Ivanti disclosed active exploitation of CVE-2026-6973, a remote code execution vulnerability in Endpoint Manager Mobile (EPMM) affecting versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. The flaw stems from improper input validation and carries a CVSS score of 7.2, classifying it as high-severity.

Attackers exploit this vulnerability to gain remote code execution with admin-level privileges. Exploitation requires an authenticated user who already holds administrative credentials, which narrows the immediate attack surface but remains serious for organizations where internal credentials have been compromised or where administrators use weak passwords.

Ivanti reports limited in-the-wild exploitation activity, but the presence of active attacks signals that threat actors have weaponized this flaw. Organizations running vulnerable EPMM deployments face direct risk of system takeover. Compromised EPMM instances can serve as pivot points to attack connected mobile devices and enterprise infrastructure.

The company has released patches in versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. Organizations should apply these updates immediately, prioritizing EPMM instances exposed to untrusted networks or accessed by high-risk user groups. Where patching must be delayed, restrict administrative account usage and monitor for suspicious authentication patterns and code execution attempts.

EPMM manages enterprise mobile device deployments across iOS, Android, and Windows platforms. Compromise at this layer grants attackers visibility and control over thousands of corporate mobile devices, creating widespread lateral movement opportunities and data exfiltration risks.

Organizations should audit EPMM administrative account activity for the past 30 days to detect potential unauthorized access. Review system logs for unexpected remote code execution events and check mobile device enrollment records for anomalies.
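The 30-day administrative review described above can be scripted against exported audit records. The block below is an added example, not Ivanti's tooling or code from this advisory: it assumes a constructed JSON-lines record shape (`ts`, `user`, `role`, `event`, `result`, `src_ip`) rather than EPMM's actual log schema, filters to admin-role events inside the look-back window, and flags the patterns the text recommends watching for: admin logins from source IPs not in the account's baseline, admin logins outside business hours, bursts of failed admin authentication, and bursts of device enrollments by one admin account. Thresholds, the baseline IP set and every sample record are constructed for illustration.

```python
"""Triage of MDM administrative audit events over a look-back window.
Added example; the JSON-lines record shape is an assumption, not EPMM's real schema."""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample audit records (not real data), one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2026-04-20T10:00:00Z", "user": "admin.jane", "role": "admin", "event": "login", "result": "success", "src_ip": "10.20.0.15"}
{"ts": "2026-05-02T09:12:04Z", "user": "admin.jane", "role": "admin", "event": "login", "result": "success", "src_ip": "10.20.0.15"}
{"ts": "2026-05-10T02:40:00Z", "user": "svc.mdm", "role": "admin", "event": "login", "result": "failure", "src_ip": "203.0.113.44"}
{"ts": "2026-05-10T02:41:00Z", "user": "svc.mdm", "role": "admin", "event": "login", "result": "failure", "src_ip": "203.0.113.44"}
{"ts": "2026-05-10T02:42:00Z", "user": "svc.mdm", "role": "admin", "event": "login", "result": "failure", "src_ip": "203.0.113.44"}
{"ts": "2026-05-10T02:43:00Z", "user": "svc.mdm", "role": "admin", "event": "login", "result": "failure", "src_ip": "203.0.113.44"}
{"ts": "2026-05-10T02:44:00Z", "user": "svc.mdm", "role": "admin", "event": "login", "result": "failure", "src_ip": "203.0.113.44"}
{"ts": "2026-05-10T02:45:30Z", "user": "svc.mdm", "role": "admin", "event": "login", "result": "success", "src_ip": "203.0.113.44"}
{"ts": "2026-05-10T02:47:11Z", "user": "admin.jane", "role": "admin", "event": "login", "result": "success", "src_ip": "203.0.113.44"}
{"ts": "2026-05-10T02:50:00Z", "user": "svc.mdm", "role": "admin", "event": "device_enroll", "result": "success", "src_ip": "203.0.113.44"}
{"ts": "2026-05-10T02:51:00Z", "user": "svc.mdm", "role": "admin", "event": "device_enroll", "result": "success", "src_ip": "203.0.113.44"}
{"ts": "2026-05-10T02:52:00Z", "user": "svc.mdm", "role": "admin", "event": "device_enroll", "result": "success", "src_ip": "203.0.113.44"}
{"ts": "2026-05-15T14:03:00Z", "user": "helpdesk.bob", "role": "operator", "event": "login", "result": "success", "src_ip": "10.20.0.77"}
"""

# Constructed baseline: source IPs each admin account has historically used.
KNOWN_ADMIN_IPS = {"admin.jane": {"10.20.0.15"}}


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str
    ts: str
    src_ip: str


def parse_events(raw: str) -> list[dict]:
    """Parse JSON-lines audit records and attach a timezone-aware datetime."""
    events = []
    for line in raw.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["dt"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return events


def audit_admin_activity(events: list[dict], now: datetime, known_ips=None, window_days: int = 30,
                         fail_threshold: int = 5, fail_window=timedelta(minutes=10),
                         enroll_threshold: int = 3, enroll_window=timedelta(hours=1),
                         business_hours: tuple[int, int] = (7, 20)) -> list[Finding]:
    """Flag admin-role activity inside the look-back window that merits review."""
    cutoff = now - timedelta(days=window_days)
    admin_events = sorted((e for e in events if e.get("role") == "admin" and e["dt"] >= cutoff),
                          key=lambda e: e["dt"])
    known = {u: set(ips) for u, ips in (known_ips or {}).items()}  # copy, do not mutate caller's
    failures, enrolls = defaultdict(list), defaultdict(list)
    findings: list[Finding] = []

    for e in admin_events:
        user, ip, dt = e["user"], e["src_ip"], e["dt"]
        if e["event"] == "login" and e["result"] == "failure":
            # Sliding window of recent failures; fire exactly once when the threshold is reached.
            failures[user] = [t for t in failures[user] if dt - t <= fail_window] + [dt]
            if len(failures[user]) == fail_threshold:
                findings.append(Finding(user, f"{fail_threshold} failed admin logins within {fail_window}", e["ts"], ip))
        elif e["event"] == "login" and e["result"] == "success":
            seen = known.setdefault(user, set())
            # Only flag an unseen IP when a baseline exists for this account; then learn it.
            if seen and ip not in seen:
                findings.append(Finding(user, "admin login from previously unseen source IP", e["ts"], ip))
            seen.add(ip)
            if not business_hours[0] <= dt.hour < business_hours[1]:
                findings.append(Finding(user, "admin login outside business hours (UTC)", e["ts"], ip))
        elif e["event"] == "device_enroll":
            enrolls[user] = [t for t in enrolls[user] if dt - t <= enroll_window] + [dt]
            if len(enrolls[user]) == enroll_threshold:
                findings.append(Finding(user, f"{enroll_threshold} device enrollments within {enroll_window}", e["ts"], ip))
    return findings


def run_sample() -> list[Finding]:
    """Run the audit over the constructed sample with a fixed 'now' so results are reproducible."""
    now = datetime(2026, 5, 31, tzinfo=timezone.utc)
    return audit_admin_activity(parse_events(SAMPLE_LOG), now, KNOWN_ADMIN_IPS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ts}  {f.user:<12} {f.src_ip:<15} {f.reason}")
```

On the sample, the April record falls outside the 30-day window and the operator-role login is ignored; the script surfaces the failed-login burst and off-hours success for `svc.mdm`, the unseen-IP and off-hours login for `admin.jane`, and the enrollment burst. A real deployment would replace `SAMPLE_LOG` with exported audit records and the baseline dict with the IPs observed before the exposure window, and treat findings as review leads rather than confirmed compromise.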
