CVE-2026-6973

Ivanti EPMM — Authenticated Admin RCE Chained from CVE-2026-1340 Credential Theft
CVSS 3.1: 7.2 / 10 (HIGH) | CISA Known Exploited Vulnerability

What is Ivanti EPMM?

Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, is an on-premises Mobile Device Management (MDM) platform used by enterprises and government agencies to enroll, configure, and monitor employees' mobile devices. It provides a central control plane for pushing policies, certificates, and applications to managed iOS, Android, and Windows devices.

Because EPMM sits at the intersection of identity, access, and every mobile endpoint in an organization, it is an exceptionally high-value target. A compromised EPMM server gives an attacker visibility into the full fleet of managed devices, the ability to push malicious profiles or wipe devices, and access to credentials and certificates stored within. This makes EPMM one of the most persistently targeted enterprise products — it has been the subject of multiple critical zero-days since 2023.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 7, 2026 — the same day Ivanti disclosed it — with a remediation deadline of May 10, 2026 (three days). Federal civilian agencies are required to apply mitigations under BOD 22-01.

CVE-2026-6973 is an improper input validation (CWE-20) vulnerability in the EPMM administrative API. An authenticated attacker with administrative access can submit a specially crafted request that bypasses input checks, achieving remote code execution on the underlying server. The vulnerability was confirmed exploited in the wild at the time of disclosure, described by Ivanti as affecting "a limited number of customers."

The exploitation observed in the wild was not via independently compromised admin accounts — Ivanti stated with high confidence that attackers used administrative credentials harvested from prior exploitation of CVE-2026-1340, a CVSS 9.8 pre-auth RCE zero-day disclosed in January 2026. Organizations that patched EPMM after January but did not rotate all administrative credentials remained exposed.

Affected Versions

Branch   Vulnerable through   Fixed version
12.6.x   12.6.1.0             12.6.1.1
12.7.x   12.7.0.0             12.7.0.1
12.8.x   12.8.0.0             12.8.0.1

Scope: On-premises EPMM only. Ivanti Neurons for MDM (cloud-hosted), Ivanti EPM (desktop management), and Ivanti Sentry are not affected by this specific CVE.

Ivanti reports that patches apply in seconds and cause no service downtime.

May 2026 Multi-CVE Advisory

CVE-2026-6973 was disclosed as part of a six-CVE advisory covering multiple vulnerabilities in EPMM and related Ivanti products. Two of them, CVE-2026-6973 itself and CVE-2026-5786, are particularly relevant to the attack chain observed in the wild:

CVE            Type                             CVSS  Description
CVE-2026-6973  Improper Input Validation        7.2   Exploited in the wild; authenticated admin can achieve RCE
CVE-2026-5786  Improper Access Control          8.8   Low-privileged authenticated user can escalate to administrative access
CVE-2026-5787  Improper Certificate Validation  8.9   Unauthenticated attacker can impersonate registered Sentry hosts
CVE-2026-5788  Improper Access Control          7.0   Unauthenticated attacker can invoke arbitrary server-side methods
CVE-2026-7821  Improper Certificate Validation  7.4   Unauthenticated attacker can unenroll Apple DEP-managed devices

CVE-2026-5786 is especially significant: by chaining it with CVE-2026-6973, an attacker who holds any valid EPMM user credential (not just admin) could escalate to administrative access and then execute code on the server — reducing the effective privilege bar for the RCE to low.

Technical Details

Root cause: The EPMM administrative API accepts input that is not properly sanitized or constrained before it is used in a privileged server-side operation. The specific endpoint and payload structure were not publicly disclosed by Ivanti at the time of the advisory; technical details were intentionally withheld to limit exploitation, and no public proof-of-concept was available at disclosure.

CWE-20 (Improper Input Validation) covers cases where software does not validate or incorrectly validates input in a way that causes unintended behavior. In this context, the application accepts and processes attacker-controlled data in an execution context where it can be leveraged to run arbitrary OS-level commands on the EPMM host.

CVSS breakdown:

Metric                                       Value               Meaning
Attack Vector                                Network             Exploitable over the network; no physical access required
Attack Complexity                            Low                 No special conditions, timing, or race conditions required
Privileges Required                          High                Requires admin authentication (elevated credential)
User Interaction                             None                No victim action required
Scope                                        Unchanged           Exploit stays within the EPMM application boundary
Confidentiality / Integrity / Availability   High / High / High  Full RCE impact

Discovery

No public researcher attribution has been identified. Ivanti's advisory does not include a credits section for CVE-2026-6973. The vulnerability appears to have been discovered through incident response activity following the limited exploitation, rather than via independent external researcher disclosure.

Exploitation Context

Observed Kill Chain

Ivanti stated with "a high degree of confidence" that the administrative credentials used to exploit CVE-2026-6973 were obtained through prior exploitation of CVE-2026-1340 — a CVSS 9.8 pre-authentication code injection zero-day disclosed in January 2026 that required no credentials whatsoever.

The inferred multi-stage attack chain:

  1. January 2026 (CVE-2026-1340): Attacker exploits the pre-auth Android File Transfer URL injection zero-day to gain a foothold on EPMM servers, harvesting stored admin credentials.
  2. January–May 2026: Attacker retains harvested credentials through the partial remediation wave — many organizations patched the software version but did not rotate admin passwords.
  3. May 2026 (CVE-2026-6973): Attacker uses the harvested admin credentials to authenticate to the EPMM API and submit a crafted request, achieving RCE on servers that are now running patched (against CVE-2026-1340) but still credential-compromised EPMM instances.

This pattern — using access from a previous zero-day to enable a subsequent one — reflects a sophisticated, persistent threat actor maintaining long-term footholds in MDM infrastructure.

Exposure

As of May 2026, Shadowserver tracks approximately 850+ internet-exposed EPMM instances:

  • Europe: ~508 instances
  • North America: ~182 instances

This is a decline from a peak of approximately 1,300–1,600 exposed instances during the January 2026 exploitation wave, as some organizations removed EPMM from the public internet or decommissioned it following that incident.

Prior Exploitation History

Ivanti EPMM has a documented pattern of severe exploitation:

  • 2023: CVE-2023-35078 (CVSS 10.0 pre-auth API bypass) exploited by APT groups, including in a breach of the Norwegian government; followed by CVE-2023-35081 (path traversal to web shell)
  • January 2026: CVE-2026-1281 and CVE-2026-1340 (CVSS 9.8 pre-auth RCE); Shadowserver confirmed 86+ compromised instances, Rapid7 honeypots observed exploitation from 130+ unique IPs within 24 hours; outcomes included web shell deployment, reverse shells, cryptominer installation, and data exfiltration
  • May 2026: CVE-2026-6973 (this CVE) — exploitation linked to credential theft from the January wave

Remediation

CISA BOD 22-01 Deadline: May 10, 2026. Federal civilian agencies must apply mitigations or discontinue use by this date.

  1. Patch EPMM immediately to the fixed version for your branch:
     • 12.6.x → upgrade to 12.6.1.1
     • 12.7.x → upgrade to 12.7.0.1
     • 12.8.x → upgrade to 12.8.0.1
     Per Ivanti, the patches apply in seconds and cause no service downtime.
  2. Rotate all EPMM administrative credentials. Even if you patched CVE-2026-1340 in January, credentials present on the server at the time of that exploitation may have been harvested; password rotation is mandatory to break the observed kill chain.
  3. Apply the patches for the companion CVEs in the same advisory as well, particularly CVE-2026-5786 (CVSS 8.8, low-privilege to admin escalation), which could reduce the effective barrier for exploiting CVE-2026-6973.
  4. Remove EPMM from the public internet if possible. Place it behind a VPN or zero-trust access gateway that requires strong MFA before any administrative or API access.
  5. Review the Apache access logs at /var/log/httpd/https-access_log on the EPMM host for signs of unauthorized administrative API access or anomalous request patterns.
  6. Check for indicators of compromise consistent with the outcomes of the January 2026 wave: web shells, reverse shell processes, unexpected outbound connections, cryptominer processes, or new local user accounts.
  7. If compromise is suspected, treat the EPMM server as fully compromised: rotate all certificates and credentials it stores, audit managed devices for malicious profile pushes, and engage incident response before rejoining it to production.
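For step 5, an added example (not Ivanti's tooling) that parses Apache combined-format lines from the log path named above and flags administrative API requests from sources outside an allowlist of admin hosts, while counting admin-API requests per source so unusual volumes also stand out. Assumptions: ADMIN_API_PREFIXES is a placeholder because the page does not name the affected endpoint; the allowlist addresses and the sample log lines are constructed.

```python
import re
from collections import Counter

LOG_PATH = "/var/log/httpd/https-access_log"           # path named in the remediation steps
ADMIN_API_PREFIXES = ("/api/v2/admin/",)               # ASSUMPTION: placeholder; real prefix undisclosed
ADMIN_SOURCE_ALLOWLIST = {"10.10.5.21", "10.10.5.22"}  # ASSUMPTION: your admin jump hosts

# Apache "combined" format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    match = LINE_RE.match(line.rstrip("\n"))
    return match.groupdict() if match else None


def review(lines):
    """Return (findings, per_ip): admin-API requests from non-allowlisted IPs, plus a
    per-source count of all admin-API requests for spotting unusual volumes."""
    findings, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ADMIN_API_PREFIXES):
            continue
        per_ip[rec["ip"]] += 1
        if rec["ip"] not in ADMIN_SOURCE_ALLOWLIST:
            findings.append(f'{rec["time"]} {rec["ip"]} {rec["method"]} {rec["path"]} '
                            f'-> {rec["status"]} user={rec["user"]} ua="{rec["ua"]}"')
    return findings, per_ip


# Constructed sample lines, not real EPMM output: one expected admin session, one off-hours
# admin-API call from an address outside the allowlist, one non-admin request, one unparseable line.
SAMPLE_LOG = [
    '10.10.5.21 - admin [07/May/2026:09:12:01 +0000] "GET /api/v2/admin/users HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.45 - admin [07/May/2026:03:41:17 +0000] "POST /api/v2/admin/tasks HTTP/1.1" 200 96 "-" "python-requests/2.31"',
    '10.10.5.22 - - [07/May/2026:09:13:05 +0000] "GET /some/other/page HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    "not an access log line",
]

if __name__ == "__main__":
    findings, per_ip = review(SAMPLE_LOG)   # on the EPMM host: review(open(LOG_PATH))
    for finding in findings:
        print("SUSPECT:", finding)
    print(dict(per_ip))
```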

Key Details

Property              Value
CVE ID                CVE-2026-6973
Vendor / Product      Ivanti — Endpoint Manager Mobile (EPMM)
NVD Published         2026-05-07
NVD Last Modified     2026-05-07
CVSS 3.1 Score        7.2
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-20 — Improper Input Validation
CISA KEV Added        2026-05-07
CISA KEV Deadline     2026-05-10
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  High
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2026-05-10. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2026-01-29  Ivanti discloses CVE-2026-1281 and CVE-2026-1340 (CVSS 9.8 pre-auth RCE in EPMM)
2026-04-08  CISA adds CVE-2026-1340 to KEV with a 3-day federal deadline; admin credentials from that exploitation wave are later reused to trigger CVE-2026-6973
2026-05-07  CVE-2026-6973 published; Ivanti May 2026 multi-CVE advisory released; active exploitation confirmed
2026-05-07  Added to CISA Known Exploited Vulnerabilities catalog
2026-05-10  CISA BOD 22-01 remediation deadline