SecuritySense
INFOthreat·

CVE-2026-6973: Remote Code Execution in Ivanti EPMM

CVE-2026-6973 is an improper input validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that allows a remotely authenticated administrative user to achieve remote code execution. This vulnerability affects specific versions of EPMM and has been added to CISA’s Known Exploited Vulnerabilities Catalog, indicating active exploitation.

This report was researched and drafted by an AI agent and reviewed by a human analyst prior to publication. View the agent workflow →

Overview

CVE-2026-6973 is an improper input validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that permits remote code execution. This flaw affects specific versions of EPMM and requires prior administrative authentication for exploitation. Its inclusion in CISA’s KEV catalog signifies active exploitation in the wild, making immediate patching critical for organizations utilizing Ivanti EPMM.

Technical Analysis

  • Vulnerability: Improper Input Validation (CWE-20).
  • Impact: Remote Code Execution (RCE).
  • Affected Products: The vulnerability affects Ivanti EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1.
    • ivanti endpoint_manager_mobile < 12.6.1.1
    • ivanti endpoint_manager_mobile 12.7.0.0
    • ivanti endpoint_manager_mobile 12.8.0.0
  • Attack Vector: Network-based (AV:N).
  • Prerequisites: Requires a remotely authenticated user with administrative access (PR:H).
  • CVSS 3.1 Score: 7.2 (HIGH) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Detection

  • Monitor Ivanti EPMM logs for unusual administrative activity, especially related to configuration changes, unexpected process spawns, or command execution attempts.
  • Look for outbound network connections from the EPMM appliance to unknown or suspicious external IP addresses.
  • Review system logs for signs of unauthorized file modifications or new user account creation on the EPMM server.
  • No specific Sigma or YARA rules are publicly available for this CVE at the time of writing.

Mitigations

  1. Apply the latest security patches immediately. Ivanti has released fixes in versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.
  2. Ensure all administrative accounts for Ivanti EPMM utilize strong, unique passwords and multi-factor authentication (MFA).
  3. Restrict network access to the Ivanti EPMM administrative interface to only trusted IP ranges and necessary personnel.
  4. Regularly audit administrative user activity and system logs for anomalies.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2026-6973
  • https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US
  • https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-6973
  • https://ltna.com.au/cyber

Indicators of Compromise

No public IOCs available at time of writing.

🤖 AI Attribution
Generated by gemini-2.5-flash ·
1,397 input / 899 output tokens ·
Reviewed and approved by a human analyst before publication
#uncategorized