Ivanti EPMM CVE-2026-6973 admin RCE exploited
What Happened
Ivanti warned customers on April 10, 2026, that a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM), tracked as CVE-2026-6973 (CVSS 7.2), is under active exploitation in zero-day attacks. The flaw allows unauthenticated attackers to achieve admin-level access on vulnerable appliances, bypassing standard authentication controls. Ivanti confirmed limited in-the-wild exploitation and urged immediate patching for all supported versions.
Why It Matters
Ivanti EPMM is a widely deployed mobile device management (MDM) platform used by enterprises, government agencies, and critical infrastructure organizations to manage thousands of mobile endpoints. Admin-level access granted via this RCE provides attackers with full control over device policies, data wiping capabilities, configuration changes, and potential lateral movement into internal networks. The zero-day nature of the exploitation means no patch was available when attacks began, leaving a window for intrusions. Organizations using Ivanti EPMM should treat this as a critical operational priority, especially given Ivanti’s history of high-profile zero-day incidents.
Technical Details
CVE-2026-6973 is an unauthenticated remote code execution flaw in the EPMM administrative interface. An attacker can send specially crafted HTTP requests to trigger the vulnerability, which executes arbitrary code with the privileges of the EPMM application service - typically a high-integrity account. No authentication or user interaction is required. The attack vector is network-based over HTTP/HTTPS, making it exploitable from an external-facing management interface. Successful exploitation grants admin-level access to the EPMM console, allowing manipulation of device policies, retrieval of device credentials, and potential pivot to backend directory services. Indicators of compromise include unexpected administrative session creation, anomalous HTTP POST requests to specific EPMM admin endpoints, and unusual device policy changes.
Immediate Risk
The risk is critical. Any Ivanti EPMM instance exposed to the internet with an unpatched administrative interface is at direct risk of compromise. Organizations should assume that if their appliance is internet-reachable, it may already be under attack. The vendor has released patches; immediate deployment is required. For environments where patching is delayed, temporarily restricting network access to the EPMM admin interface to trusted IP ranges or disabling remote management is the only viable mitigation. No workarounds short of network segmentation or interface takedown are effective.
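One way to check both the trusted-range restriction above and the "anomalous HTTP POST requests to admin endpoints" indicator from Technical Details is to review the access log of whatever fronts the EPMM admin interface. The Python below is an added example, not Ivanti's code or part of the original advisory; the combined log format, the admin path prefix (a placeholder, since the page names no endpoints), the trusted ranges and the sample lines are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the advisory): combined-format access log lines,
# a placeholder admin path prefix, and example trusted management ranges.
ADMIN_PREFIX = "/ADMIN-PATH-PLACEHOLDER/"
TRUSTED_RANGES = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.16/28")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '10.20.0.15 - admin [10/Apr/2026:08:01:12 +0000] "POST /ADMIN-PATH-PLACEHOLDER/policy HTTP/1.1" 200 512',
    '203.0.113.77 - - [10/Apr/2026:08:03:40 +0000] "POST /ADMIN-PATH-PLACEHOLDER/session HTTP/1.1" 200 1290',
    '203.0.113.77 - - [10/Apr/2026:08:03:44 +0000] "POST /ADMIN-PATH-PLACEHOLDER/policy HTTP/1.1" 500 88',
    '198.51.100.9 - - [10/Apr/2026:08:05:02 +0000] "GET /ADMIN-PATH-PLACEHOLDER/login HTTP/1.1" 200 3021',
    '198.51.100.9 - - [10/Apr/2026:08:05:09 +0000] "POST /enroll/device HTTP/1.1" 200 77',
    'truncated line without a request field',
]

def is_trusted(ip_text):
    """True if the source address falls inside an allowed management range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable source is never treated as trusted
    return any(ip in net for net in TRUSTED_RANGES)

def untrusted_admin_posts(lines):
    """Return (hits, skipped): admin POSTs from untrusted sources, and the unparsed line count."""
    hits, skipped = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            skipped += 1  # count these: a gap in parsing is a gap in coverage
            continue
        if m["method"] != "POST" or not m["path"].startswith(ADMIN_PREFIX):
            continue
        if not is_trusted(m["ip"]):
            hits.append((m["ts"], m["ip"], m["path"], int(m["status"])))
    return hits, skipped

def summarize(hits):
    """Count flagged requests per source address so repeated sources stand out."""
    return Counter(ip for _, ip, _, _ in hits)
```

Any hit means the access restriction is not in effect for that source, and the listed requests are the ones to correlate with administrative session creation and device policy changes.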
Security Insight
Ivanti’s repeated pattern of critical zero-day vulnerabilities in its mobile management and VPN products - including prior incidents in 2024 and 2025 - suggests a systemic issue in the company’s software development lifecycle. Security teams should treat Ivanti appliances as high-risk assets and implement mandatory isolation: place EPMM consoles in dedicated management VLANs with minimal egress, enforce strict network access controls, and maintain offline backup configurations independent of the appliance. For future procurement, consider MDM platforms with hardened administrative interfaces and a demonstrated record of reducing external attack surface. Do not rely on vendor patch timelines alone - assume a breach and verify system integrity post-patch.