Ivanti disclosed five new vulnerabilities in Endpoint Manager Mobile (EPMM) on May 6, one of which — CVE-2026-6973 — was already being exploited as a zero-day against a “very limited number of customers.” CISA added the bug to its Known Exploited Vulnerabilities catalog the next day and ordered Federal Civilian Executive Branch agencies to patch by May 10, 2026. That deadline expired yesterday. If your EPMM appliance is still on a vulnerable release, you are now operating past CISA’s compliance window with an actively weaponized RCE chain in your fleet management plane.

What the bug is

CVE-2026-6973 is an improper input validation flaw (CWE-20) in EPMM that lets a remotely authenticated user with administrative access execute arbitrary code on the appliance. CVSS is 7.2, which understates the operational damage: EPMM is the device-management brain for an enterprise’s mobile fleet, sitting at the trust boundary between corporate identity (typically AD/Entra) and tens of thousands of managed iOS and Android endpoints. Code execution on EPMM means code execution on the system that pushes policy, certificates, VPN profiles, and configuration payloads to every phone and tablet in the organization.

Ivanti’s bulletin discloses four sibling CVEs patched in the same release:

  • CVE-2026-5786 (CVSS 8.8) — improper access control granting administrative escalation to an authenticated remote attacker
  • CVE-2026-5787 and CVE-2026-5788 — additional access control and input handling flaws
  • CVE-2026-7821 (CVSS 7.4) — improper certificate validation allowing an unauthenticated attacker to enroll a device against a restricted-set EPMM appliance, leaking appliance metadata and forging device identity

Chained together, CVE-2026-7821 plus CVE-2026-5786 give an unauthenticated attacker a plausible path into the admin context that CVE-2026-6973 then turns into code execution. Ivanti says it has only seen 6973 exploited so far, but the other bugs in the set are now well-documented prerequisites for a full unauthenticated chain — expect public PoCs within days.

Affected versions

The vulnerability is in the on-premises EPMM product only:

  • All versions before 12.6.1.1
  • All versions before 12.7.0.1
  • All versions before 12.8.0.1

Not affected: Ivanti Neurons for MDM (the cloud-hosted SaaS product), Ivanti EPM (the unrelated PC management product), Ivanti Sentry, and other Ivanti products. If you don’t operate the on-premises appliance, you are not in scope for this bulletin.

Exploitation in the wild

Ivanti has not attributed the limited exploitation to a known actor or named a campaign, and has not publicly stated whether the observed attacks succeeded or what the attackers were after. Ivanti EPMM appliances have a long history as a target — CVE-2026-1281 and CVE-2026-1340 earlier this year, and the MobileIron Core lineage going back to CVE-2023-35078 — and have repeatedly been used as initial-access footholds by Chinese APTs and ransomware affiliates. The MDM control plane is a high-value target precisely because it sits below the endpoint and outside most EDR coverage.

If you have an EPMM web admin interface reachable from the public internet, treat it as a presumed-compromise candidate. CVE-2026-6973 requires authenticated admin access, but admin credentials for EPMM are routinely targeted by infostealers and adversary-in-the-middle phishing kits.

What to do right now

Patch to one of the fixed versions immediately:

  • 12.6.1.1 (12.6.x branch)
  • 12.7.0.1 (12.7.x branch)
  • 12.8.0.1 (12.8.x branch)
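The "all versions before X" wording above is easy to misread across branches (a 12.5.x appliance has no in-branch fix at all, while a 12.6.2 build is newer than 12.6.1.1 and therefore out of scope). The following is an added example, not Ivanti tooling, that turns the affected and fixed lists into a fleet triage: the three fixed releases come from the bulletin, while the per-branch reading of "before", the `parse_version`/`assess`/`triage` helpers and the sample inventory are assumptions made here.

```python
"""Fleet triage against the EPMM release lines named in the bulletin.

Added example, not Ivanti tooling. The fixed releases come from the bulletin;
how to read "all versions before X" per branch, and the sample inventory, are
assumptions made here.
"""
from dataclasses import dataclass

# Fixed release for each affected branch, as published by Ivanti.
FIXED_RELEASES = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
OLDEST_FIXED = min(FIXED_RELEASES.values())
NEWEST_FIXED = max(FIXED_RELEASES.values())


def parse_version(text):
    """Turn '12.6.1' into (12, 6, 1, 0); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised EPMM version string: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def fmt(v):
    return ".".join(str(n) for n in v)


@dataclass(frozen=True)
class Verdict:
    version: str
    vulnerable: bool
    target: str  # release the host should be moved to


def assess(version_text):
    """Decide whether one appliance version is in scope for CVE-2026-6973."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_RELEASES:
        # Within a listed branch, anything older than that branch's fix is vulnerable.
        fixed = FIXED_RELEASES[branch]
        return Verdict(version_text, v < fixed, fmt(fixed))
    if v >= NEWEST_FIXED:
        # A branch newer than 12.8 is not "before 12.8.0.1", so it is out of scope.
        return Verdict(version_text, False, fmt(NEWEST_FIXED))
    # Older branches (12.5.x, 11.x, ...) have no in-branch fix listed, so every
    # release there is vulnerable and the upgrade target is the oldest fixed line.
    return Verdict(version_text, True, fmt(OLDEST_FIXED))


def triage(inventory):
    """Map hostname -> version string to the sorted list of hosts still needing a patch."""
    verdicts = {host: assess(ver) for host, ver in inventory.items()}
    return sorted(((h, v) for h, v in verdicts.items() if v.vulnerable), key=lambda hv: hv[0])


# Constructed inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "epmm-nyc-01": "12.6.0.3",
    "epmm-nyc-02": "12.6.1.1",
    "epmm-lon-01": "12.7.0.0",
    "epmm-sgp-01": "12.8.0.1",
    "epmm-lab-01": "12.5.2.0",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host}: {verdict.version} is vulnerable, upgrade to {verdict.target}")
```

Feed it the version strings from your own CMDB or from each appliance's admin portal; the verdict for an appliance on an unlisted older branch is "vulnerable, move to 12.6.1.1", because the bulletin names no fix below the 12.6 line.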

If you cannot patch in the next 24 hours, restrict access to the admin portal to your management VLAN or VPN only, enforce MFA on all admin accounts (Ivanti supports SAML/OIDC), and review the appliance’s admin audit log for any unfamiliar sessions or API calls in the past three weeks. Look for unexpected admin/rest/api calls, command shell invocations from the appliance, and any new local admin accounts.
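The audit-log review described above boils down to four checks over a three-week window: admin sessions arriving from outside the management network, REST API calls by accounts that do not normally script the appliance, admin accounts that are not in your baseline, and admin account creation events. The block below is an added example, not Ivanti code; EPMM's real audit log format is not on the page, so the JSON-lines records, their field names, the network ranges and the account names are all constructed, and `review` is a helper written here.

```python
"""Review of EPMM admin audit events for the indicators named in the bulletin.

Added example, not Ivanti code. EPMM's real audit log format is not shown on the
page; the JSON-lines records, field names, network ranges and account names below
are all constructed for the example.
"""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Assumed: where admin sessions are allowed to originate (management VLAN, VPN pool).
MANAGEMENT_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.99.0.0/16")]
# Assumed baseline of admin accounts, and which of them legitimately drive the REST API.
KNOWN_ADMINS = {"mdm-admin", "svc-mdm-sync"}
EXPECTED_API_CALLERS = {"svc-mdm-sync"}
# Reference time for the three-week lookback (the day after the CISA deadline).
REFERENCE_NOW = datetime(2026, 5, 11, tzinfo=timezone.utc)

# Constructed audit records; 203.0.113.0/24 is a documentation range, not a real source.
SAMPLE_LOG = """\
{"ts": "2026-05-04T09:12:03Z", "user": "mdm-admin", "src": "10.20.0.15", "action": "login", "path": "/login"}
{"ts": "2026-05-05T02:41:19Z", "user": "mdm-admin", "src": "203.0.113.77", "action": "login", "path": "/login"}
{"ts": "2026-05-05T02:42:08Z", "user": "mdm-admin", "src": "203.0.113.77", "action": "api_call", "path": "/admin/rest/api/v2/admins"}
{"ts": "2026-05-05T02:43:30Z", "user": "mdm-admin", "src": "203.0.113.77", "action": "admin_create", "path": "/admin/rest/api/v2/admins", "target": "helpdesk2"}
{"ts": "2026-04-10T11:00:00Z", "user": "svc-mdm-sync", "src": "10.99.4.2", "action": "api_call", "path": "/admin/rest/api/v2/devices"}
{"ts": "2026-05-08T14:20:45Z", "user": "helpdesk2", "src": "10.20.0.15", "action": "login", "path": "/login"}
"""


def parse_event(line):
    """Decode one JSON record and attach typed timestamp and address fields."""
    ev = json.loads(line)
    ev["when"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["addr"] = ipaddress.ip_address(ev["src"])
    return ev


def review(log_text, now=REFERENCE_NOW, lookback=timedelta(weeks=3)):
    """Return (timestamp, user, reason) for every event that matches an indicator."""
    since = now - lookback
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["when"] < since:
            continue  # outside the review window
        reasons = []
        if not any(ev["addr"] in net for net in MANAGEMENT_NETS):
            reasons.append("admin session from outside the management network")
        if ev["action"] == "admin_create":
            reasons.append(f"new local admin account created: {ev.get('target')}")
        if ev["user"] not in KNOWN_ADMINS:
            reasons.append("activity by an admin account not in the baseline")
        if ev["action"] == "api_call" and ev["user"] not in EXPECTED_API_CALLERS:
            reasons.append("admin/rest/api call by an account that does not normally use the API")
        findings.extend((ev["ts"], ev["user"], r) for r in reasons)
    return findings


if __name__ == "__main__":
    for ts, user, reason in review(SAMPLE_LOG):
        print(f"{ts} {user}: {reason}")
```

In the constructed sample the interesting pattern is the sequence, not any single line: an admin login from outside the management network, followed within minutes by a REST call to the admins endpoint and the creation of a new admin account, which then logs in from inside the network days later. Replace the constants with your own management ranges and admin baseline, and map the field names to whatever your EPMM export actually produces.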

Federal agencies that missed the May 10 deadline should be reporting status to CISA under BOD 22-01. Private-sector orgs subject to FedRAMP, StateRAMP, or DoD CMMC obligations should expect their assessors to ask for evidence that EPMM was patched within the KEV window.
