ThreatLevelBeta
Planned Fix

CVE-2026-6973

Remote Code Execution in Ivanti Endpoint Manager Mobile
Loading...

Summary

Ivanti Endpoint Manager Mobile (EPMM) on-premises versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1 contain improper input validation in an administrative management path. An attacker who already has an EPMM administrator account can submit crafted input that reaches vulnerable server-side processing and triggers remote code execution on the appliance. Ivanti says exploitation has been very limited and CISA has listed the CVE in KEV.

Why Planned Fix?

5/6
Authentication required
Mixed internet / internal deployment
No user interaction needed
Exploitable in default configuration
Active exploitation in the wild
High impact vulnerability

Exploitation Details

Type
RCE (Remote Code Execution)
Is exploitable with default configuration?
Yes
Is authentication needed?
Yes
PoC / Exploit
No
Impact

Execute arbitrary code on the EPMM appliance with admin privileges.

RCE (Remote Code Execution)
Exploitation Requirements
  • Authentication required
Exploitation Process

An attacker first authenticates to the EPMM administrative interface using valid admin credentials. They then send crafted input to the affected management function so the server-side validation fails and the payload reaches code-executing processing on the appliance. Successful exploitation results in arbitrary code execution on the EPMM host.

Detection Resources
Manual Detection
0
Script Detection
0
Scanner Detection
Tenable Nessus
1

Affected Software

Vendor:Ivanti
ProductAffected Versions
Ivanti Endpoint Manager Mobile (EPMM)before 12.6.1.1, 12.7.0.1, and 12.8.0.1
Description

On-premises unified endpoint management platform for managing mobile devices, applications, and content across an enterprise.

Deployment:Mixed (internet/internal)
|
Protocol:HTTPS
|
Ports:443, 8443
Affected ComponentAdministrative web management interface and server-side input validation in the EPMM admin path.

Administrative web management interface and server-side input validation in the EPMM admin path.

Affected Endpoints(1)/mics
1./mics
Enterprise UsageEstimated likelihood that this vendor/product is deployed in enterprise environments. AI-generated estimation based on market presence, product type and adoption signals — not exact data.
Very Low
Low
Medium
High
Very High
Vendor Size:Medium
Remediation
Workaround

Not available

Patch

Not available

Update
Upgrade on-premises Ivanti Endpoint Manager Mobile to 12.6.1.1, 12.7.0.1, or 12.8.0.1 to fix CVE-2026-6973.

Upgrade on-premises Ivanti Endpoint Manager Mobile to 12.6.1.1, 12.7.0.1, or 12.8.0.1 to fix CVE-2026-6973.

forums.ivanti.com
Threat Intelligence
EPSS Score5.0%

Probability of exploitation in the next 30 days

EPSS Percentile90%

Worse than 90% of all CVEs

Last updated: Loading...
CISAKEV
CISA KEV
Listed
Loading...
Active Exploitation
Active
cyber.gc.ca
Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data

Published: Loading...Modified: Loading...

Description Summary

An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.

CVSS Base Score

7.2
High

CVSS Vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Attack Vector (AV)
Physical
Local
Adjacent
Network
Attack Complexity (AC)
High
Low
Privileges Required (PR)
High
Low
None
User Interaction (UI)
Required
None
Scope (S)
Unchanged
Changed
Confidentiality (C)
None
Low
High
Integrity (I)
None
Low
High
Availability (A)
None
Low
High
CWE:CWE-20 Improper Input Validation
|
NVD:CVE-2026-6973
|
Version From:
|
Version Upto:12.6.1.1

Affected Software (CPE) (3)

  • cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*
  • cpe:2.3:a:ivanti:endpoint_manager_mobile:12.7.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ivanti:endpoint_manager_mobile:12.8.0.0:*:*:*:*:*:*:*

Sources

7
SourceArticle
forums.ivanti.comMay 2026 Security Advisory: Ivanti Endpoint Manager Mobile (EPMM) (Multiple CVEs)
www.ivanti.comJanuary 2026 EPMM Security Update
help.ivanti.comSigning in to the Ivanti EPMM System Manager
help.ivanti.comPort Settings
www.cyber.gc.caIvanti security advisory AV26-435
thehackernews.comIvanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
cyberscoop.comIvanti customers confront yet another actively exploited zero-day

Priority History

Planned FixLoading...

Initial analysis