CISA added CVE-2026-6973 to the Known Exploited Vulnerabilities catalog on 2026-05-07, confirming active exploitation of an improper input validation flaw in Ivanti Endpoint Manager Mobile (EPMM) that lets an authenticated admin achieve remote code execution.
What Is It
CVE-2026-6973 is an improper input validation vulnerability (CWE-20) in Ivanti Endpoint Manager Mobile. Per NVD, the flaw "allows a remotely authenticated user with administrative access to achieve remote code execution." It carries a CVSS 3.1 base score of 7.2 (HIGH), vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: network-reachable with low attack complexity and no user interaction, but requiring high privileges; successful exploitation has full confidentiality, integrity, and availability impact.
Why It Matters
CISA added the CVE to KEV on 2026-05-07 with a federal remediation due date of 2026-05-10, a three-day window that signals urgency. KEV inclusion confirms exploitation has been observed in the wild; known ransomware campaign use is listed as "Unknown." EPMM sits at the center of mobile device management for many enterprises, and admin-level RCE on that surface gives an attacker a direct path into managed-device fleets and the credentials and configurations EPMM holds. The "high privileges required" rating limits unauthenticated mass exploitation, but stolen admin credentials, a hijacked session, or insider misuse turns this into a full takeover primitive.
What's Vulnerable
Per the NVD CPE configuration, Ivanti Endpoint Manager Mobile is vulnerable in:
- All versions before 12.6.1.1
- 12.7.0.0
- 12.8.0.0
Fixed versions are 12.6.1.1, 12.7.0.1, and 12.8.0.1.
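The affected set above is not a single "less than" range: everything below 12.6.1.1 is affected, but on the 12.7 and 12.8 branches only the .0.0 builds are listed, each with its own fix. A naive "version < 12.8.0.1" check would misreport 12.6.1.1 as vulnerable and 12.7.0.1 as needing a patch. The following is an added example, not code from the page or from Ivanti, that encodes the NVD configuration exactly and triages an inventory against it. It assumes EPMM versions are reported as dotted numerics, optionally followed by a build suffix such as "-build7" (an assumption about the string format); the hostnames and versions in SAMPLE_INVENTORY are constructed for illustration. Versions outside the NVD configuration (for example a hypothetical 12.9.0.0) are reported as not_listed rather than safe, because the page does not say they are fixed.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected set as the NVD CPE configuration states it: every version before
# 12.6.1.1, plus exactly 12.7.0.0 and 12.8.0.0. Fixed releases per the
# Ivanti May 2026 advisory: 12.6.1.1, 12.7.0.1, 12.8.0.1.
FIRST_FIXED_IN_RANGE: Version = (12, 6, 1, 1)
EXACT_AFFECTED: Dict[Version, Version] = {
    (12, 7, 0, 0): (12, 7, 0, 1),
    (12, 8, 0, 0): (12, 8, 0, 1),
}
FIXED = {FIRST_FIXED_IN_RANGE, *EXACT_AFFECTED.values()}


def parse_version(text: str) -> Version:
    """Parse an EPMM version string into a 4-tuple for comparison.

    Accepts '12.6.1.1' and, as an assumption about how versions may be
    reported, a trailing build/tag suffix ('11.12.0.3-build7') which is
    ignored. Strings with fewer than four parts are zero-padded, so '12.7'
    compares as 12.7.0.0.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+){0,3})", text)
    if not m:
        raise ValueError(f"unparseable EPMM version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


def assess(text: str) -> Dict[str, Optional[str]]:
    """Classify one version against the CVE-2026-6973 affected set.

    status is 'vulnerable' (with the target fixed_in build), 'fixed' for one
    of the three patched releases, or 'not_listed' for a version outside the
    NVD configuration, which should be checked against the vendor advisory
    rather than assumed safe.
    """
    v = parse_version(text)
    if v in FIXED:
        return {"version": fmt(v), "status": "fixed", "fixed_in": None}
    if v < FIRST_FIXED_IN_RANGE:
        return {"version": fmt(v), "status": "vulnerable",
                "fixed_in": fmt(FIRST_FIXED_IN_RANGE)}
    if v in EXACT_AFFECTED:
        return {"version": fmt(v), "status": "vulnerable",
                "fixed_in": fmt(EXACT_AFFECTED[v])}
    return {"version": fmt(v), "status": "not_listed", "fixed_in": None}


def triage(inventory: List[Tuple[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Return the hosts needing action, vulnerable first, then not_listed,
    each row carrying the target fix build where the page names one."""
    rows = []
    for host, ver in inventory:
        result = assess(ver)
        if result["status"] != "fixed":
            rows.append({"host": host, **result})
    order = {"vulnerable": 0, "not_listed": 1}
    rows.sort(key=lambda r: (order[r["status"]], r["host"]))
    return rows


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("epmm-eu-01", "12.6.0.0"),
    ("epmm-eu-02", "12.6.1.1"),
    ("epmm-us-01", "12.7.0.0"),
    ("epmm-us-02", "12.8.0.1"),
    ("epmm-lab-01", "11.12.0.3-build7"),
    ("epmm-lab-02", "12.9.0.0"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:12} {row['version']:10} {row['status']:11} "
              f"fix: {row['fixed_in'] or '-'}")
```

Run it against an export of EPMM build numbers from your asset inventory; anything in the vulnerable rows is past the BOD 22-01 deadline, and the not_listed rows are the ones to reconcile manually against the Ivanti advisory.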
Patch Status
Ivanti published a May 2026 Security Advisory covering this CVE and others; patched releases 12.6.1.1, 12.7.0.1, and 12.8.0.1 are available. CISA's required action: "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." Federal due date was 2026-05-10; any unpatched EPMM instance is now past the BOD 22-01 deadline.