Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Remote Code Execution (CVE-2026-6973)
CVE-2026-6973 is an improper input validation vulnerability (CWE-20) in Ivanti Endpoint Manager Mobile (EPMM) that allows a remotely authenticated user with administrative access to achieve remote code execution on the EPMM server. CISA added this to the Known Exploited Vulnerabilities catalog on May 7, 2026 with a mandatory remediation deadline of May 10, 2026. Ivanti released patched versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 concurrently with the advisory.
Severity Assessment
- Exploitability: 6/10
- Impact: 9/10
- Weaponization Risk: 7/10
- Patch Urgency: 9/10
- Detection Coverage: 5/10
Exploitability (6/10): Exploitation requires a remotely authenticated user with administrative-level access (CVSS PR:H). While network-accessible (AV:N) and low complexity (AC:L), the administrative credential prerequisite creates a barrier compared to pre-authentication vulnerabilities. Adversaries must first acquire or compromise valid admin credentials before triggering the flaw.
Impact (9/10): Successful exploitation yields remote code execution directly on the EPMM server with confidentiality, integrity, and availability impact (C:H/I:H/A:H). An EPMM server is MDM infrastructure that manages enrolled mobile devices fleet-wide. Compromise enables adversaries to exfiltrate device inventories, certificates, and user credentials; push malicious policies or configurations to managed devices; and pivot into any network segment accessible to managed endpoints.
Weaponization Risk (7/10): The administrative credential prerequisite slows exploitation but does not deter nation-state or advanced threat actors. Ivanti MDM products have been targeted by advanced threat actors in prior vulnerability campaigns. Once admin credentials are available, triggering the improper input validation condition is a low-complexity network operation requiring no user interaction.
Patch Urgency (9/10): CISA KEV mandatory remediation deadline for federal agencies is May 10, 2026, three days from disclosure. Ivanti EPMM manages enterprise mobile device fleets; a compromised MDM server provides adversaries with persistent reach across all enrolled endpoints. Patches are available and should be applied immediately.
Detection Coverage (5/10): Admin-initiated EPMM operations are expected behavior, making malicious input delivery indistinguishable from legitimate administrative activity without application-layer inspection. Post-exploitation artifacts on the EPMM server may be detectable through endpoint telemetry and unexpected outbound connections, but there are no publicly documented signatures or behavioral detections specific to CVE-2026-6973 exploitation at time of publication.
Summary
CVE-2026-6973 affects Ivanti Endpoint Manager Mobile (EPMM) versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. EPMM is an enterprise Mobile Device Management platform that handles device enrollment, policy enforcement, application distribution, and certificate management for mobile device fleets across organizations.
The vulnerability is an improper input validation flaw (CWE-20) in the EPMM management interface. When a remotely authenticated user with administrative access submits specially crafted input, the application fails to properly validate or sanitize it, resulting in remote code execution in the context of the EPMM server process. The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H reflects network-accessible exploitation with no user interaction required once admin credentials are available.
Affected versions:
- Ivanti EPMM: all versions before 12.6.1.1
- Ivanti EPMM: all versions before 12.7.0.1
- Ivanti EPMM: all versions before 12.8.0.1
Fixed versions:
- 12.6.1.1
- 12.7.0.1
- 12.8.0.1
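To triage a server inventory against the fixed versions listed above, the following Python script (an added example, not Ivanti tooling) encodes the per-branch fix logic: a build in the 12.6, 12.7 or 12.8 branch is affected until it reaches that branch's fixed build, and a build from any older branch, which received no fix, is affected outright. Branches newer than 12.8 are not named in the advisory and are treated here as not affected, which is an assumption; the host inventory is constructed sample data.

```python
"""Triage an EPMM inventory against the CVE-2026-6973 fixed versions.

Added example, not Ivanti tooling. The fixed builds (12.6.1.1, 12.7.0.1,
12.8.0.1) are those stated in the advisory; the inventory is constructed.
"""
from __future__ import annotations

# Fixed build per release branch, as stated in the advisory.
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, ...]] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}

# Lowest fixed build overall; any branch older than 12.6 never received a fix.
OLDEST_FIXED = min(FIXED_BY_BRANCH.values())


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.7.0.1' into (12, 7, 0, 1); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable EPMM version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """Return True when the build lacks the CVE-2026-6973 fix.

    A build in a branch that received a fix is affected until it reaches that
    branch's fixed build (tuple comparison makes '12.6.1' < '12.6.1.1').
    A build in an older branch (e.g. 12.5) is always affected. Branches newer
    than 12.8 are not listed in the advisory and are assumed not affected.
    """
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return v < fixed
    return v < OLDEST_FIXED


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split hosts into those still needing the patch and those already fixed."""
    result: dict[str, list[str]] = {"patch_required": [], "fixed": []}
    for host, version in sorted(inventory.items()):
        bucket = "patch_required" if is_affected(version) else "fixed"
        result[bucket].append(f"{host} ({version})")
    return result


# Constructed sample inventory; hostnames and versions are not real systems.
SAMPLE_INVENTORY = {
    "epmm-eu-01": "12.6.0.3",
    "epmm-eu-02": "12.6.1.1",
    "epmm-us-01": "12.7.0.0",
    "epmm-us-02": "12.7.0.1",
    "epmm-lab-01": "12.5.2.1",
    "epmm-apac-01": "12.8.0.1",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(bucket)
        for entry in hosts:
            print("  ", entry)
```

Feeding the script a real inventory export (hostname to version) yields the patch list; anything in `patch_required` should be upgraded ahead of the May 10, 2026 KEV deadline.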
Exploitation context: Active exploitation has been confirmed by CISA. Ivanti EPMM has been targeted by advanced persistent threat actors in prior vulnerability campaigns, including CVE-2023-35078 and CVE-2023-35081, which were exploited before patches were available. Threat actors targeting MDM infrastructure can use server-level access to pivot through enrolled device fleets or extract certificates and credentials used across enterprise environments.
Exploit Chain
Stage 1: Reconnaissance — EPMM Server Identification
An adversary identifies internet-accessible Ivanti EPMM management portals through passive reconnaissance (certificate transparency, passive DNS) or active scanning. EPMM management interfaces typically expose identifiable HTTP responses and login forms. Adversaries with prior knowledge of the target environment, or those who have already established access to internal network segments, may identify EPMM servers through internal discovery.
Stage 2: Credential Access — Admin Account Compromise
Exploitation requires administrative credentials. The adversary obtains these through prior techniques such as phishing, credential stuffing against the EPMM management portal, reuse of credentials captured from other compromised systems, or through a separate authentication bypass or privilege escalation on the EPMM server. Nation-state actors with persistent access to the target environment may already possess valid admin credentials from prior intrusion activity.
Stage 3: Authentication — Administrative Session Establishment
The adversary authenticates to the EPMM management interface using obtained admin credentials, establishing a legitimate administrative session. This session provides the access level required to reach the vulnerable code path.
Stage 4: Exploitation — Improper Input Validation Trigger
Within the authenticated administrative session, the adversary sends specially crafted input to the vulnerable EPMM component. The EPMM server fails to properly validate or sanitize the input (CWE-20), allowing the adversary to influence server-side processing in ways that are outside the intended application behavior.
```text
[Adversary] -> crafted admin input -> [EPMM management interface]
                                                 |
                                    Input validation bypassed
                                    (CWE-20: Improper Input Validation)
                                                 |
                                    Server-side code execution
                                    in EPMM process context
```
Stage 5: Post-Exploitation — MDM Infrastructure Abuse
With remote code execution on the EPMM server, the adversary can: extract device enrollment records, certificates, and user credentials stored by EPMM; modify device management policies to push malicious configurations or applications to enrolled devices; revoke or replace certificates across the managed fleet; establish persistence on the EPMM server for ongoing access; and pivot laterally to any network segment accessible from the server or reachable through managed devices.
Detection Guidance
| Signal | Indicator | Confidence |
|---|---|---|
| Unexpected EPMM process spawning child processes | System-level child process creation (shells, interpreters) from the EPMM server process without administrative console activity | HIGH |
| Anomalous outbound connections from EPMM server | Novel outbound network sessions from the EPMM host to external or unexpected internal IP addresses | HIGH |
| EPMM configuration or policy changes without admin console activity | Device policy modifications, certificate changes, or application pushes not traceable to legitimate admin sessions in audit logs | HIGH |
| Admin-session input anomalies | Unusually large, malformed, or structurally anomalous input payloads within authenticated admin sessions | MEDIUM |
| New administrative accounts or credential changes | Creation of new EPMM admin accounts or credential resets outside of normal change management windows | MEDIUM |
| Mass push operations to enrolled devices | Unexpected bulk configuration or application deployments to managed device fleet following anomalous server activity | MEDIUM |
| EPMM service crashes or restarts | Unexpected application errors, service restarts, or core dumps without an identifiable administrative cause | LOW |
Organizations should enable EPMM audit logging at maximum verbosity and review logs for unexpected admin activity, particularly during the period since the vulnerability was first publicly disclosed on May 7, 2026. Integration of EPMM server logs into a SIEM enables correlation of anomalous inbound admin-session activity with subsequent unusual outbound or lateral-movement indicators.
Indicators of Compromise
Ivanti has confirmed active exploitation of CVE-2026-6973 without releasing specific threat actor attribution, malware families, or infrastructure indicators at time of publication. The following behavioral indicators are consistent with exploitation or post-exploitation activity on an EPMM server:
- Unexpected child process creation on the EPMM server — process execution (particularly shells or interpreters) originating from the EPMM service process without a corresponding administrative action in audit logs.
- Novel outbound network connections from the EPMM host — connections to external IP addresses, or to internal segments not normally accessed by the EPMM server, following an authenticated admin session.
- Unauthorized device policy or certificate modifications — changes to enrolled device policies, installed certificates, or application catalogs that do not correspond to legitimate administrative activity in EPMM audit logs.
- New or modified EPMM administrator accounts — creation of new admin-level accounts, modification of existing admin credentials, or changes to role assignments without change management records.
- Anomalous bulk device enrollment or push operations — unexpected mass configuration pushes, profile installations, or application deployments to the enrolled device fleet.
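The following Python script is an added example (not Ivanti's own tooling or a vendor-supplied detection) that implements three of the signals from the detection table and the indicator list above against sample log lines: shell or interpreter children of the EPMM service process, rated HIGH when no admin console action precedes them within a short window and MEDIUM when one does (the exploit is triggered inside an admin session, so a child process that coincides with admin activity still warrants review); policy or certificate changes by an account with no recorded login; and admin logins from outside the trusted administrative network. The audit and process log formats, the service process name epmm-svc, the trusted network 10.20.0.0/24, the 30-second window and every log line are constructed for the example and must be mapped to the real EPMM audit log and host telemetry schema before use.

```python
"""Correlate EPMM audit events with host process telemetry.

Added example, not Ivanti tooling. Log formats, the process name, the trusted
network, the window and every log line below are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

EPMM_PROCESS = "epmm-svc"  # placeholder for the real EPMM service process name
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "python", "python3", "perl", "nc", "curl", "wget"}
SENSITIVE_ACTIONS = {"policy.update", "config.upload", "cert.replace", "app.push"}
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed admin VLAN
WINDOW = timedelta(seconds=30)  # assumed: how recent an admin action must be to explain a child

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
AUDIT_RE = re.compile(TS + r" audit user=(?P<user>\S+) action=(?P<action>\S+) src=(?P<src>\S+)$")
PROC_RE = re.compile(TS + r' proc parent=(?P<parent>\S+) child=(?P<child>\S+) cmd="(?P<cmd>[^"]*)"$')


@dataclass
class Audit:
    ts: datetime
    user: str
    action: str
    src: str


@dataclass
class Proc:
    ts: datetime
    parent: str
    child: str
    cmd: str


def _parse(text: str, regex: re.Pattern, cls):
    """Parse matching lines into cls instances; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            fields = m.groupdict()
            fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%d %H:%M:%S")
            rows.append(cls(**fields))
    return rows


def parse_audit(text: str) -> list[Audit]:
    return _parse(text, AUDIT_RE, Audit)


def parse_proc(text: str) -> list[Proc]:
    return _parse(text, PROC_RE, Proc)


def analyze(audit: list[Audit], procs: list[Proc]) -> list[tuple[str, str]]:
    """Return (confidence, description) findings, HIGH before MEDIUM."""
    findings: list[tuple[str, str]] = []
    logged_in: set[str] = set()
    for a in audit:
        if a.action == "login":
            logged_in.add(a.user)
            if not any(ipaddress.ip_address(a.src) in net for net in TRUSTED_ADMIN_NETS):
                findings.append(("HIGH", f"{a.ts} admin login for {a.user} from untrusted source {a.src}"))
        elif a.action in SENSITIVE_ACTIONS and a.user not in logged_in:
            findings.append(("HIGH", f"{a.ts} {a.action} by {a.user} with no preceding login in audit log"))
    for p in procs:
        if p.parent != EPMM_PROCESS or p.child not in SUSPICIOUS_CHILDREN:
            continue
        # Admin console actions (other than logout) shortly before the spawn lower confidence.
        recent = [a for a in audit if a.action != "logout" and timedelta(0) <= p.ts - a.ts <= WINDOW]
        if recent:
            a = recent[-1]
            findings.append(("MEDIUM", f"{p.ts} {EPMM_PROCESS} spawned {p.child!r} ({p.cmd}) during {a.action} by {a.user}"))
        else:
            findings.append(("HIGH", f"{p.ts} {EPMM_PROCESS} spawned {p.child!r} ({p.cmd}) with no admin console activity"))
    findings.sort(key=lambda f: {"HIGH": 0, "MEDIUM": 1}[f[0]])
    return findings


# Constructed sample logs; users, addresses (TEST-NET ranges) and commands are not real.
AUDIT_LOG = """\
2026-05-08 09:00:01 audit user=alice action=login src=10.20.0.15
2026-05-08 09:00:40 audit user=alice action=policy.update src=10.20.0.15
2026-05-08 09:01:10 audit user=alice action=logout src=10.20.0.15
2026-05-08 14:22:03 audit user=svc_mdm action=login src=203.0.113.77
2026-05-08 14:22:15 audit user=svc_mdm action=config.upload src=203.0.113.77
2026-05-08 14:30:00 audit user=bob action=cert.replace src=10.20.0.31
"""
PROC_LOG = """\
2026-05-08 09:00:41 proc parent=epmm-svc child=java cmd="java -jar report.jar"
2026-05-08 14:22:16 proc parent=epmm-svc child=bash cmd="bash -c id"
2026-05-08 16:05:00 proc parent=epmm-svc child=sh cmd="sh -i"
"""

if __name__ == "__main__":
    for confidence, text in analyze(parse_audit(AUDIT_LOG), parse_proc(PROC_LOG)):
        print(f"[{confidence}] {text}")
```

On the sample data the script raises three HIGH findings (an admin login from outside the trusted network, a certificate replacement by an account with no login event, and an interactive shell spawned by the service process with no admin activity nearby) and one MEDIUM finding for the shell spawned one second after a configuration upload, which is the pattern the "Admin-session input anomalies" row describes and the one an analyst should pull the full session for. In a SIEM the same logic becomes a join between the EPMM audit source and the host EDR process-creation source keyed on time.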
Recommended Mitigations (in priority order):
- Apply patches immediately — Upgrade to Ivanti EPMM 12.6.1.1, 12.7.0.1, or 12.8.0.1 per vendor guidance. The CISA KEV federal deadline is May 10, 2026.
- Restrict management interface access — Limit access to the EPMM administrative portal to trusted IP ranges and VPN-connected administrative workstations. Remove internet exposure of the management interface where operationally feasible.
- Enforce multi-factor authentication on admin accounts — Require MFA for all EPMM administrative accounts to raise the barrier for credential-based exploitation prerequisites.
- Audit current admin accounts — Review all EPMM administrator accounts for legitimacy, remove stale or unauthorized accounts, and rotate credentials for active accounts.
- Enable and review EPMM audit logging — Ensure audit logging is enabled at maximum verbosity and review recent logs for anomalous admin-session activity, particularly around the time of disclosure.
- Monitor EPMM server for post-exploitation indicators — Deploy host-based monitoring on the EPMM server to detect unexpected process execution, outbound connections, and file system changes.
Disclosure Timeline
- 2026-05-07 — Ivanti Public Disclosure: Ivanti releases the May 2026 Security Advisory for Endpoint Manager Mobile (EPMM), disclosing CVE-2026-6973 alongside a patch. The advisory notes that exploitation has been observed in the wild and that patches in versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 address the vulnerability. A CVSS 3.1 score of 7.2 HIGH is assigned.
- 2026-05-07 — NVD Publication: The National Vulnerability Database publishes CVE-2026-6973 with the full CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, severity HIGH (7.2), and CWE-20 classification.
- 2026-05-07 — CISA KEV Addition: CISA adds CVE-2026-6973 to the Known Exploited Vulnerabilities catalog, confirming active exploitation. Federal agencies are required to remediate by May 10, 2026 under Binding Operational Directive 22-01.
Sources & References
- CISA: Known Exploited Vulnerabilities Catalog — CISA, 2026-05-07
- National Vulnerability Database: CVE-2026-6973 — National Vulnerability Database, 2026-05-07
- Ivanti Product Security: May 2026 Security Advisory — Ivanti Endpoint Manager Mobile (EPMM) — Ivanti Product Security, 2026-05-07