Introduction
Threat actors are chaining credential theft from a January 2026 Ivanti vulnerability with a newly disclosed input validation flaw to achieve remote code execution on Ivanti Endpoint Manager Mobile appliances. Both Ivanti and the Belgian Centre for Cyber Security confirmed on May 7, 2026 that a limited number of customers have already been compromised through this attack chain, making CVE-2026-6973 an actively exploited zero day at the time of disclosure.
Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, is an on premises mobile device management platform used by enterprises and government agencies to manage and secure mobile endpoints. Ivanti acquired MobileIron in December 2020 for approximately 872 million dollars, and EPMM remains a widely deployed MDM solution, particularly in regulated industries and federal environments. Its position as a network edge appliance that manages device enrollment and policy enforcement makes it a high value target for adversaries seeking persistent access to enterprise environments.
Technical Information
CVE-2026-6973 is rooted in an Improper Input Validation weakness (CWE-20) within the on premises Ivanti EPMM product. The vulnerability carries a CVSS score of 7.2 and allows a remotely authenticated user with administrative privileges to achieve remote code execution on the underlying EPMM appliance.
Root Cause
The flaw exists in how the EPMM appliance processes certain input from authenticated administrative sessions. Because EPMM is a closed source, appliance based product, the specific vulnerable code path has not been publicly disclosed. What we know from the advisory is that the input validation logic fails to properly sanitize or constrain input provided by an authenticated administrator, allowing that input to be interpreted in a way that results in arbitrary code execution on the host operating system.
Attack Flow
The observed exploitation of CVE-2026-6973 follows a multi stage attack chain that spans two separate vulnerabilities and potentially months of elapsed time:
- Initial credential harvesting via CVE-2026-1340: Threat actors first exploited CVE-2026-1340, a separate vulnerability disclosed in January 2026, to obtain valid administrative credentials from target EPMM appliances. Ivanti has stated with high confidence that the credentials used in the May exploitation campaign were harvested during these earlier compromises.
- Authentication to the EPMM administrative interface: Using the stolen administrative credentials, the attacker authenticates to the target EPMM appliance remotely. This is the prerequisite for exploiting CVE-2026-6973; without valid admin credentials, the vulnerable code path is not reachable.
- Exploitation of the input validation flaw: Once authenticated with administrative privileges, the attacker provides crafted input that bypasses the insufficient validation logic. This input is processed in a context that allows arbitrary code execution on the underlying system.
- Post exploitation impact: Successful exploitation grants the attacker code execution on the EPMM appliance, which could lead to data exfiltration, lateral movement, or persistent access to the managed device fleet. Given that EPMM manages mobile device enrollment and policy, compromise of the appliance has implications for the confidentiality, integrity, and availability of all managed endpoints.
The dependency on previously stolen credentials is a critical detail. Organizations that followed Ivanti's January 2026 guidance to rotate administrative credentials after the CVE-2026-1340 disclosure would have significantly reduced their exposure to this attack chain, even before the May patch was available.
Scope Limitations
The vulnerability is strictly limited to the on premises EPMM product. The following products are confirmed not affected:
- Ivanti Neurons for MDM (cloud based)
- Ivanti EPM (Endpoint Manager, a separate product)
- Ivanti Sentry
- Other Ivanti products
Patch Information
Ivanti released patched firmware on May 7, 2026 as part of a broader May 2026 Security Advisory that addressed five high severity vulnerabilities in EPMM, including CVE-2026-6973. Because EPMM is a closed source, appliance based product, the fix is delivered as a full version update rather than a source code commit or diff. There is no public code level patch to inspect.
The fix is incorporated into three new maintenance releases that map to the three supported EPMM release trains:
| Affected Versions | Fixed Version | Build |
|---|---|---|
| EPMM 12.8.0.0 and all prior releases | 12.8.0.1 | 217 |
| (same) | 12.7.0.1 | 216 |
| (same) | 12.6.1.1 | 209 |
Ivanti provides two delivery mechanisms for each fixed version (both require authenticated access to the Ivanti support portal):
- Full ISO: for deploying a brand new EPMM appliance (e.g., mobileiron-12.8.0.1-217.iso).
- In place update package: for upgrading an existing EPMM appliance without rebuilding it.
An important nuance: these same patched versions also roll in the fixes for CVE-2026-1281 and CVE-2026-1340, which were disclosed in January 2026 and previously required a separate RPM hotfix. Organizations that apply the May update no longer need to maintain the January RPM package; the fix is cumulative. This is especially relevant because Ivanti has stated with high confidence that the admin credentials leveraged to exploit CVE-2026-6973 in the wild were originally stolen through the earlier CVE-2026-1340 exploitation. The patch therefore addresses the immediate code level input validation gap while the bundled January fixes close the credential theft vector that made exploitation practical.
The patch scope is limited to the on premises EPMM product only. Ivanti Neurons for MDM (the cloud based equivalent), Ivanti Sentry, and Ivanti EPM are not affected and do not require updates for this CVE. However, Ivanti simultaneously released new Sentry versions (10.4.2, 10.5.1, and 10.6.1); while Sentry itself is not vulnerable, customers deploying a new Sentry instance after upgrading EPMM will need to use one of these newer Sentry builds due to inter component compatibility requirements.
Beyond patching, organizations must also rotate all administrative credentials on their EPMM appliances. Given the confirmed credential reuse attack chain, patching alone is insufficient if the attacker already holds valid admin credentials.
Affected Systems and Versions
| Product | Deployment Type | Version | Status |
|---|---|---|---|
| Ivanti EPMM | On Premises | 12.8.0.0 and all earlier versions | Vulnerable |
| Ivanti EPMM | On Premises | 12.8.0.1 (Build 217) | Fixed |
| Ivanti EPMM | On Premises | 12.7.0.1 (Build 216) | Fixed |
| Ivanti EPMM | On Premises | 12.6.1.1 (Build 209) | Fixed |
| Ivanti Neurons for MDM | Cloud | All versions | Not Affected |
| Ivanti EPM | Various | All versions | Not Affected |
| Ivanti Sentry | Various | All versions | Not Affected |
The vulnerability applies to all on premises EPMM deployments running version 12.8.0.0 or earlier, regardless of configuration. Cloud customers using Ivanti Neurons for MDM require no action for this specific flaw.
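Added example (not Ivanti's code and not part of the advisory): a small Python triage helper that classifies EPMM version strings from an inventory against the three fixed builds in the table above. It compares per release train, so the backported 12.7.0.1 and 12.6.1.1 builds are not misreported as vulnerable by a naive "less than 12.8.0.1" check. The sample inventory and the assumption that the first two version components identify the release train are mine.

```python
"""Triage helper: classify Ivanti EPMM version strings against the May 2026
fixed builds in this advisory (12.8.0.1, 12.7.0.1, 12.6.1.1).

A plain numeric comparison against 12.8.0.1 would wrongly flag the fixed
12.7.0.1 and 12.6.1.1 builds as vulnerable because the fix was backported
to older release trains, so the lookup below is keyed per train.
"""
from __future__ import annotations

# Fixed version per supported release train, from the advisory's patch table.
# Assumption: the first two version components identify the release train.
FIXED_BY_TRAIN: dict[tuple[int, int], tuple[int, ...]] = {
    (12, 8): (12, 8, 0, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 6): (12, 6, 1, 1),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.7.0.1' (optionally followed by ' (Build 216)') into a 4-tuple."""
    core = text.strip().split()[0] if text.strip() else ""
    parts = core.split(".")
    if not core or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable EPMM version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))  # pad so '12.7' compares as 12.7.0.0


def classify(text: str) -> str:
    """Return 'fixed', 'vulnerable', 'unsupported-train' or 'unknown'."""
    version = parse_version(text)
    fixed = FIXED_BY_TRAIN.get(version[:2])
    if fixed is None:
        # Trains older than 12.6 got no May 2026 build: they fall under
        # "12.8.0.0 and all prior releases" and need a move to a supported train.
        return "unsupported-train" if version < (12, 6, 0, 0) else "unknown"
    return "fixed" if version >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map appliance name -> status for a {name: version_string} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are not real data.
    sample = {"epmm-prod-01": "12.8.0.0", "epmm-prod-02": "12.7.0.1 (Build 216)",
              "epmm-dr-01": "12.6.1.0", "epmm-lab-01": "11.12.0.2"}
    for host, status in triage(sample).items():
        print(f"{host:14} {status}")
```

Any host reported as vulnerable or unsupported-train should be scheduled for the cumulative May update and, per the section above, an administrative credential rotation.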
Vendor Security History
Ivanti's EPMM product line has been under sustained security pressure throughout 2026. In January 2026, Ivanti disclosed CVE-2026-1281 and CVE-2026-1340, both of which were exploited as zero days and required emergency patching via an RPM hotfix. The exploitation of CVE-2026-1340 is directly linked to the current CVE-2026-6973 campaign, as stolen credentials from those January compromises are being reused to authenticate and trigger the new input validation flaw.
In April 2026, CISA ordered federal agencies to patch exploited Ivanti EPMM flaws on an accelerated timeline, underscoring the severity of the ongoing threat to government deployments.
The May 2026 advisory that includes CVE-2026-6973 also addresses four additional newly discovered vulnerabilities: CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821. While only CVE-2026-6973 is confirmed exploited from this new batch, CVE-2026-7821 is notable because it does not require authentication and specifically affects customers using Apple Device Enrollment.
This pattern of recurring critical vulnerabilities in edge facing appliances, combined with confirmed in the wild exploitation, places Ivanti EPMM in a category that warrants heightened monitoring and accelerated patch cycles for any organization running the product.
References
- NVD Entry for CVE-2026-6973
- Ivanti May 2026 Security Advisory (Hub)
- Ivanti May 2026 Security Advisory (Forums)
- Ivanti Blog: May 2026 EPMM Security Update
- Belgian Centre for Cyber Security Advisory
- BleepingComputer: Ivanti warns of new EPMM flaw exploited in zero day attacks
- BleepingComputer: CISA orders feds to patch exploited Ivanti EPMM flaw
- Ivanti Wikipedia Entry