CISA adds CVE-2026-6973 | Ivanti EPMM Authenticated RCE to KEV Catalog


Overview

CISA has added CVE-2026-6973 to the Known Exploited Vulnerabilities catalog, giving federal civilian agencies until May 10, 2026 to remediate the flaw. The vulnerability is an improper input validation flaw in Ivanti Endpoint Manager Mobile (EPMM) on-premises deployments that has been exploited in the wild.

Technical Details

CVE-2026-6973 carries a CVSS score of 7.2 and enables a remote, authenticated user with administrative privileges to execute arbitrary code. Affected versions include EPMM prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1.

The issues only affect the on-premises EPMM product and are not present in Ivanti Neurons for MDM (cloud-based), Ivanti EPM, Ivanti Sentry, or any other Ivanti products.

Exploitation Status

Ivanti confirmed a “very limited number of customers” have been affected. Successful exploitation requires admin authentication. As of May 7, 2026, Shadowserver tracked over 800 internet-exposed Ivanti EPMM instances online, with the majority concentrated in Europe and North America.

Ivanti’s Advisory Note on Prior CVEs

CVE-2026-1281 and CVE-2026-1340 are two earlier critical vulnerabilities in Ivanti EPMM (both CVSS 9.8) that could enable unauthenticated RCE. CVE-2026-1281 was added to KEV on January 29, 2026, and CVE-2026-1340 on April 8. Ivanti notes that customers who rotated credentials following those exploits face significantly reduced risk from CVE-2026-6973.

Affected Versions

  • Ivanti EPMM (on-prem) < 12.6.1.1
  • Ivanti EPMM (on-prem) < 12.7.0.1
  • Ivanti EPMM (on-prem) < 12.8.0.1

Remediation

  • Upgrade to patched versions: 12.6.1.1, 12.7.0.1, or 12.8.0.1
  • Run Ivanti’s Exploitation Detection RPM package to scan for known indicators
  • Rotate admin credentials — especially if previously impacted by CVE-2026-1281 or CVE-2026-1340
  • Restrict admin panel exposure; audit internet-facing EPMM instances immediately

FCEB Deadline: May 10, 2026 (BOD 22-01)
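
A branch-aware version check for triaging an EPMM inventory against the fixed releases listed above, as an added example that is not code from Ivanti or CISA. It assumes version strings are dotted numbers such as 12.7.0.0; the hostnames are constructed, and branches the advisory does not name are reported as unknown rather than guessed.

```python
# Added example: fixed releases per branch, taken from the advisory text above.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}


def parse_version(text):
    """Parse a dotted numeric version into a 4-tuple (string format is an assumption)."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def triage(version_text):
    """Return 'affected', 'patched' or 'unknown' for one EPMM version."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED:
        # Compare numerically within the branch: 12.6.10.0 is newer than 12.6.1.1.
        return "patched" if version >= FIXED[branch] else "affected"
    if branch < min(FIXED):
        return "affected"  # older than every fixed release, e.g. 12.5.x
    return "unknown"  # branch not named in the advisory; check with the vendor


def triage_inventory(inventory):
    """Map {host: version} to sorted (status, host, version) rows, affected first."""
    order = {"affected": 0, "unknown": 1, "patched": 2}
    rows = [(triage(ver), host, ver) for host, ver in inventory.items()]
    return sorted(rows, key=lambda row: (order[row[0]], row[1]))


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are sample values.
    sample = {
        "epmm-eu-01.example.internal": "12.6.1.1",
        "epmm-us-01.example.internal": "12.7.0.0",
        "epmm-us-02.example.internal": "12.5.0.3",
        "epmm-lab.example.internal": "12.9.0.0",
    }
    for status, host, ver in triage_inventory(sample):
        print(f"{status:8}  {host:30}  {ver}")
```

Comparing per branch matters here: a single "less than 12.8.0.1" test would flag a patched 12.6.1.1 server as affected.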
