Actively Exploited Ivanti EPMM CVE-2026-6973 Added to CISA KEV

Ivanti disclosed CVE-2026-6973, an actively exploited RCE vulnerability in EPMM 12.8.0.0 and earlier. CISA set a May 10 federal remediation deadline.

    Ivanti disclosed an actively exploited remote code execution vulnerability in its Endpoint Manager Mobile product, with the Cybersecurity and Infrastructure Security Agency adding the flaw to its Known Exploited Vulnerabilities catalog and issuing a mandatory May 10, 2026, remediation deadline for federal agencies. CVE-2026-6973 affects EPMM version 12.8.0.0 and all earlier releases.

    CVE-2026-6973: Authenticated RCE Grants Admin-Level Access to EPMM Systems

    The vulnerability is classified as an improper input validation flaw carrying a CVSS score of 7.2. Exploitation requires authenticated access — specifically administrative credentials — but successful exploitation grants attackers the ability to execute arbitrary code on the underlying EPMM system with admin-level privileges. In mobile device management environments, that level of access can translate into broad control over managed endpoints, including the ability to push policy changes, wipe devices, or access credentials and configuration data stored within the platform.

    Ivanti confirmed the flaw is being actively exploited in the wild, though the company did not specify the volume of confirmed compromises or identify the threat actors responsible for exploitation at the time of disclosure.

    CISA Adds CVE-2026-6973 to KEV and Sets May 10 Federal Deadline

    CISA added CVE-2026-6973 to its Known Exploited Vulnerabilities catalog on May 7, 2026, under Binding Operational Directive 22-01. Federal civilian executive branch agencies are required to remediate vulnerabilities in the KEV catalog by the specified deadline or discontinue use of the affected product. For CVE-2026-6973, that deadline is May 10, 2026 — leaving affected federal agencies a narrow window to apply mitigations.

    CISA’s directive instructs organizations to apply vendor-supplied mitigations immediately or, where mitigation is not feasible, to cease using the affected product until a remediated version is available. The May 10 deadline applies specifically to federal civilian agencies, but CISA strongly encourages all organizations running Ivanti EPMM 12.8.0.0 or earlier to treat the advisory with equivalent urgency.

    Ivanti EPMM’s Recurring Vulnerability History Raises Concerns

    This is not the first time Ivanti EPMM has appeared in CISA’s KEV catalog as an actively exploited product. The platform, formerly known as MobileIron, has been the subject of multiple significant vulnerabilities in recent years, including CVE-2023-35078 — an authentication bypass exploited by state-sponsored actors — and a series of follow-on vulnerabilities disclosed in 2024.

    Why Admin Credential Theft Makes CVE-2026-6973 High-Risk Despite Authentication Requirement

    The authentication requirement for CVE-2026-6973 may appear to reduce the severity relative to unauthenticated flaws, but the practical risk in many enterprise environments remains high. Administrative credentials to EPMM systems are often stored in password managers, shared among IT staff, or embedded in automation scripts — making them accessible to attackers who have already achieved initial access through phishing, credential stuffing, or other means.

    Furthermore, in environments where EPMM administrative access is not protected by multi-factor authentication, a credential compromise alone is sufficient to reach the vulnerable code path. The active exploitation status of this vulnerability suggests threat actors have already identified viable paths to the necessary credentials.

    Scope of Affected Ivanti EPMM Deployments

    Ivanti Endpoint Manager Mobile is used across enterprise and government environments to manage and enforce policy on mobile devices running iOS, Android, and other platforms. Organizations that have deployed EPMM for mobile device management — particularly those that have not kept the platform updated — should treat this disclosure as a high-priority remediation event.

    Ivanti’s Recommended Remediation Steps

    Ivanti has provided mitigations for CVE-2026-6973 and directed customers to apply the available patches without delay. Organizations running affected versions should prioritize updating to a non-vulnerable release. Where immediate patching is not operationally feasible, restricting administrative access to EPMM from trusted network segments only and enforcing multi-factor authentication on administrative accounts are the most impactful interim controls available.
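The following added example (not Ivanti's or CISA's code) triages an EPMM inventory against the affected range stated above and checks whether the two interim controls are in place. The record fields, hostnames, trusted range and the plain dotted version format are assumptions made for illustration.

```python
import ipaddress

# From the article: EPMM 12.8.0.0 and all earlier releases are affected.
LAST_AFFECTED = (12, 8, 0, 0)

def parse_version(text):
    """Parse a dotted numeric version such as '12.8.0.0'; pad short ones with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def admin_access_restricted(allowed_cidrs, trusted_cidrs):
    """True only if every permitted admin source range sits inside a trusted segment."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    if not allowed_cidrs:
        return False  # no allowlist recorded: treat as unrestricted
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr)
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            return False
    return True

def triage(record, trusted_cidrs):
    """Classify one inventory record against the advisory and the interim controls."""
    if parse_version(record["version"]) > LAST_AFFECTED:
        # Later than the stated range; confirm against Ivanti's advisory.
        return "above-stated-range"
    gaps = []
    if not record["admin_mfa"]:
        gaps.append("no-mfa")
    if not admin_access_restricted(record["admin_allowed_cidrs"], trusted_cidrs):
        gaps.append("admin-exposed")
    return "patch-now:" + (",".join(gaps) or "interim-controls-ok")

# Constructed sample data (hypothetical hosts, fields and address ranges).
TRUSTED = ["10.20.0.0/16"]
INVENTORY = [
    {"host": "epmm-a.example.internal", "version": "12.8.0.0",
     "admin_mfa": False, "admin_allowed_cidrs": ["0.0.0.0/0"]},
    {"host": "epmm-b.example.internal", "version": "12.7.0.1",
     "admin_mfa": True, "admin_allowed_cidrs": ["10.20.5.0/24"]},
    {"host": "epmm-c.example.internal", "version": "12.8.0.1",
     "admin_mfa": True, "admin_allowed_cidrs": ["10.20.5.0/24"]},
]

if __name__ == "__main__":
    for rec in INVENTORY:
        print(rec["host"], rec["version"], triage(rec, TRUSTED))
```

A result of `patch-now:interim-controls-ok` still means the instance is in the affected range and needs the update; the interim controls only narrow who can reach the administrative interface in the meantime.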

    The combination of active exploitation, a government-mandated remediation deadline, and Ivanti EPMM’s demonstrated history as a high-value target for sophisticated threat actors makes CVE-2026-6973 one of the most time-sensitive vulnerabilities requiring attention this week.
