Ivanti EPMM admin RCE exploited (CVE-2026-6973)
CVE-2026-6973: Ivanti EPMM remote code execution via improper input validation, exploitable by authenticated administrators (CVSS 7.2). Actively exploited. Update to 12.6.1.1, 12.7.0.1, or 12.8.0.1.
Actively exploited in the wild - CVE-2026-6973 is a high-severity remote code execution in Ivanti EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1 that lets a remotely authenticated user with administrative access execute arbitrary commands on the server. Patched in the versions listed above; apply immediately.
Overview
CVE-2026-6973 is an improper input validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM). An attacker who already holds administrative credentials for the EPMM console can send specially crafted input to the vulnerable component, bypassing input validation checks. This allows the attacker to inject and execute arbitrary system commands on the underlying server, effectively taking full control of the EPMM instance.
The vulnerability carries a CVSS score of 7.2 (HIGH), with a network attack vector and low attack complexity. No user interaction is required beyond the initial administrator login, making exploitation straightforward once valid admin credentials are obtained.
Impact
Successful exploitation of CVE-2026-6973 gives an attacker remote code execution as the EPMM service user. This can lead to complete compromise of the mobile device management infrastructure, including access to device enrollment data, management profiles, and the ability to push malicious configurations to managed endpoints. The attacker could also pivot from the EPMM server to other systems in the enterprise network.
Given that CISA has confirmed active exploitation, there is no grace period. Attackers are already targeting Ivanti EPMM deployments that remain on vulnerable versions.
Remediation
Ivanti has released fixed versions: upgrade to EPMM 12.6.1.1, 12.7.0.1, or 12.8.0.1 immediately.
If immediate patching is not possible, restrict administrative access to the EPMM console to trusted IP addresses and enforce multi-factor authentication for all admin accounts. Audit existing admin accounts for unauthorized access or changes.
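To turn the fixed versions above into a patching worklist, here is an added inventory triage script (not from the advisory or Ivanti). It assumes EPMM versions are plain dotted numerics, that each 12.x branch is fixed only by its own listed release, and it reports branches the advisory does not name as unknown rather than guessing:

```python
# Added example: triage EPMM version strings against the fixed builds named
# for CVE-2026-6973. Hostnames and versions in the sample are constructed.
from typing import Dict, List, Tuple

# Fixed builds per release branch, as stated in the advisory.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.7.0.1' into (12, 7, 0, 1); pad to four fields for comparison."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected EPMM version format: {text!r}")
    return parts + (0,) * (4 - len(parts))


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one EPMM version."""
    v = parse_version(version_text)
    branch = v[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is not None:
        return "patched" if v >= fixed else "vulnerable"
    # Assumption: branches older than 12.6 predate every listed fix.
    if branch < (12, 6):
        return "vulnerable"
    # Newer branches are not covered by the advisory; do not guess.
    return "unknown"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by status so the vulnerable list can drive patching."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version_text in sorted(inventory.items()):
        groups[assess(version_text)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"epmm-a": "12.6.1.0", "epmm-b": "12.7.0.1", "epmm-c": "12.5.0.2",
              "epmm-d": "12.8", "epmm-e": "12.9.0.0"}
    for status, hosts in triage(sample).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```

Feed it the version strings from your asset inventory; a three-part version such as "12.8" is padded to 12.8.0.0 and therefore treated as below the 12.8.0.1 fix.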
Security Insight
CVE-2026-6973 follows a pattern of post-authentication vulnerabilities in enterprise management platforms that assume administrators are trusted. Ivanti has had multiple critical vulnerabilities exploited in the wild in recent years, highlighting a systematic weakness in input validation across their product line. Organizations should treat any administrative interface as a potential attack surface and apply defense-in-depth even for authenticated users. The active exploitation of this CVE suggests that compromise chains may start by first obtaining admin credentials through separate phishing or credential stuffing attacks before leveraging this RCE to deepen access.