Ivanti disclosed a high-severity remote code execution vulnerability in its on-premises Endpoint Manager Mobile (EPMM) product on May 7, with active exploitation already confirmed in the wild. CISA added the flaw to its Known Exploited Vulnerabilities catalog the same day and set an unusually tight three-day patch deadline of May 10 for Federal Civilian Executive Branch agencies, per The Hacker News.
What is broken
CVE-2026-6973 is an improper input validation bug that lets an authenticated attacker with admin access execute arbitrary code on the EPMM server. The CVSS score sits at 7.2 — not the highest number in this patch cycle, but the exploitation context matters more than the score. EPMM administers mobile device fleets across enterprises, which makes a successful admin-level RCE a direct path to push malicious configuration profiles, certificates, or VPN definitions to every managed phone or tablet under that tenant.
The vulnerability affects EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1. Ivanti’s hosted cloud product, Neurons for MDM, is not affected. The fix lives in those three point releases.
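Deciding whether a given on-premises build is still exposed is a version comparison with three fixed branches, and string comparison gets it wrong (for example "12.10" sorts before "12.8" as text). The following is an added example, not Ivanti's code or anything from the advisory: it parses EPMM version strings numerically and returns whether the build is affected by CVE-2026-6973 and which fixed release on its branch to move to. The fixed releases are the three the article names; treating a branch newer than 12.8 as "not listed" rather than "fixed" is this example's assumption.

```python
# Added example, not Ivanti's code: triage an on-prem EPMM version against
# the CVE-2026-6973 fixed releases named in the advisory.
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Fixed releases per the advisory: 12.6.1.1, 12.7.0.1 and 12.8.0.1.
FIXED_RELEASES = [(12, 6, 1, 1), (12, 7, 0, 1), (12, 8, 0, 1)]


def parse_version(text: str) -> Version:
    """Turn '12.7.0.1' (or a shorter '12.7') into a four-integer tuple.

    Integer tuples compare numerically, so 12.10.x correctly sorts after
    12.8.x; a plain string comparison would not.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected EPMM version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))  # type: ignore[return-value]


def fmt(version: Version) -> str:
    return ".".join(str(p) for p in version)


def fixed_release_for(version: Version) -> Optional[Version]:
    """Fixed release on the same major.minor branch, or None if not listed."""
    for fixed in FIXED_RELEASES:
        if fixed[:2] == version[:2]:
            return fixed
    return None


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_release).

    status is 'affected', 'fixed' or 'not listed'. recommended_release is the
    fixed build to install when status is 'affected'.
    """
    v = parse_version(text)
    branch_fix = fixed_release_for(v)
    if branch_fix is not None:
        # Same branch as a listed fix: compare directly against it.
        if v < branch_fix:
            return ("affected", fmt(branch_fix))
        return ("fixed", None)
    if v < min(FIXED_RELEASES):
        # Older branch (12.5.x and below): "before 12.6.1.1" covers it, and
        # there is no in-branch fix, so the oldest fixed line is the target.
        return ("affected", fmt(min(FIXED_RELEASES)))
    # Assumption of this example: a branch newer than anything the advisory
    # lists is not flagged, but confirm it against Ivanti's advisory rather
    # than assuming it is clean.
    return ("not listed", None)


def triage_fleet(inventory: dict) -> dict:
    """Map {tenant_name: version_string} to {tenant_name: (status, target)}."""
    return {name: assess(version) for name, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real tenants.
    fleet = {"hq": "12.8.0.0", "emea": "12.6.1.1", "apac": "12.5.2.0"}
    for tenant, (status, target) in triage_fleet(fleet).items():
        print(f"{tenant:6} {fleet[tenant]:10} {status:10} {target or ''}")
```

Feed it the version string from each tenant's console; anything reported as "affected" goes on the patch list alongside the rest of the advisory.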
Ivanti shipped four other patches in the same advisory: CVE-2026-5786 (CVSS 8.8), CVE-2026-5787 (CVSS 8.9), CVE-2026-5788 (CVSS 7.0), and CVE-2026-7821 (CVSS 7.4). None of those four is listed on KEV yet, but a hardened EPMM means closing the full advisory, not just the headline CVE.
Why the admin-auth requirement isn’t a comfort
It is tempting to read “requires admin authentication” as a mitigation. It isn’t. EPMM has been on KEV before — earlier 2026 advisories drove credential-rotation guidance that many organizations partially completed and then quietly moved past. Ivanti’s own communication on this round explicitly notes that customers who fully rotated EPMM admin credentials after those earlier incidents have materially reduced their exposure, per The Hacker News.
The implication: the active exploitation thread is being seeded with credentials harvested from prior compromises. Threat actors who collected EPMM admin tokens months ago are now monetizing them against the newly disclosed RCE path. That calls for a different defensive posture than patching alone — admins should treat any unrotated EPMM admin credential from the 2025-2026 window as suspect and force a rotation as part of this fix.
What this means
For practitioners, this is a two-track response. Track one is mechanical: roll EPMM to 12.6.1.1, 12.7.0.1, or 12.8.0.1, apply the rest of the advisory, and, for Federal Civilian Executive Branch agencies, confirm the work was finished inside CISA’s May 10 deadline. Track two is harder: audit the admin-credential history of every EPMM tenant going back to the prior 2026 advisories, rotate anything that hasn’t been refreshed, and review EPMM audit logs for unexpected admin sessions or configuration-push activity in the weeks leading up to public disclosure. The vulnerability itself is patched in an afternoon. The credential-hygiene problem it exposed is a longer conversation.
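Track two above is the part that does not come in a point release: find admin credentials that were never rotated after the earlier 2026 advisories, and look through the audit trail for admin sessions and pushes that do not fit normal operations in the run-up to May 7. The following is an added example, not Ivanti's code and not the article's: it runs both checks over a constructed audit export and a constructed rotation record, then intersects the two so that stale accounts that were also active in suspicious ways rise to the top. The pipe-delimited log format, the admin network range, the 45-day lookback and the rotation cutoff date are all assumptions of this example; map the fields to the columns of your own EPMM audit export and set the cutoff to the date you last forced a rotation.

```python
# Added example, not Ivanti's code. The log format, network range and dates
# below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

DISCLOSURE = datetime(2026, 5, 7, tzinfo=timezone.utc)   # public disclosure date from the advisory
LOOKBACK = timedelta(days=45)                             # assumption: "the weeks leading up to disclosure"
# Placeholder: the date you last forced an EPMM admin credential rotation
# after the earlier 2026 advisories. Anything older than this is suspect.
ROTATION_CUTOFF = datetime(2026, 1, 1, tzinfo=timezone.utc)
# Constructed: networks admins are expected to log in from.
ADMIN_NETWORKS = [ip_network("10.20.0.0/16")]
PUSH_ACTIONS = {"CONFIG_PUSH", "CERT_PUSH", "VPN_PUSH"}

# Constructed sample export: timestamp|actor|action|source_ip|detail
SAMPLE_LOG = """\
2026-03-02T09:14:05Z|alice|ADMIN_LOGIN|10.20.4.17|web console
2026-03-02T09:20:41Z|alice|CONFIG_PUSH|10.20.4.17|wifi profile -> group Sales
2026-04-18T02:33:10Z|svc-backup|ADMIN_LOGIN|203.0.113.44|api
2026-04-18T02:35:52Z|svc-backup|CONFIG_PUSH|203.0.113.44|vpn definition -> all devices
2026-04-18T02:36:30Z|svc-backup|CERT_PUSH|203.0.113.44|root ca -> all devices
2026-05-06T11:02:00Z|bob|ADMIN_LOGIN|10.20.4.90|web console
"""

# Constructed: admin account -> when its credential was last rotated.
SAMPLE_ADMINS = {
    "alice": datetime(2026, 2, 10, tzinfo=timezone.utc),
    "bob": datetime(2026, 3, 1, tzinfo=timezone.utc),
    "svc-backup": datetime(2025, 9, 20, tzinfo=timezone.utc),
}


@dataclass
class Event:
    ts: datetime
    actor: str
    action: str
    src: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed pipe-delimited export into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, src, detail = line.split("|", 4)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, actor, action, src, detail))
    return events


def stale_admins(last_rotation: Dict[str, datetime], cutoff: datetime = ROTATION_CUTOFF) -> List[str]:
    """Admin accounts whose credential predates the last forced rotation."""
    return sorted(a for a, when in last_rotation.items() if when < cutoff)


def suspicious_events(events: List[Event], disclosure: datetime = DISCLOSURE,
                      lookback: timedelta = LOOKBACK, networks=ADMIN_NETWORKS) -> List[Tuple[str, str, str]]:
    """Admin logins from outside the admin networks, and pushes that are
    off-network or fleet-wide, inside the pre-disclosure window."""
    window_start = disclosure - lookback
    findings = []
    for e in events:
        if not (window_start <= e.ts < disclosure):
            continue
        off_net = not any(ip_address(e.src) in n for n in networks)
        if e.action == "ADMIN_LOGIN" and off_net:
            findings.append((e.ts.isoformat(), e.actor, "admin login from outside admin networks"))
        elif e.action in PUSH_ACTIONS and (off_net or "all devices" in e.detail):
            findings.append((e.ts.isoformat(), e.actor, f"{e.action.lower()}: {e.detail}"))
    return findings


def accounts_to_investigate(events: List[Event], last_rotation: Dict[str, datetime]) -> List[str]:
    """Stale credentials that were also behind suspicious activity: rotate
    first, then pull the full session history for each."""
    active = {actor for _, actor, _ in suspicious_events(events)}
    return sorted(set(stale_admins(last_rotation)) & active)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("stale credentials:", stale_admins(SAMPLE_ADMINS))
    for ts, actor, what in suspicious_events(evts):
        print(f"{ts} {actor:12} {what}")
    print("investigate first:", accounts_to_investigate(evts, SAMPLE_ADMINS))
```

On the constructed data the service account that never had its credential rotated is the one pushing a VPN definition and a root CA to every device from an outside address two and a half weeks before disclosure, which is exactly the pattern the credential-reuse thread described above would produce. Accounts that are merely stale still get rotated; accounts that are stale and active in this way get rotated and then a full session review.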