Ivanti says EPMM flaw exploited in limited attacks, CISA adds it to watchlist

Ivanti said a high-severity flaw in its Endpoint Manager Mobile (EPMM) software, tracked as CVE-2026-6973, has been used in limited attacks against on-premises systems. The flaw can let an authenticated administrator achieve remote code execution in versions before 12.6.1.1, 12.7.0.1 and 12.8.0.1.

KEY FACTS

  • Vulnerability: CVE-2026-6973 is an improper input validation issue with a CVSS score of 7.2.
  • Access required: Exploitation needs admin authentication.
  • Response: CISA added the flaw to its Known Exploited Vulnerabilities catalog and set a May 10, 2026 deadline for FCEB agencies.
  • Other flaws: Ivanti also patched four additional EPMM vulnerabilities.

In an official security advisory, the company said the issue affects EPMM before versions 12.6.1.1, 12.7.0.1 and 12.8.0.1. It also said only a very limited number of customers were affected.

The disclosure said customers who followed Ivanti’s January advice to rotate credentials after earlier EPMM flaws were exploited would face significantly reduced risk from this latest issue. The company said it does not know who is behind the attacks, whether any were successful or what the goal was.

Ivanti said the additional patched flaws include issues that could allow unauthorized administrative access, certificate impersonation, arbitrary method calls and device enrollment problems. The company said the issues affect only the on-prem EPMM product and not its cloud MDM service, Ivanti EPM, Ivanti Sentry or other products.

CISA’s Known Exploited Vulnerabilities catalog now lists the flaw because of the reported exploitation activity. That makes it a priority for federal civilian agencies and a warning sign for other organizations running the affected on-premises software.

WHY IT MATTERS

The case adds another publicly reported Ivanti EPMM flaw to a growing list of issues that can expose managed devices and administrative systems. Organizations using the affected on-premises product may need to patch quickly and check whether credentials or hosts were previously compromised.