SOCRadar® Cyber Intelligence Inc. | CVE-2026-6973: Authenticated Admin RCE In Ivanti EPMM Added to CISA KEV
May 08, 2026

CVE-2026-6973: Authenticated Admin RCE In Ivanti EPMM Added to CISA KEV

Ivanti has patched CVE-2026-6973, a high-severity remote code execution (RCE) vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) on-prem deployments. The vulnerability has been exploited in the wild – CISA has also added it to the Known Exploited Vulnerabilities (KEV) catalog. Although exploitation requires remote authentication with administrative access, defenders should still prioritize the fix because it provides direct code execution on a security-sensitive management platform. This post breaks down what’s affected, what exploitation looks like at a high level, and what to do next.

What Is CVE-2026-6973?

CVE-2026-6973 (CVSS 7.2) is an improper input validation vulnerability that can lead to remote code execution in Ivanti Endpoint Manager Mobile (EPMM) for an attacker who is remotely authenticated with administrative privileges.

Details of CVE-2026-6973 (SOCRadar Vulnerability Intelligence)

Ivanti EPMM often sits in a privileged position because it manages mobile devices, policies, and enrollment workflows. Even when a flaw is only reachable by an authenticated admin, RCE on the EPMM appliance is high impact. It can give an attacker a foothold in a system where sensitive configuration and identity integrations often live.

Which Ivanti Products and Deployments Are Affected?

The scope called out in public advisories and reporting is specific:

  • Affected: Ivanti Endpoint Manager Mobile (EPMM) on-prem
  • Not affected (per Ivanti statements in public reporting): Ivanti Neurons for MDM (cloud), Ivanti EPM (a different product line), Ivanti Sentry, and other Ivanti products referenced as out of scope for this advisory set

That distinction matters for triage. If you only operate the cloud MDM service, this CVE is not expected to apply. If you run on-prem EPMM, assume you are in scope until you confirm your exact version.

Which Versions Are Vulnerable?

EPMM versions prior to the following fixed releases are affected:

  • 12.6.1.1
  • 12.7.0.1
  • 12.8.0.1

If you are on 12.6.x, 12.7.x, or 12.8.0.0 and have not moved to the corresponding fixed build, treat this as vulnerable until validated otherwise.
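As an added example (not code from the SOCRadar post or from Ivanti), the following Python helper turns the version rule above into a triage check over an inventory of on-prem EPMM appliances. It assumes that any build at or above its train's fixed release is patched, that trains older than 12.6 (which have no fixed build listed) are treated as affected, and that the hostnames and versions are constructed sample input.

```python
# Added example (not from the SOCRadar post or from Ivanti): classify an
# on-prem EPMM version string against the fixed releases named above.
# Assumption: a build at or above its train's fixed release is patched.
from typing import Dict, List, Tuple

# Fixed release per train (major, minor) as listed in the advisory.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.7' or '12.7.0.0' into a four-component tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected EPMM version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def classify(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-train'.

    Trains older than 12.6 have no fixed build listed and the advisory says
    releases prior to the fixed builds are affected, so they are reported
    vulnerable. Newer, unlisted trains get 'unknown-train' for manual review
    rather than being assumed safe.
    """
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is not None:
        return "patched" if v >= fixed else "vulnerable"
    return "vulnerable" if v[:2] < min(FIXED_RELEASES) else "unknown-train"

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status so vulnerable appliances are patched first."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown-train": []}
    for host, ver in inventory.items():
        groups[classify(ver)].append(host)
    return groups

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {"epmm-eu-01": "12.6.0.0", "epmm-eu-02": "12.6.1.1",
              "epmm-us-01": "12.7.0.0", "epmm-us-02": "12.8.0.1",
              "epmm-lab-01": "12.5.2.0"}
    for status, hosts in triage(sample).items():
        print(f"{status:14s} {', '.join(hosts) or '-'}")
```

Feed it the version strings from your own asset inventory; the "unknown-train" bucket is deliberately separate so that a train the advisory does not mention is checked against Ivanti's guidance instead of silently passing.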

How Does Exploitation Work In Practice?

Publicly available details are limited. The vulnerability is described as improper input validation that results in RCE, but accessible sources do not provide a deeper technical breakdown such as the exact endpoint, component, or a patch diff.

What is clear is the exploitation precondition:

  • The attacker must be remotely authenticated
  • The attacker must have administrative access

That shifts the likely real-world paths to exploitation away from broad internet scanning and toward credential abuse or privilege gain inside an environment. In the same patch cycle, Ivanti also addressed other EPMM issues (including access control and certificate validation problems), but CVE-2026-6973 itself is framed as an authenticated admin-to-RCE condition.

Is CVE-2026-6973 Being Exploited In The Wild?

Yes. Ivanti’s official advisory indicates that CVE-2026-6973 has been exploited, although exploitation is reported to affect a very limited number of customers.

Government and prioritization signals also point to urgency. CISA has added CVE-2026-6973 to the KEV catalog, urging federal agencies to patch it by May 10, 2026.

Internet-exposed Ivanti EPMM instances by region, as tracked by Shadowserver

The potential scope is significant: as of May 7, 2026, Shadowserver tracks over 800 internet-exposed Ivanti EPMM instances online, with the majority concentrated in Europe and North America.

How SOCRadar Helps Security Teams Respond

When vulnerabilities reach the KEV catalog or show signs of active exploitation, security teams often need to quickly determine which systems are exposed and how urgently remediation should be prioritized. SOCRadar’s Cyber Threat Intelligence helps organizations monitor CVE developments, exploit activity, attacker discussions, related IOCs, and real-world exploitation signals tied to critical vulnerabilities.

At the same time, the Attack Surface Management (ASM) module helps identify exposed assets, internet-facing systems, and risky configurations that may increase the likelihood or impact of exploitation. Together, these capabilities support faster prioritization and more informed remediation decisions.

SOCRadar’s Vulnerability Intelligence

Is There A Public PoC or Any Known IOCs?

No confirmed public Proof-of-Concept (PoC) exploit was identified so far, and accessible sources do not include concrete IOCs such as IP addresses, file hashes, webshell names, or specific request paths.

This increases the importance of basic operational controls (patching, credential review, and audit logging) because defenders cannot rely on a short list of indicators to catch activity.

What Should Defenders Do Now?

Patch EPMM On-Prem to a Fixed Release

Prioritize upgrades to one of the following versions based on your train:

  • 12.6.1.1
  • 12.7.0.1
  • 12.8.0.1

Given the KEV signal and confirmed exploitation, treat patching as time-sensitive, even though the vulnerability requires admin authentication.

Audit Administrative Access and Rotate Credentials

Because exploitation requires an authenticated admin, reducing the chance that an attacker can obtain or reuse admin access is a direct mitigation lever:

  • Review EPMM administrator accounts for unexpected additions or privilege changes
  • Rotate EPMM admin credentials and any related privileged credentials used for management or integrations
  • Where feasible, invalidate active sessions and review authentication logs for unusual admin login patterns

Public reporting also suggests that Ivanti’s guidance indicated customers who rotated credentials after earlier EPMM incidents have reduced their risk here. That does not confirm a specific exploitation chain, but it supports a practical point: credential hygiene is central to reducing exposure for this CVE.

Treat EPMM As A High-Value Asset During Triage

EPMM compromise can have downstream impact. Even without public post-exploitation details for this specific CVE, prioritize additional scrutiny for:

  • Changes to device policies, enrollment settings, or administrative roles
  • Unexpected configuration edits tied to identity systems (SSO/LDAP)
  • Unusual outbound connections from the appliance (depending on your baseline)