Full Report
CISA has given U.S. federal agencies four days to secure their networks against a high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) exploited in zero-day attacks. [...]
Analysis Summary
# Vulnerability: Ivanti EPMM Remote Code Execution (RCE)
## CVE Details
- **CVE ID:** CVE-2026-6973
- **CVSS Score:** High severity (no numerical score is given in the source text).
- **CWE:** Not specified (the flaw is an authenticated remote code execution).
## Affected Systems
- **Products:** Ivanti Endpoint Manager Mobile (EPMM) - formerly MobileIron Core.
- **Versions:** 12.8.0.0 and earlier.
- **Configurations:** On-premises installations only. Cloud-based solutions (Ivanti Neurons for MDM), Ivanti EPM (Endpoint Manager), Ivanti Sentry, and other Ivanti products are **not** affected.
## Vulnerability Description
CVE-2026-6973 is a high-severity security flaw that allows an attacker with administrative privileges to execute arbitrary code remotely on the affected EPMM appliance. While the vulnerability requires authentication, the ability to achieve full system compromise through RCE makes it a critical priority for administrators.
## Exploitation
- **Status:** Exploited in the wild (Limited zero-day attacks reported).
- **Complexity:** Medium (Requires valid administrative credentials).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Full access to system data).
- **Integrity:** High (Ability to execute arbitrary code and modify system configurations).
- **Availability:** High (Potential for complete system takeover or disruption).
## Remediation
### Patches
Ivanti has released security updates to address this flaw. Administrators should upgrade to the following versions:
- **Ivanti EPMM 12.6.1.1**
- **Ivanti EPMM 12.7.0.1**
- **Ivanti EPMM 12.8.0.1**
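The affected range ("12.8.0.0 and earlier") and the three branch-specific fixed releases interact in a way that is easy to get wrong when checking an inventory: 12.6.1.1 is numerically "earlier" than 12.8.0.0 yet is patched, while 12.7.0.0 is not. The following Python, added here as an example and not Ivanti's tooling, encodes exactly the fixed versions listed above and classifies a dotted EPMM version string against them. It assumes versions are plain dotted numerics as shown in the advisory; branches newer than 12.8 fall outside the stated affected range and are reported as not affected.

```python
"""Classify an Ivanti EPMM version string against the fixed releases named in
this advisory summary. Added example; assumes dotted numeric version strings."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Fixed releases from the advisory, keyed by major.minor branch.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
LATEST_FIXED: Version = (12, 8, 0, 1)
# Highest affected version per the advisory: 12.8.0.0 and earlier.
MAX_AFFECTED: Version = (12, 8, 0, 0)


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


def parse_version(text: str) -> Version:
    """Parse '12.8' or '12.8.0.0' into a 4-tuple so comparisons are positional."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    v = tuple(int(p) for p in parts)
    return v + (0,) * (4 - len(v))  # pad short strings, e.g. 12.8 -> 12.8.0.0


@dataclass
class Assessment:
    version: str
    vulnerable: bool
    recommended: Optional[str]  # release to upgrade to; None if nothing is needed


def assess(text: str) -> Assessment:
    v = parse_version(text)
    # Anything above 12.8.0.0 is outside the affected range (12.8.0.1 itself,
    # or a later branch not covered by this advisory).
    if v > MAX_AFFECTED:
        return Assessment(text, False, None)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # A branch older than 12.6 has no fixed release of its own; every
        # build there sits inside "12.8.0.0 and earlier".
        return Assessment(text, True, fmt(LATEST_FIXED))
    # Within a fixed branch the branch's own patched build wins over the
    # blanket range: 12.6.1.1 is "earlier" than 12.8.0.0 but is fixed.
    if v >= fixed:
        return Assessment(text, False, None)
    return Assessment(text, True, fmt(fixed))


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for host, ver in [("mdm-a", "12.8.0.0"), ("mdm-b", "12.6.1.1"),
                      ("mdm-c", "12.7.0.0"), ("mdm-d", "12.5.2.0")]:
        a = assess(ver)
        print(f"{host}: {ver} vulnerable={a.vulnerable} upgrade_to={a.recommended}")
```

The check only answers the version question; the advisory's affected scope also requires that the appliance be an on-premises EPMM install, so pair the result with the product and deployment fields of your inventory before acting on it.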
### Workarounds
- **Credential Management:** Review all accounts with Administrative rights.
- **Credential Rotation:** Rotate credentials for all administrative accounts, especially if the organization was previously impacted by CVE-2026-1281 or CVE-2026-1340.
## Detection
- **Indicators of Compromise:** Monitor for unauthorized administrative logins and for signs of unexpected code execution on the EPMM appliance.
- **Detection methods and tools:**
  - Check Shadowserver statistics to see if your appliance is publicly exposed.
  - Audit administrative login logs for valid credentials used from unexpected IP addresses.
  - CISA has added this CVE to the Known Exploited Vulnerabilities (KEV) catalog for tracking.
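Because the flaw needs valid administrative credentials, the most direct log-based signal is a successful admin-role login from a source address the organization does not use for management. The Python below, added here as an illustration and not an Ivanti or CISA tool, runs that audit over a constructed log excerpt. The line format, the user names and the `EXPECTED_ADMIN_NETWORKS` allowlist are all assumptions for the example; EPMM's native log schema is not reproduced here.

```python
"""Flag successful administrative logins from outside the expected management
networks. Added example; the log format and network allowlist are constructed."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Set

# Networks from which admin logins are expected (assumed for the example).
EXPECTED_ADMIN_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Constructed line format: "<timestamp> <event> user=<u> role=<r> src=<ip> result=<ok|fail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample excerpt (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
2026-05-12T08:02:11Z login user=admin role=admin src=10.20.4.7 result=ok
2026-05-12T08:15:40Z login user=jdoe role=viewer src=203.0.113.9 result=ok
2026-05-12T09:31:05Z login user=admin role=admin src=198.51.100.23 result=ok
2026-05-12T09:31:50Z login user=admin role=admin src=198.51.100.23 result=fail
2026-05-12T10:00:00Z login user=svc-mdm role=admin src=203.0.113.77 result=ok
garbage line that does not parse
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_expected_source(ip_text: str) -> bool:
    """True when the address falls inside an expected management network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable source is treated as unexpected
    return any(ip in net for net in EXPECTED_ADMIN_NETWORKS)


def suspicious_admin_logins(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Successful admin-role logins whose source is outside the allowlist.

    Failed attempts are excluded on purpose: the signal of interest is a
    valid credential used from somewhere it should not be."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "login":
            continue
        if rec["role"] != "admin" or rec["result"] != "ok":
            continue
        if not is_expected_source(rec["src"]):
            findings.append(rec)
    return findings


def sources_by_user(findings: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Group flagged source addresses per account for the triage summary."""
    out: Dict[str, Set[str]] = {}
    for rec in findings:
        out.setdefault(rec["user"], set()).add(rec["src"])
    return out


if __name__ == "__main__":
    hits = suspicious_admin_logins(SAMPLE_LOG.splitlines())
    for user, srcs in sources_by_user(hits).items():
        print(f"{user}: admin login from unexpected source(s) {sorted(srcs)}")
```

Any account that appears in the output is a candidate for the credential rotation listed under Workarounds; the grouping by user is there so that rotation and follow-up review can be done per account rather than per log line.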
## References
- **Ivanti Security Advisory:** hxxps[://]hub[.]ivanti[.]com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US
- **Ivanti Blog Post:** hxxps[://]www[.]ivanti[.]com/blog/may-2026-epmm-security-update
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Shadowserver Statistics:** hxxps[://]dashboard[.]shadowserver[.]org/statistics/iot-devices/time-series/?date_range=7&vendor=ivanti&model=epmm&dataset=count&limit=100&group_by=geo&stacking=stacked