{"id":847,"date":"2026-05-07T18:54:42","date_gmt":"2026-05-07T18:54:42","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=847"},"modified":"2026-05-07T18:54:42","modified_gmt":"2026-05-07T18:54:42","slug":"ivanti-epmm-cve-2026-6973-rce-under-active-exploitation-grants-admin-level-access","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=847","title":{"rendered":"Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span><span class=\"author\">May 07, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Network Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been exploited in limited attacks in the wild.<\/p>\n<p>The high-severity vulnerability, <strong>CVE-2026-6973<\/strong> (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.<\/p>\n<p>It allows \u00aba remotely authenticated user with administrative access to achieve remote code execution,\u00bb Ivanti <a href=\"https:\/\/hub.ivanti.com\/s\/article\/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US\">said<\/a> in an advisory released today.<\/p>\n<p>\u00abWe are aware of a very limited number of customers exploited with 
CVE-2026-6973. Successful exploitation requires Admin authentication. If customers followed Ivanti&#8217;s recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced.\u00bb<\/p>\n<p>It&#8217;s currently not known who is behind the exploitation efforts, if any of those attacks were successful, and what the end goals of the attacks were.<\/p>\n<p>The development has prompted the U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) to <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2026\/05\/07\/cisa-adds-one-known-exploited-vulnerability-catalog\">add<\/a> the flaw to its Known Exploited Vulnerabilities (<a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\">KEV<\/a>) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by May 10, 2026.<\/p>\n<p>Also patched by Ivanti in EPMM are four other flaws &#8211;<\/p>\n<ul>\n<li><strong>CVE-2026-5786<\/strong> (CVSS score: 8.8) &#8211; An improper access control vulnerability that allows a remote authenticated attacker to gain administrative access.<\/li>\n<li><strong>CVE-2026-5787<\/strong> (CVSS score: 8.9) &#8211; An improper certificate validation vulnerability that allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.<\/li>\n<li><strong>CVE-2026-5788<\/strong> (CVSS score: 7.0) &#8211; An improper access control vulnerability that allows a remote unauthenticated attacker to invoke arbitrary methods.<\/li>\n<li><strong>CVE-2026-7821<\/strong> (CVSS score: 7.4) &#8211; An improper certificate validation vulnerability that allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about the EPMM appliance and impacting the integrity of the newly enrolled device identity.<\/li>\n<\/ul>\n<p>\u00abThe issues only affect the on-prem EPMM product, and are not present in Ivanti Neurons for MDM, Ivanti&#8217;s cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products,\u00bb the company <a href=\"https:\/\/www.ivanti.com\/blog\/may-2026-epmm-security-update\">said<\/a>.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan May 07, 2026 Vulnerability \/ 
Network Security Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been exploited in limited attacks in the wild. The&hellip;<\/p>\n","protected":false},"author":1,"featured_media":848,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[130,64,1568,1566,1565,65,1567,543,316],"class_list":["post-847","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-access","tag-active","tag-adminlevel","tag-cve20266973","tag-epmm","tag-exploitation","tag-grants","tag-ivanti","tag-rce"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/847","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=847"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/847\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/848"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=847"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=847"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=847"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}