Critical | Zero-Day | CVE-2026-6973

Ivanti EPMM Remote Code Execution Added to CISA KEV After Exploitation

Ivanti EPMM contains an improper input validation vulnerability that allows a remotely authenticated administrative user to achieve remote code execution. NVD confirms the CVE is in CISA KEV.

Defenders should validate whether the affected product exists in their environment, prioritize exposed systems, and apply the confirmed vendor or project guidance listed below. Where a fixed version is not confirmed by the reviewed sources, treat exposure reduction and access restriction as the immediate control.

Summary

CVE-2026-6973 is relevant for vulnerability managers, SOC teams, system administrators, and security engineers responsible for Ivanti Endpoint Manager Mobile. The operational risk depends on exposure, privileges required, and whether the affected component is reachable by untrusted users.

This article only uses details supported by the listed sources. It does not claim active exploitation, patch availability, affected versions, fixed versions, or indicators of compromise unless those details are explicitly confirmed in the reviewed sources.

What happened

Public vulnerability records and advisories documented CVE-2026-6973 affecting Ivanti Endpoint Manager Mobile. The most important confirmed point is: Ivanti EPMM contains an improper input validation vulnerability that allows a remotely authenticated administrative user to achieve remote code execution. NVD confirms the CVE is in CISA KEV.

Affected products

| Product | Affected versions | Fixed versions | Source notes |
| --- | --- | --- | --- |
| Ivanti Endpoint Manager Mobile | Before 12.6.1.1, 12.7.0.1, and 12.8.0.1 | 12.6.1.1, 12.7.0.1, and 12.8.0.1 | Based on the listed source records for CVE-2026-6973. |

Technical details

The NVD/Tenable descriptions state the issue affects EPMM before 12.6.1.1, 12.7.0.1, and 12.8.0.1. The attack requires remote authentication with administrative access.

No exploit code, weaponized payloads, or step-by-step exploitation details are included here.

Exploitation status

CISA KEV lists this CVE and NVD states it is in the catalog. Public reporting says limited exploitation has been observed.

Public exploit availability does not automatically mean confirmed real-world exploitation. Active exploitation is stated only where the cited sources explicitly confirm it.

Impact

Successful exploitation could affect confidentiality, integrity, or availability depending on the product and deployment. For cloud and hosted-service records, the reviewed sources may not provide customer-controlled version ranges. For local privilege escalation issues, the attacker generally needs local access first unless the source says otherwise.

Defender guidance

Prioritize internet-facing and business-critical deployments first. Confirm the installed version, review exposure, reduce access to trusted networks, and apply the confirmed fixed release or vendor mitigation. Where authentication is required, review privileged accounts and recent administrative actions.
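The version check and prioritization described above can be scripted against an asset inventory. The following is an added example, not code from Ivanti or the cited sources; it assumes each fixed release applies to its own 12.6, 12.7 or 12.8 branch, that branches older than 12.6 are affected, and it uses a constructed inventory with hypothetical hostnames.

```python
import re

# Fixed releases listed on this page, keyed by (major, minor) release branch.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
ORDER = {"affected": 0, "verify": 1, "fixed": 2}

def parse_version(text):
    """Parse '12.7.0.0' into a 4-tuple; short strings are zero-padded (conservative)."""
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text.strip()):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(version_text):
    """Classify one reported version as 'affected', 'fixed' or 'verify'."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "verify"      # unparseable: confirm the version on the appliance
    branch = v[:2]
    if branch in FIXED:
        return "fixed" if v >= FIXED[branch] else "affected"
    if branch < min(FIXED):
        return "affected"    # assumption: no fixed release is listed for older branches
    return "verify"          # newer branch than this page covers

def prioritise(inventory):
    """Sort affected hosts first, internet-facing hosts first within each status."""
    rows = [(h["host"], h["version"], triage(h["version"]), h["internet_facing"])
            for h in inventory]
    return sorted(rows, key=lambda r: (ORDER[r[2]], not r[3], r[0]))

# Constructed sample inventory (hostnames and versions are illustrative only).
INVENTORY = [
    {"host": "epmm-lab.example.internal", "version": "12.8.0.1", "internet_facing": False},
    {"host": "epmm-corp.example.internal", "version": "12.7.0.0", "internet_facing": False},
    {"host": "epmm-dmz.example.internal", "version": "12.6.1.0", "internet_facing": True},
    {"host": "epmm-old.example.internal", "version": "12.5.0.2", "internet_facing": False},
    {"host": "epmm-new.example.internal", "version": "12.9.0.0", "internet_facing": True},
]

if __name__ == "__main__":
    for host, version, status, exposed in prioritise(INVENTORY):
        print(f"{status:9} exposed={exposed!s:5} {version:10} {host}")
```

Hosts reported as `verify` need a manual check against the vendor advisory rather than an automatic pass.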

For web application issues, review request logs, database errors, authentication events, and suspicious administrative activity. For endpoint and kernel issues, review EDR telemetry, local privilege escalation signals, abnormal process ancestry, and recent crashes.

Detection and hunting notes

The reviewed sources do not provide trusted IOCs for this item unless stated below.

| Indicator | Type | Notes |
| --- | --- | --- |
| Not confirmed | N/A | No source-backed IOC was available in the reviewed public sources for this article. |

Hunt for behavior consistent with the vulnerability class rather than relying only on static IOCs. Examples include unexpected administrative actions, abnormal service crashes, unusual database queries, unauthorized file access, or privilege changes.

Mitigation

Apply Ivanti fixed versions immediately. Review administrative accounts, EPMM logs, unexpected package/configuration changes, and internet exposure of management interfaces.

If a vendor patch is not confirmed, do not assume a fix exists. Use exposure reduction, access control, monitoring, and compensating controls until the maintainer publishes verified guidance.

Timeline

| Date | Event |
| --- | --- |
| 2026-05-09 | Article prepared for news.h4rithd.com from verified public sources. |
| Source timeline | 2026-05-07: CISA added CVE-2026-6973 to KEV with a 2026-05-10 due date for federal remediation. |

Bottom line

CVE-2026-6973 should be triaged based on exposure, privilege requirements, and the affected product’s role in the environment. Patch where a fixed version is confirmed; otherwise reduce exposure and monitor until reliable vendor guidance is available.

Sources

  1. https://nvd.nist.gov/vuln/detail/CVE-2026-6973
  2. https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US
  3. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-6973
  4. https://thehackernews.com/2026/05/ivanti-epmm-cve-2026-6973-rce-under.html
Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -