Ivanti Warns of New EPMM Zero-Day (CVE-2026-6973) Under Active Exploitation

Ivanti Discloses Third Actively Exploited EPMM Zero-Day of 2026 (CVE-2026-6973)

Severity: CRITICAL
Published: May 10, 2026
Updated: May 12, 2026
Categories: Vulnerability, Patch Management, Mobile Security

Related Entities

Products & Tech: Ivanti Endpoint Manager Mobile (EPMM)
CVE Identifiers: CVE-2026-6973

Executive Summary

Ivanti has once again been forced to disclose an actively exploited zero-day vulnerability in its product line, this time affecting its Endpoint Manager Mobile (EPMM) solution (formerly MobileIron Core). The new flaw, tracked as CVE-2026-6973, is a high-severity remote code execution (RCE) vulnerability that is being exploited in a limited number of targeted attacks. This marks the third EPMM zero-day this year and the 34th Ivanti vulnerability added to the CISA Known Exploited Vulnerabilities (KEV) catalog since 2021, underscoring the persistent targeting of Ivanti products by sophisticated threat actors. CISA has mandated that federal agencies apply patches by May 10, 2026, highlighting the urgency of the threat.

Vulnerability Details

CVE-2026-6973 is an improper input validation vulnerability in Ivanti EPMM. It allows a remote attacker who has already obtained administrative privileges to execute arbitrary code on the affected server. The vulnerability has a CVSS score of 7.2.

While the vulnerability requires the attacker to be authenticated as an administrator, there is significant concern about attack chaining. Security researchers assess that threat actors could combine this new flaw with previously disclosed unauthenticated vulnerabilities from January 2026 (CVE-2026-1281 and CVE-2026-1340). The attack chain would be:

  1. Gain initial unauthenticated access using the older zero-days.
  2. Steal administrative credentials.
  3. Use the stolen credentials to exploit CVE-2026-6973 and achieve full remote code execution.

Affected Systems

  • Ivanti Endpoint Manager Mobile (EPMM) versions 12.8.0.0 and earlier are affected.
  • Patches are available in versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.

Exploitation Status

Ivanti has confirmed that CVE-2026-6973 is being actively exploited as a zero-day in a "very limited" number of targeted attacks. Due to this active exploitation, CISA has added it to the KEV catalog, a clear signal that the threat is credible and requires immediate action. While attribution is not confirmed, previous exploits against Ivanti EPMM have been linked to threat actors sponsored by China and Iran.

Impact Assessment

A successful exploit of this vulnerability, especially when chained with others, results in a full compromise of the EPMM server.

  • Complete System Takeover: RCE as an administrator allows the attacker to take full control of the mobile device management server.
  • Mobile Fleet Compromise: From the compromised EPMM server, an attacker could potentially push malicious policies or applications to the entire fleet of managed mobile devices, leading to a widespread corporate data breach.
  • Data Theft: The EPMM server itself contains sensitive information about the organization's mobile devices, users, and security policies, which would be exposed to the attacker.

Cyber Observables — Hunting Hints

  • Log Analysis: Review EPMM server logs for any anomalous administrative activity, especially from unfamiliar IP addresses or at unusual times.
  • Suspicious Processes: Monitor the EPMM server for any unexpected child processes being spawned by the main application service. This could indicate code execution.
  • Network Traffic: Look for any new, unexpected outbound connections from the EPMM server to external IP addresses, which could be a C2 channel.
  • Authentication Logs: Scrutinize authentication logs for signs of the initial access vector, such as exploitation attempts against the older CVEs (CVE-2026-1281, CVE-2026-1340).

Detection Methods

  • Vulnerability Scanning: Use vulnerability scanners with updated plugins to identify unpatched Ivanti EPMM instances.
  • Log Correlation (D3FEND: D3-PA - Process Analysis): In a SIEM, correlate authentication logs with process execution logs. An alert should be triggered if a login using a newly created or suspicious admin account is immediately followed by the execution of shell commands or suspicious binaries (e.g., powershell.exe, cmd.exe).
  • Integrity Monitoring: Use file integrity monitoring to detect any unauthorized changes to critical system files or application binaries on the EPMM server.
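As an added illustration of the version triage that a scanner plugin or inventory script performs for this advisory (example code, not Ivanti tooling or any real scanner plugin), the Python below encodes the affected and fixed versions listed under Affected Systems and applies them to an inventory. It assumes EPMM reports a dotted version string of up to four numeric parts and that any build on a patched branch at or above the listed fixed release carries the fix; the hostnames and versions in the sample inventory are constructed.

```python
"""Version triage for CVE-2026-6973 from the affected/fixed versions stated in
the advisory. Added example, not Ivanti tooling. Assumes EPMM reports a dotted
version string of up to four numeric parts, e.g. "12.7.0.0"."""
from typing import Dict, List, NamedTuple, Optional, Tuple

Version = Tuple[int, ...]

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
# "versions 12.8.0.0 and earlier are affected"
LAST_AFFECTED: Version = (12, 8, 0, 0)


class Triage(NamedTuple):
    version: str
    affected: bool
    recommended: Optional[str]  # fixed release to move to; None if no action needed


def parse_version(text: str) -> Version:
    """Parse 'a.b.c.d' into a 4-tuple of ints, padding missing parts with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised EPMM version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


def triage(version_text: str) -> Triage:
    """Decide whether one EPMM instance needs the CVE-2026-6973 fix."""
    v = parse_version(version_text)
    fixed = FIXED_RELEASES.get((v[0], v[1]))
    # Assumption: any build on a patched branch at or above the fixed release
    # carries the fix (e.g. 12.7.0.2 after 12.7.0.1).
    if fixed is not None and v >= fixed:
        return Triage(version_text, False, None)
    if v > LAST_AFFECTED:  # newer than the affected range stated in the advisory
        return Triage(version_text, False, None)
    # Affected: stay on the same branch if it has a fix, else go to the newest fix.
    target = fixed if fixed is not None else max(FIXED_RELEASES.values())
    return Triage(version_text, True, fmt(target))


def sweep(inventory: Dict[str, str]) -> List[Tuple[str, Triage]]:
    """Return (host, triage) for every affected instance, oldest branch first."""
    results = [(host, triage(ver)) for host, ver in inventory.items()]
    return sorted(((h, t) for h, t in results if t.affected),
                  key=lambda ht: parse_version(ht[1].version))


# Constructed inventory for demonstration; not real hosts.
SAMPLE_INVENTORY = {
    "epmm-eu-1": "12.8.0.0",
    "epmm-eu-2": "12.8.0.1",
    "epmm-us-1": "12.7.0.0",
    "epmm-lab": "12.5.2.0",
}

if __name__ == "__main__":
    for host, t in sweep(SAMPLE_INVENTORY):
        print(f"{host}: {t.version} affected, update to {t.recommended}")
```

Instances on branches older than 12.6 have no same-branch fix in the advisory, so the script points them at the newest fixed release; versions above 12.8.0.0 fall outside the stated affected range and are reported as not affected.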

Remediation Steps

  1. Patch Immediately (D3FEND: D3-SU - Software Update): The highest priority is to update all vulnerable Ivanti EPMM instances to a patched version (12.6.1.1, 12.7.0.1, or 12.8.0.1).
  2. Rotate Credentials: As recommended by Ivanti, review all accounts with administrative rights and rotate their credentials. This is crucial to invalidate any credentials that may have been stolen in the initial phase of an attack chain.
  3. Restrict Access: Ensure that the EPMM management interface is not exposed to the public internet. Access should be restricted to a limited set of trusted IP addresses via a firewall or VPN.

Timeline of Events

  1. May 10, 2026: CISA sets a deadline for federal agencies to apply patches or mitigations for CVE-2026-6973.
  2. May 10, 2026: This article was published.

Article Updates

  • May 12, 2026: Ivanti released critical patches for the actively exploited EPMM zero-day (CVE-2026-6973); hundreds of appliances remain exposed.

MITRE ATT&CK Mitigations

  • Applying the patches provided by Ivanti is the only definitive way to remediate CVE-2026-6973 (D3FEND: D3-SU - Software Update).
  • Regularly auditing and rotating administrative credentials can invalidate stolen credentials used in an attack chain.
  • Restricting network access to the EPMM management interface reduces the attack surface available to external threat actors.

D3FEND Defensive Countermeasures

For CVE-2026-6973, the immediate and most critical action is to apply the patches provided by Ivanti. Given that this is an actively exploited zero-day and part of a pattern of attacks against Ivanti products, delaying patches is not an option. Organizations must deploy the updated versions (12.6.1.1, 12.7.0.1, or 12.8.0.1) to all their EPMM instances. This action directly remediates the improper input validation vulnerability, preventing attackers from achieving remote code execution. Due to the high risk of attack chaining with older vulnerabilities, patching should be accompanied by a full credential rotation for all administrative accounts on the EPMM server, as recommended by Ivanti.

To detect potential exploitation of CVE-2026-6973, security teams should implement robust Process Analysis on their Ivanti EPMM servers. This involves using an EDR or host-based monitoring tool (like Sysmon) to watch for anomalous process creation events. Specifically, the core EPMM application process should never spawn interactive shells like cmd.exe or powershell.exe. A detection rule should be created to trigger a high-severity alert if this behavior is observed. This provides a strong signal of successful remote code execution. Correlating this process event with a preceding administrative login from an unusual IP address would further increase the confidence of the alert, indicating a full attack chain from initial access to RCE.
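The correlation rule described in the Log Correlation detection method and in the Process Analysis paragraph above, written out as an added example (not Ivanti's, and not a shipped SIEM or EDR rule): it flags the EPMM service process spawning a shell as a high-severity alert, and raises it to critical when a successful admin login from an address outside the trusted management range precedes it within a lookback window. The JSON log schema, the service image names (`java`, `mi-app`), the trusted network, and the inclusion of Unix shells alongside `cmd.exe` and `powershell.exe` are assumptions; the log lines are constructed.

```python
"""D3-PA style correlation: EPMM service process -> shell, joined with a
preceding admin login from an untrusted source IP. Added example with
constructed logs; field names, image names and trusted ranges are assumed."""
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumptions about how events appear in an EDR/Sysmon-style process log.
EPMM_SERVICE_NAMES = {"java", "mi-app"}  # hypothetical EPMM service image names
SHELL_NAMES = {"cmd.exe", "powershell.exe", "sh", "bash", "dash"}
TRUSTED_ADMIN_NETS = [ip_network("10.0.0.0/8")]  # assumed management network
LOOKBACK = timedelta(minutes=15)

# Constructed sample events (JSON lines); not real EPMM output.
AUTH_LOG = """\
{"ts":"2026-05-09T02:11:04Z","type":"auth","user":"admin","src_ip":"10.0.5.21","result":"success"}
{"ts":"2026-05-09T02:40:17Z","type":"auth","user":"svc_backup","src_ip":"203.0.113.77","result":"success"}
{"ts":"2026-05-09T02:40:40Z","type":"auth","user":"admin","src_ip":"198.51.100.9","result":"failure"}
"""
PROCESS_LOG = """\
{"ts":"2026-05-09T02:12:30Z","type":"process","parent":"java","image":"java","cmdline":"java -jar scheduler.jar"}
{"ts":"2026-05-09T02:41:02Z","type":"process","parent":"java","image":"bash","cmdline":"bash -c 'id; uname -a'"}
{"ts":"2026-05-09T03:05:00Z","type":"process","parent":"cron","image":"bash","cmdline":"bash /opt/backup.sh"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON lines into dicts with a datetime 'ts' field."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return events


def is_trusted(ip: str) -> bool:
    """True when the source address is inside an allowed management range."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def correlate(auth_text: str, process_text: str) -> List[Dict]:
    """Emit one alert per shell spawned by the EPMM service process.

    Severity is 'high' on the process signal alone and 'critical' when a
    successful login from an untrusted IP occurred within LOOKBACK before it.
    """
    auths = [e for e in parse_events(auth_text) if e.get("result") == "success"]
    alerts: List[Dict] = []
    for p in parse_events(process_text):
        if p["parent"] not in EPMM_SERVICE_NAMES or p["image"] not in SHELL_NAMES:
            continue  # normal activity, or a shell with a different parent (e.g. cron)
        alert: Dict = {
            "ts": p["ts"].isoformat(),
            "parent": p["parent"],
            "cmdline": p["cmdline"],
            "severity": "high",
            "login": None,
        }
        window = [a for a in auths if p["ts"] - LOOKBACK <= a["ts"] <= p["ts"]]
        untrusted = [a for a in window if not is_trusted(a["src_ip"])]
        if untrusted:
            last = max(untrusted, key=lambda a: a["ts"])
            alert["severity"] = "critical"
            alert["login"] = {"user": last["user"], "src_ip": last["src_ip"]}
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in correlate(AUTH_LOG, PROCESS_LOG):
        print(json.dumps(a))
```

The rule keys on the parent/child relationship rather than on the shell name alone, so the cron-launched backup script in the sample does not fire; a shell spawned by the service after a login from a trusted address still produces a high-severity alert, since the process signal is the strong one and the login context only adjusts confidence.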



Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags: Ivanti, Zero-Day, CVE-2026-6973, EPMM, MobileIron, Vulnerability, CISA, KEV
