
Ivanti EPMM CVE-2026-6973: Actively Exploited Zero-Day Added to CISA KEV


Ivanti disclosed five vulnerabilities in Endpoint Manager Mobile (EPMM) on May 7, 2026. The lead flaw, CVE-2026-6973, was added to CISA's Known Exploited Vulnerabilities catalog on the same day. FCEB agencies have until May 10 to patch. If you manage EPMM on-premises, that deadline applies to you too, even if your organization is not a federal agency, because the KEV catalog reflects observed in-the-wild exploitation, not theoretical risk.

What CVE-2026-6973 actually does

CVE-2026-6973 is an improper input validation vulnerability in EPMM 12.8.0.0 and earlier. An authenticated attacker with administrative privileges can send crafted input to the server and execute arbitrary code. CVSS score: 7.2.

The "requires admin authentication" qualifier is important context but not a reason to deprioritize the patch. Ivanti products have a well-documented history of credential compromise before exploitation: attackers harvest credentials via phishing or prior breach, use them to authenticate with admin rights, and then detonate the RCE payload. The authentication requirement is a bar, not a wall.

Ivanti describes current exploitation as "very limited." In Ivanti's advisory history, that language typically signals a short window before mass-scanning begins. CVE-2026-22953 (EPMM, 2025) went from "very limited" to widely scanned in under a week.

The companion flaws are worse than the headline CVE

The same advisory covers four additional vulnerabilities:

  • CVE-2026-5787: CVSS 8.9. Improper certificate validation. A remote attacker can intercept or modify EPMM communications.
  • CVE-2026-5786: CVSS 8.8. Improper access control.
  • CVE-2026-5788: CVSS 7.0. Improper access control.
  • CVE-2026-7821: CVSS 7.4. Improper certificate validation.

CVE-2026-5787 at CVSS 8.9 is the highest-severity flaw in the bundle and has no KEV designation today, meaning it has not yet been observed in active exploitation. That could change. Patch the full bundle, not just the KEV headline.

Affected versions and fix

Affected: EPMM 12.8.0.0 and earlier. Fixed in: 12.6.1.1, 12.7.0.1, 12.8.0.1.

The cloud-based Ivanti Neurons for MDM is not affected. Neither are Ivanti EPM, Ivanti Sentry, or other Ivanti products.
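The version boundaries above are branch-specific: 12.6.1.1 is fixed even though it is "earlier" than 12.8.0.0, while 12.6.1.0 or 12.7.0.0 are still affected. The following added example (not Ivanti code, not from the original post) is a branch-aware inventory check that applies exactly the affected and fixed versions stated in the advisory; the hostnames and version strings in the inventory are constructed.

```python
"""Branch-aware check of Ivanti EPMM build numbers against the fixed releases
named in the advisory (12.6.1.1, 12.7.0.1, 12.8.0.1). Constructed helper for
inventory triage; this is not Ivanti's own tooling."""

from typing import Dict, Tuple

# Fixed release per branch, keyed by (major, minor), as stated in the advisory.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
# "12.8.0.0 and earlier" is affected.
LAST_AFFECTED: Tuple[int, ...] = (12, 8, 0, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.7' or '12.8.0.1' into a zero-padded 4-tuple for comparison."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_vulnerable(version: str) -> bool:
    """True when the build is below its branch's fixed release (or is an
    older branch with no listed fix, which the advisory covers as affected)."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_RELEASES:
        return v < FIXED_RELEASES[branch]
    # No branch-specific fix listed: anything up to 12.8.0.0 is affected;
    # anything newer than 12.8.x is outside the advisory's stated range.
    return v <= LAST_AFFECTED


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> 'PATCH' or 'ok' for a hostname -> version inventory."""
    return {host: ("PATCH" if is_vulnerable(ver) else "ok") for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; hostnames are placeholders.
    sample = {
        "epmm-01.example.internal": "12.8.0.0",
        "epmm-02.example.internal": "12.7.0.1",
        "epmm-dr.example.internal": "12.6.1.0",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

The important design point is that a plain "version <= 12.8.0.0" comparison would wrongly flag 12.6.1.1 and 12.7.0.1 as vulnerable, so the check compares within the branch first and only falls back to the global upper bound for branches the advisory lists no fix for.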

What to do

  1. Patch to 12.6.1.1, 12.7.0.1, or 12.8.0.1 immediately.
  2. After patching, rotate credentials for all admin accounts. Ivanti explicitly recommends this step because the exploitation window before patching may have exposed credentials.
  3. Review admin account activity logs for any anomalous logins or API calls in the past 30 days.
  4. If you cannot patch before May 10, restrict EPMM admin portal access to trusted internal IP ranges as a temporary mitigation.
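Steps 3 and 4 share one input: the set of internal address ranges you consider trusted. The added example below (written for this post, not Ivanti code) runs the 30-day admin-activity review from step 3 over a handful of constructed log lines, flagging admin logins and API calls from outside those ranges so each admin account gets an explicit rotate-and-review decision. The line format, timestamps, user names and addresses are all constructed for the example and do not reflect EPMM's real audit-log format.

```python
"""Review constructed admin-activity log lines for admin logins or API calls
in the last 30 days from outside trusted internal ranges. The log format and
all values are constructed for this example; this is not EPMM's audit format."""

import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List

# Assumption: the same internal ranges you would allow-list on the admin
# portal as a temporary mitigation. Constructed values.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]

# Constructed sample lines: "<ISO timestamp> <event> user=<name> src=<ip> path=<url>"
SAMPLE_LOG = """\
2026-04-02T08:15:00Z ADMIN_LOGIN user=alice src=10.1.4.22 path=/admin
2026-04-30T22:41:07Z ADMIN_LOGIN user=alice src=203.0.113.45 path=/admin
2026-05-01T03:12:55Z ADMIN_API user=alice src=203.0.113.45 path=/api/v2/devices
2026-05-06T09:00:00Z ADMIN_LOGIN user=bob src=192.168.10.7 path=/admin
2026-03-20T11:00:00Z ADMIN_LOGIN user=carol src=198.51.100.9 path=/admin
"""

ADMIN_EVENTS = {"ADMIN_LOGIN", "ADMIN_API"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into a record with a parsed timestamp."""
    ts_text, event, *fields = line.split()
    rec: Dict[str, object] = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_text, TS_FORMAT)
    rec["event"] = event
    return rec


def is_trusted(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in TRUSTED_NETS)


def find_anomalies(log_text: str, now_text: str, window_days: int = 30) -> List[Dict[str, object]]:
    """Return admin events inside the review window whose source is untrusted."""
    cutoff = datetime.strptime(now_text, TS_FORMAT) - timedelta(days=window_days)
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["ts"] < cutoff:
            continue  # older than the 30-day review window
        if rec["event"] in ADMIN_EVENTS and not is_trusted(str(rec["src"])):
            hits.append(rec)
    return hits


def summarise(hits: List[Dict[str, object]]) -> Dict[str, List[tuple]]:
    """Group findings per admin account so each account gets a rotation decision."""
    out: Dict[str, List[tuple]] = {}
    for h in hits:
        out.setdefault(str(h["user"]), []).append((h["ts"].isoformat(), h["event"], h["src"]))
    return out


def review(log_text: str = SAMPLE_LOG, now_text: str = "2026-05-07T00:00:00Z") -> Dict[str, List[tuple]]:
    """Run the review against the constructed log with the advisory date as 'now'."""
    return summarise(find_anomalies(log_text, now_text))


if __name__ == "__main__":
    for user, events in review().items():
        print(f"{user}: {len(events)} untrusted admin event(s)")
        for ts, event, src in events:
            print(f"  {ts} {event} from {src}")
```

With the advisory date as "now", the two April/May events from 203.0.113.45 for alice are flagged, bob's login from a trusted range is not, and carol's March login falls outside the 30-day window. Untrusted-source login alone does not prove compromise, but every account in the output is one you rotate and investigate rather than assume clean.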

Why Ivanti keeps showing up in these alerts

Ivanti's MDM and VPN products are attractive targets because they sit at the intersection of three things attackers want: broad enterprise access, credential stores, and network edge positioning. EPMM manages mobile devices across an organization, which means it holds authentication tokens, email configurations, VPN profiles, and corporate Wi-Fi credentials for every device it manages. Compromising EPMM gives an attacker a persistent, legitimate-looking presence across the device fleet. That is the same structural reason Ivanti Connect Secure (ICS) and Policy Secure have been KEV regulars since 2024.

The pattern: disclose a vulnerability, describe exploitation as "very limited," watch mass scanning begin within days. The advisory language is not a reliable signal of actual risk level. CISA's same-day KEV addition is the more honest signal.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you manage Ivanti products or MDM infrastructure and want to talk through your patch posture.
