CVE-2026-6973
Published: 2026-05-07
Priority: P1 · 85 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
KEV: CISA Known Exploited Vulnerability · due 2026-05-10
ITW: Exploited in the wild
EPSS: 34.45% (98.2th percentile)
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | endpoint_manager_mobile | < 12.6.1.1 | 12.6.1.1 |
| ivanti | endpoint_manager_mobile | — | — |
| ivanti | endpoint_manager_mobile | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability targets Ivanti EPMM versions 12.8.0.0 and earlier; monitor for exploitation attempts against on-prem EPMM appliances by authenticated admin-level users performing unexpected remote code execution activity.
- Over 800 Ivanti EPMM appliances are exposed online; prioritize detection and monitoring on internet-facing EPMM instances for anomalous admin-authenticated RCE activity.
- Exploitation requires admin authentication; monitor for credential abuse or unauthorized admin logins preceding RCE activity, especially if CVE-2026-1281 or CVE-2026-1340 were previously exploited in the environment.
- CVE-2026-6973 is confirmed exploited in the wild as a zero-day; treat any unpatched on-prem EPMM instance as actively targeted and review admin accounts for signs of compromise.
- Vulnerability only affects on-premises EPMM; cloud-based Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, and other Ivanti products are NOT affected.
- Exploitation requires the attacker to already hold administrative credentials; unauthenticated exploitation is not possible for this CVE.
CVSS provenance
nvd · v3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vulncheck · 7.2 HIGH
cisa · 7.2 HIGH
VulDB
Ivanti Endpoint Manager Mobile 12.6.1.1/12.7.0.1/12.8.0.1 input validation
vuldb·2026-05-07·CVSS 7.2
CVE-2026-6973 [HIGH] Ivanti Endpoint Manager Mobile 12.6.1.1/12.7.0.1/12.8.0.1 input validation
A vulnerability was found in Ivanti Endpoint Manager Mobile 12.6.1.1/12.7.0.1/12.8.0.1. It has been declared as critical. This vulnerability affects unknown code. Such manipulation leads to improper input validation.
This vulnerability is uniquely identified as CVE-2026-6973. The attack can be launched remotely. Moreover, an exploit is present.
It is recommended to upgrade the affected component.
GHSA
GHSA-36fg-ffjj-h5p6: An Improper Input Validation in Ivanti EPMM before versions 12
ghsa_unreviewed·2026-05-07
CVE-2026-6973 [HIGH] CWE-20 GHSA-36fg-ffjj-h5p6: An Improper Input Validation in Ivanti EPMM before versions 12
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.
VulnCheck
Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability
vulncheck·2026·CVSS 7.2
CVE-2026-6973 [HIGH] CWE-20 Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability
Ivanti Endpoint Manager Mobile (EPMM) contains an improper input validation vulnerability that allows a remotely authenticated user with administrative access to achieve remote code execution.
Affected: Ivanti Endpoint Manager Mobile (EPMM)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.ivanti.com/blog/may-2026-epmm-security-update
Remediation Du
CISA
Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability
cisa·2026-05-07·CVSS 7.2
CVE-2026-6973 [HIGH] CWE-20 Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability
Vulnerability: Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability
Affected: Ivanti Endpoint Manager Mobile (EPMM)
Ivanti Endpoint Manager Mobile (EPMM) contains an improper input validation vulnerability that allows a remotely authenticated user with administrative access to achieve remote code execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US ; https://nvd.nist.gov/vuln/detail/CVE-2026-6973
Remediation Due Date: 2026-05-10
Ivanti
Ivanti Security Advisory: CVE-2026-6973
vendor_ivanti·2026-05-07·CVSS 7.2
CVE-2026-6973 [HIGH] CWE-20 Ivanti Security Advisory: CVE-2026-6973
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.
CVE IDs: CVE-2026-6973
CVSS Base Score: 7.2
Severity: HIGH
CWEs: CWE-20
No detection rules found.
No public exploits indexed.
Checkpoint
11th May – Threat Intelligence Report
blogs_checkpoint·2026-05-11
CVE-2026-4670 11th May – Threat Intelligence Report
## 11th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Instructure, the US education technology company behind the Canvas learning platform, has confirmed a major data breach affecting its cloud-hosted environment. Exposed data reportedly includes student and staff records and private messages, while ShinyHunters escalated the attack by defacing hundreds of school login portals with r
Hackernews
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
blogs_hackernews·2026-05-11·CVSS 9.3
CVE-2026-6973 [CRITICAL] ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
## ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping st
Bleepingcomputer
CISA gives feds four days to patch Ivanti flaw exploited as zero-day
blogs_bleepingcomputer·2026-05-08·CVSS 9.8
CVE-2026-6973 [CRITICAL] CISA gives feds four days to patch Ivanti flaw exploited as zero-day
## CISA gives feds four days to patch Ivanti flaw exploited as zero-day
By Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. federal agencies four days to secure their networks against a high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that has been exploited in zero-day attacks.
Tracked as CVE-2026-6973, this security flaw allows attackers with administrative privileges to execute arbitrary code remotely on systems running EPMM 12.8.0.0 and earlier.
In a Thursday security advisory, Ivanti told customers they can secure their appliances by installing Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and advised them to review accounts with Admin rights and rotate those credentials where necessary.
"At the time of disclosure,
Bleepingcomputer
Ivanti warns of new EPMM flaw exploited in zero-day attacks
blogs_bleepingcomputer·2026-05-07·CVSS 8.8
CVE-2026-6973 [HIGH] Ivanti warns of new EPMM flaw exploited in zero-day attacks
## Ivanti warns of new EPMM flaw exploited in zero-day attacks
By Sergiu Gatlan
Ivanti warned customers today to patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) exploited in zero-day attacks.
The security flaw (tracked as CVE-2026-6973) stems from an Improper Input Validation weakness that allows remote attackers with administrative privileges to execute arbitrary code on targeted systems running EPMM 12.8.0.0 and earlier.
Ivanti says customers can mitigate the zero-day by installing Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and advises customers to review accounts with Admin rights and rotate those credentials where necessary.
"At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin au
Hackernews
Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
blogs_hackernews·2026-05-07·CVSS 9.8
CVE-2026-6973 [CRITICAL] Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
## Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been exploited in limited attacks in the wild.
The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.
It allows "a remotely authenticated user with administrative access to achieve remote code execution," Ivanti said in an advisory released today.
"We are aware of a very limited number of customers exploited with CVE-2026-6973. Successful explo
2026-05-07: Published
2026-05-07: Added to CISA KEV
Exploited in the wild