Ivanti EPMM Zero-Day CVE-2026-6973 Enables Admin-Level Remote Code Execution
Ivanti EPMM is back in the attacker spotlight, and this time the issue is not theoretical.
A newly patched vulnerability in Ivanti Endpoint Manager Mobile allows remote code execution when the attacker already has administrative access. That sounds narrower than an unauthenticated zero-day — but in the Ivanti ecosystem, where stolen credentials and prior exploitation have repeatedly shaped real intrusions, admin-only does not mean low-risk.
What Happened
Ivanti has released security updates for Ivanti Endpoint Manager Mobile, also known as EPMM, addressing multiple high-severity vulnerabilities in the on-premises product.
The most urgent issue is CVE-2026-6973, an improper input validation vulnerability that affects Ivanti EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1. Successful exploitation allows a remotely authenticated user with administrative access to achieve remote code execution on the targeted appliance.
The flaw carries a CVSS 3.1 score of 7.2, with the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. In plain terms: it is network reachable, has low attack complexity, requires no user interaction, needs high (administrative) privileges, and once an attacker holds that privileged access it can result in full confidentiality, integrity, and availability impact.
Limited Exploitation Has Already Been Observed
Ivanti says it is aware of a very limited number of customers whose EPMM instances were exploited via CVE-2026-6973. The company has not reported exploitation of the other EPMM vulnerabilities disclosed in the same May 2026 advisory.
That distinction matters, but it should not create comfort. EPMM sits close to mobile device identity, enrollment, certificates, policy enforcement, and enterprise access flows. A compromised EPMM server is not just another application server; it can become a control point inside the organization’s mobile management layer.
The Centre for Cybersecurity Belgium also warned that successful exploitation could lead to data breaches, system compromise, and operational downtime affecting confidentiality, integrity, and availability.
The Credential Angle Is the Real Story
CVE-2026-6973 requires administrative authentication. Normally, that would reduce urgency compared with unauthenticated remote code execution. In this case, the surrounding context is what changes the risk calculation.
Ivanti has indicated it has a high degree of confidence that administrative credentials used in exploitation came from previous exploitation of CVE-2026-1340, one of the critical EPMM code injection vulnerabilities disclosed in January 2026.
That turns CVE-2026-6973 into a post-compromise weapon. Attackers who already harvested credentials from earlier EPMM intrusions may be able to return, authenticate, and execute code unless organizations patched, investigated, and rotated credentials properly after the January incidents.
Other Vulnerabilities Patched in the Same Update
The May 2026 EPMM update also fixes four additional high-severity issues affecting versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1.
CVE-2026-5786 is an improper access control vulnerability that could allow a remote authenticated attacker to gain administrative access. It has a CVSS score of 8.8.
CVE-2026-5787 is an improper certificate validation issue that could allow a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates. It has a CVSS score of 8.9.
CVE-2026-5788 is an improper access control vulnerability that could allow a remote unauthenticated attacker to invoke arbitrary methods. It has a CVSS score of 7.0.
CVE-2026-7821 is an improper certificate validation vulnerability that affects environments using Apple Device Enrollment. It could allow a remote unauthenticated attacker to unenroll a restricted device and expose information about the EPMM appliance. It has a CVSS score of 7.4.
Affected Products
The issue affects on-premises Ivanti Endpoint Manager Mobile deployments running vulnerable versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1.
Ivanti says the vulnerabilities are not present in Ivanti Neurons for MDM, the company’s cloud-based unified endpoint management platform. The company also says the issues do not affect Ivanti Endpoint Manager, Ivanti Sentry, or other Ivanti products.
Why Defenders Should Care
The main risk is not only the bug itself. It is the sequence.
Ivanti EPMM has already faced critical exploitation this year, including CVE-2026-1281 and CVE-2026-1340, both code injection flaws that allowed unauthenticated remote code execution and were added to CISA’s Known Exploited Vulnerabilities catalog in January 2026.
That history makes credential hygiene central. An organization may have patched the January vulnerabilities but still remain exposed if attacker-created accounts, stolen admin credentials, web shells, altered configurations, or persistence mechanisms were missed during incident response.
For security teams, this is a reminder that patching an exploited edge-management product is only the first move. The second move is proving the appliance was not already turned into an access broker.
Recommended Action
Organizations running on-prem Ivanti EPMM should upgrade to 12.6.1.1, 12.7.0.1, or 12.8.0.1 as applicable.
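Because the fix lands in three separate branches, a naive comparison against the highest fixed build (12.8.0.1) would wrongly flag a patched 12.7.0.1 host as vulnerable. The following added example (not Ivanti's code) does branch-aware triage of an EPMM inventory against the fixed builds named in this update; hostnames and versions in the sample inventory are constructed, and treating branches older than 12.6 as needing an upgrade is an assumption, since the advisory lists no fixed build for them.

```python
# Added example: branch-aware version triage for on-prem EPMM against the
# fixed builds in the May 2026 update. Not from Ivanti or the advisory.
FIXED_BUILDS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}

def parse_version(text):
    # "12.7.0.1" -> (12, 7, 0, 1); missing trailing components count as 0
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(version_text):
    """Return 'patched', 'vulnerable' or 'unlisted' for one EPMM version."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_BUILDS:
        # Compare only within the host's own branch, never across branches
        return "patched" if v >= FIXED_BUILDS[branch] else "vulnerable"
    if branch < min(FIXED_BUILDS):
        # Assumption: branches older than 12.6 have no fixed build in the
        # advisory, so they are reported as needing an upgrade.
        return "vulnerable"
    return "unlisted"  # newer than anything in the advisory; check Ivanti's notes

def triage_inventory(inventory):
    """inventory: list of (hostname, version) -> dict of hostname -> status."""
    return {host: triage(ver) for host, ver in inventory}

# Constructed sample inventory (hostnames and versions are made up)
SAMPLE = [
    ("epmm-prod-01", "12.6.1.1"),
    ("epmm-prod-02", "12.6.1.0"),
    ("epmm-dr-01", "12.7.0.1"),
    ("epmm-lab-01", "12.8.0.0"),
    ("epmm-legacy", "12.5.0.2"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:14} {status}")
```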
Administrators should also review all accounts with administrative rights, rotate credentials where necessary, and treat any EPMM system previously exposed to CVE-2026-1281 or CVE-2026-1340 as higher risk until logs, accounts, certificates, and configuration changes have been reviewed.
Security teams should monitor for suspicious administrative activity, unexpected method invocation, unauthorized certificate activity, unusual device enrollment behavior, changes to Sentry-related trust relationships, and any signs of web-layer persistence on the appliance.
NeuraCyb's Assessment
CVE-2026-6973 is dangerous because it fits into a larger Ivanti intrusion pattern: exploit the edge system, steal or reuse privileged access, then return through a narrower but still powerful path. Defenders should not treat this as an isolated admin-only RCE. They should treat it as a test of whether earlier Ivanti exposure was fully contained — because attackers often remember old credentials longer than organizations remember old incidents.
References
Ivanti: May 2026 Security Advisory for Endpoint Manager Mobile
Centre for Cybersecurity Belgium: Authenticated RCE Vulnerability in Ivanti EPMM Exploited
BleepingComputer: Ivanti Warns of New EPMM Flaw Exploited in Zero-Day Attacks