cbcvebase.
CVE-2026-6973
published 2026-05-07

CVE-2026-6973: An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to…

PriorityP185high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2026-05-10
Exploited in the wild
EPSS
34.45%
98.2th percentile
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.

Affected

3 ranges
VendorProductVersion rangeFixed in
ivantiendpoint_manager_mobile< 12.6.1.112.6.1.1
ivantiendpoint_manager_mobile
ivantiendpoint_manager_mobile

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerability targets Ivanti EPMM versions 12.8.0.0 and earlier; monitor for exploitation attempts against on-prem EPMM appliances by authenticated admin-level users performing unexpected remote code execution activity.
  • Over 800 Ivanti EPMM appliances are exposed online; prioritize detection and monitoring on internet-facing EPMM instances for anomalous admin-authenticated RCE activity.
  • Exploitation requires admin authentication; monitor for credential abuse or unauthorized admin logins preceding RCE activity, especially if CVE-2026-1281 or CVE-2026-1340 were previously exploited in the environment.
  • CVE-2026-6973 is confirmed exploited in the wild as a zero-day; treat any unpatched on-prem EPMM instance as actively targeted and review admin accounts for signs of compromise.
  • ·Vulnerability only affects on-premises EPMM; cloud-based Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, and other Ivanti products are NOT affected.
  • ·Exploitation requires the attacker to already hold administrative credentials; unauthenticated exploitation is not possible for this CVE.

CVSS provenance

nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck7.2HIGH
cisa7.2HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.