Ivanti EPMM Vulnerability Enables Remote Code Execution on Mobile Management Servers
Ivanti has warned customers about a high-severity vulnerability in Ivanti Endpoint Manager Mobile that can allow remote code execution on affected on-premises EPMM appliances.
The flaw is tracked as CVE-2026-6973 and has a CVSS 3.1 score of 7.2. It requires a remotely authenticated attacker with administrative access, but successful exploitation can give that attacker code execution on the appliance.
Ivanti said in its May 2026 EPMM Security Update that it was aware of very limited exploitation of the flaw at the time of disclosure. That makes patching more urgent for organizations running on-premises EPMM.
CVE-2026-6973 Requires Admin Authentication
CVE-2026-6973 is not a no-login vulnerability. The attacker needs administrative authentication before they can exploit it, which narrows the attack path but does not remove the risk.
The NVD entry describes the issue as improper input validation in Ivanti EPMM that can allow a remotely authenticated user with administrative access to achieve remote code execution.
This matters because management platforms often sit close to sensitive device, user, and policy data. If attackers already have stolen administrator credentials, an RCE bug in the management server can help them deepen access and maintain control.
| Item | Details |
|---|---|
| CVE | CVE-2026-6973 |
| Product | Ivanti Endpoint Manager Mobile |
| Deployment type | On-premises EPMM |
| Severity | High |
| CVSS score | 7.2 |
| Attack access | Network access with admin authentication |
| User interaction | Not required |
| Impact | Remote code execution |
Ivanti Says Exploitation Has Been Limited
The vulnerability is already more than a theoretical risk. CISA's Known Exploited Vulnerabilities catalog lists CVE-2026-6973, which means there is evidence of exploitation in the wild.
Ivanti said the exploitation it observed was very limited and required admin authentication. The company also said customers that rotated credentials after earlier January 2026 EPMM vulnerabilities reduced their risk.
That credential angle is important. Belgium's Centre for Cybersecurity Belgium said Ivanti had high confidence that the administrative credentials used in CVE-2026-6973 exploitation came from earlier exploitation of CVE-2026-1340.
Only On-Premises EPMM Is Affected
The issue affects Ivanti Endpoint Manager Mobile on-premises deployments. Ivanti says the flaws disclosed in the same EPMM update are not present in Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, or other Ivanti products.
That distinction matters because EPMM and EPM are similarly named but different products. Organizations should check the exact product and deployment model before deciding whether they are exposed.
Version details have shifted across public records as the advisory evolved. Administrators should use Ivanti's current advisory and their installed branch to confirm whether they need 12.9.0.1, 12.8.0.3, 12.7.0.2, or another supported fixed build.
Why EPMM RCE Is a High-Value Target
Endpoint Manager Mobile helps organizations manage mobile devices, applications, certificates, and security policy. That makes it attractive to attackers because compromise can affect more than one user or device.
An attacker who can execute code on an EPMM appliance may be able to alter configuration, access sensitive management data, interfere with enrolled devices, or use the server as a foothold inside the network.
The risk increases when EPMM is exposed to the internet or when administrator accounts use weak, reused, or previously compromised credentials.
Other EPMM Flaws Were Patched in the Same Update
CVE-2026-6973 was not the only issue patched in the EPMM update. Ivanti also addressed several other vulnerabilities affecting the same platform.
Those issues include improper access control and improper certificate validation bugs. Some can allow privilege escalation, unauthorized method invocation, certificate-related abuse, or information disclosure.
The CCB advisory recommends installing updates for vulnerable devices with the highest priority after appropriate testing, and it also recommends reviewing admin accounts and rotating credentials where needed.
| CVE | CVSS | Issue type | Potential impact |
|---|---|---|---|
| CVE-2026-6973 | 7.2 | Improper input validation | Authenticated admin remote code execution |
| CVE-2026-5786 | 8.8 | Improper access control | Authenticated attacker can gain administrative access |
| CVE-2026-5787 | 8.9 | Improper certificate validation | Unauthenticated attacker can impersonate registered Sentry hosts |
| CVE-2026-5788 | 7.0 | Improper access control | Unauthenticated attacker can invoke arbitrary methods |
| CVE-2026-7821 | 7.4 | Improper certificate validation | Information disclosure and device identity integrity impact |
What Administrators Should Do Now
Organizations should patch affected on-premises EPMM systems as soon as possible. Because CVE-2026-6973 requires admin credentials, security teams should also treat privileged account review as part of the response.
The KEV listing required U.S. federal civilian agencies to apply vendor instructions by May 10, 2026. Non-federal organizations should use the same urgency because exploitation has already been observed.
Ivanti also warned that time-to-exploit after disclosure has compressed, and it urged customers to apply patches promptly to protect on-premises EPMM deployments.
- Upgrade affected on-premises EPMM appliances to the fixed version for the installed branch.
- Review all EPMM administrator accounts and remove unnecessary privileges.
- Rotate admin credentials, especially if the environment was affected by earlier EPMM vulnerabilities.
- Check for unusual administrator logins, configuration changes, and unexpected server-side activity.
- Limit EPMM management access to trusted networks or VPN access where possible.
- Verify that Ivanti Neurons for MDM, Ivanti EPM, and Ivanti Sentry are not confused with EPMM during asset review.
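
An added example (not Ivanti's or this article's own code) of the asset-review and version-check steps above: it triages inventory records against the fixed builds named in this article and keeps similarly named products apart. The inventory field names, product labels and status values are assumptions, and the sample records are constructed.

```python
# Fixed builds per branch as listed in this article. Confirm against Ivanti's
# current advisory, since the article notes that version details have shifted.
FIXED_BUILDS = {"12.9": (12, 9, 0, 1), "12.8": (12, 8, 0, 3), "12.7": (12, 7, 0, 2)}

# Products the article says are not affected and that are easy to confuse with EPMM.
NOT_AFFECTED = {"ivanti neurons for mdm", "ivanti epm", "ivanti sentry"}
EPMM_NAMES = {"ivanti endpoint manager mobile", "ivanti epmm", "epmm"}  # assumed labels

# Constructed sample inventory; field names are assumptions for this example.
INVENTORY = [
    {"host": "mdm-01", "product": "Ivanti EPMM", "deployment": "on-premises", "version": "12.8.0.1"},
    {"host": "mdm-02", "product": "Ivanti EPMM", "deployment": "on-premises", "version": "12.9.0.1"},
    {"host": "mdm-03", "product": "Ivanti EPMM", "deployment": "on-premises", "version": "12.6.1.0"},
    {"host": "epm-01", "product": "Ivanti EPM", "deployment": "on-premises", "version": "2024.1"},
]


def parse_version(text):
    """Parse a dotted version into a 4-part integer tuple, padding with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def triage(asset):
    """Return (status, reason) for one inventory record."""
    product = asset["product"].strip().lower()
    if product in NOT_AFFECTED:
        return "not_affected", "different product, not EPMM"
    if product not in EPMM_NAMES:
        return "review", "unrecognized product name"
    if asset.get("deployment", "").lower() != "on-premises":
        return "review", "EPMM record without on-premises deployment"
    try:
        installed = parse_version(asset["version"])
    except (KeyError, ValueError):
        return "review", "missing or unparseable version"
    branch = f"{installed[0]}.{installed[1]}"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "review", f"branch {branch} not listed; check the current advisory"
    if installed < fixed:
        return "patch", "below fixed build " + ".".join(map(str, fixed))
    return "ok", "at or above fixed build for branch"


if __name__ == "__main__":
    for asset in INVENTORY:
        print(asset["host"], *triage(asset))
```

Records that land in `review` are the ones to resolve by hand against the current advisory, including appliances on a branch this article does not list.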
Credential Hygiene Is Part of the Fix
Patching closes the vulnerability, but credential cleanup helps close the path attackers may have used to reach it. If an attacker already has EPMM admin credentials, a software update alone may not remove all risk.
Security teams should review logs around administrator activity, check for unexplained changes to mobile management policy, and investigate any new or unexpected administrative accounts.
Organizations that run EPMM as a business-critical service should also review backup and recovery plans, since exploitation could affect availability as well as confidentiality and integrity.
FAQ
CVE-2026-6973 is a high-severity vulnerability in Ivanti Endpoint Manager Mobile. It can allow a remotely authenticated attacker with administrative access to achieve remote code execution on affected on-premises EPMM appliances.
Yes. Exploitation requires remote authentication with administrative access. The flaw is still serious because stolen or previously compromised admin credentials can give attackers a path to code execution.
Yes. Ivanti said it was aware of very limited exploitation of CVE-2026-6973, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog.
The issue affects on-premises Ivanti Endpoint Manager Mobile. Ivanti says the disclosed EPMM vulnerabilities are not present in Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, or other Ivanti products.
Administrators should update affected EPMM appliances to the fixed version for their product branch, rotate and review administrator credentials, restrict management access, and monitor for suspicious privileged activity.