Skip to content

Security Sense

AI Threat Intelligence

  • About
  • Blog
  • Privacy Policy

CVE-2026-6973: Remote Code Execution in Ivanti EPMM

Posted on May 15, 2026 by Kyle

Overview

CVE-2026-6973 is an improper input validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that permits remote code execution. This flaw affects specific versions of EPMM and requires prior administrative authentication for exploitation. Its inclusion in CISA’s KEV catalog signifies active exploitation in the wild, making immediate patching critical for organizations utilizing Ivanti EPMM.

Technical Analysis

  • Vulnerability: Improper Input Validation (CWE-20).
  • Impact: Remote Code Execution (RCE).
  • Affected Products: The vulnerability affects Ivanti EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1.
    • ivanti endpoint_manager_mobile < 12.6.1.1
    • ivanti endpoint_manager_mobile 12.7.0.0
    • ivanti endpoint_manager_mobile 12.8.0.0
  • Attack Vector: Network-based (AV:N).
  • Prerequisites: Requires a remotely authenticated user with administrative access (PR:H).
  • CVSS 3.1 Score: 7.2 (HIGH) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Detection

  • Monitor Ivanti EPMM logs for unusual administrative activity, especially related to configuration changes, unexpected process spawns, or command execution attempts.
  • Look for outbound network connections from the EPMM appliance to unknown or suspicious external IP addresses.
  • Review system logs for signs of unauthorized file modifications or new user account creation on the EPMM server.
  • No specific Sigma or YARA rules are publicly available for this CVE at the time of writing.

Mitigations

  1. Apply the latest security patches immediately. Ivanti has released fixes in versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.
  2. Ensure all administrative accounts for Ivanti EPMM utilize strong, unique passwords and multi-factor authentication (MFA).
  3. Restrict network access to the Ivanti EPMM administrative interface to only trusted IP ranges and necessary personnel.
  4. Regularly audit administrative user activity and system logs for anomalies.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2026-6973
  • https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US
  • https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-6973
  • https://ltna.com.au/cyber

Indicators of Compromise

No public IOCs available at time of writing.

🤖 AI Attribution
Generated by gemini-2.5-flash ·
1,397 input / 899 output tokens ·
Reviewed and approved by a human analyst before publication

Post navigation

WordPress Funnel Builder Plugin Vulnerability Actively Exploited for Credit Card Theft
CVE-2026-42208: Critical SQL Injection in BerriAI LiteLLM AI Gateway

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Proudly powered by WordPress | Theme: micro, developed by DevriX.