator access: If EPMM administrator access is not protected by MFA, configure it. The authentication requirement for CVE-2026-6973 means that any attacker exploiting this vulnerability first needs valid EPMM administrator credentials — MFA significantly raises the bar for that first step.
Network access restriction: EPMM’s administrator management interface should not be directly internet-accessible. Restrict access to management network IP ranges or require VPN for administrator access. Only the device enrollment and MDM communication endpoints need external accessibility.
EPMM’s Ongoing Vulnerability Pattern
CVE-2026-6973 is the fourth significant EPMM vulnerability to be actively exploited since 2023. The platform’s sustained presence in CISA KEV — and the consistent pattern of exploitation by nation-state actors targeting government deployments — makes EPMM one of the highest-priority patching obligations for any government agency or government-adjacent organisation that has it deployed.
Organisations that have not yet evaluated whether EPMM can be replaced with an alternative MDM platform that attracts less active adversarial targeting should consider doing so as part of their long-term security architecture planning.