Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access - The Hacker News
The Hacker NewsArchived May 22, 2026✓ Full text saved
Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access The Hacker News
Full text archived locally
✦ AI Summary· Claude Sonnet
Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
Ravie LakshmananMay 07, 2026Vulnerability / Network Security
Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been explored in limited attacks in the wild.
The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.
It allows "a remotely authenticated user with administrative access to achieve remote code execution," Ivanti said in an advisory released today.
"We are aware of a very limited number of customers exploited with CVE-2026-6973. Successful exploitation requires Admin authentication. If customers followed Ivanti's recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced."
It's currently not known who is behind the exploitation efforts, if any of those attacks were successful, and what the end goals of the attacks were.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by May 10, 2026.
Also patched by Ivanti in EPMM are four other flaws -
CVE-2026-5786 (CVSS score: 8.8) - An improper access control vulnerability that allows a remote authenticated attacker to gain administrative access.
CVE-2026-5787 (CVSS score: 8.9) - An improper certificate validation vulnerability that allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.
CVE-2026-5788 (CVSS score: 7.0) - An improper access control vulnerability that allows a remote unauthenticated attacker to invoke arbitrary methods.
CVE-2026-7821 (CVSS score: 7.4) - An improper certificate validation vulnerability that allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about the EPMM appliance and impacting the integrity of the newly enrolled device identity.
"The issues only affect the on-prem EPMM product, and are not present in Ivanti Neurons for MDM, Ivanti's cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products," the company said.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet
Share
Share
SHARE
CISA, cybersecurity, data security, network security, remote code execution, Threat Intelligence, Vulnerability
⚡ Top Stories This Week
[Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud
ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories
18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation
On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption
Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday
Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access
New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence
Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws
cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages
Load More ▼
⭐ Featured Resources
[Guide] Stop Email Fraud Before It Turns Into Ransomware Damage
[Webinar] Learn How to Handle Critical SOC Alerts With AI Support
[eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk
Identify Internal Attack Surfaces More Efficiently With a Free Assessment