Ivanti EPMM Authenticated Remote Code Execution Vulnerability Exploited
CVE-2026-6973, an authenticated remote code execution vulnerability in Ivanti Endpoint Manager Mobile (EPMM), is being actively exploited, potentially leading to data breaches and system compromise.
Ivanti has released security updates to address multiple vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The most critical, CVE-2026-6973, is an improper input validation issue that allows an authenticated attacker with administrative access to execute arbitrary code remotely. Ivanti reports that a limited number of customers have been exploited via CVE-2026-6973. Successful exploitation can lead to data breaches, system compromise, and operational downtime. This vulnerability, along with CVE-2026-5786, CVE-2026-5787, CVE-2026-5788 and CVE-2026-7821, affects Ivanti EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1. Because exploitation requires administrative access, the practical risk hinges on credential compromise: it is believed that the administrative credentials used to exploit CVE-2026-6973 were obtained through earlier exploitation of CVE-2026-1340.
Attack Chain
- Initial access via CVE-2026-1340, yielding administrative credentials for EPMM.
- The attacker authenticates to the EPMM administrative interface with those credentials.
- Crafted requests to the server exploit CVE-2026-6973: the missing input validation lets attacker-controlled input be executed as code.
- The attacker gains remote code execution in the context of the EPMM server process.
- The compromised server is used to access sensitive data and as a pivot into the internal network.
- Sensitive data is exfiltrated and additional malware may be deployed.
Impact
Successful exploitation of CVE-2026-6973 can lead to data breaches, system compromise, and operational downtime. A limited number of customers have reportedly been affected. Because EPMM manages mobile device policy and credentials, a compromised EPMM server can serve as a pivot point to other systems within the network, impacting the confidentiality, integrity, and availability of critical business operations. Among the other vulnerabilities fixed in the same release, CVE-2026-5787 allows an attacker to impersonate Sentry hosts and obtain valid CA-signed client certificates.
Recommendation
- Apply the security updates provided by Ivanti to patch CVE-2026-6973, CVE-2026-5786, CVE-2026-5787, CVE-2026-5788 and CVE-2026-7821: upgrade affected Ivanti EPMM installations to 12.6.1.1, 12.7.0.1, or 12.8.0.1 (or later) for their respective branches.
- Review accounts with administrative rights on Ivanti EPMM and rotate their credentials, as recommended by the vendor, since stolen administrative credentials are the believed precondition for exploitation.
- Monitor web server logs for suspicious activity indicative of CVE-2026-6973 exploitation, and deploy the detection rules listed below to flag potential exploitation attempts.
- Investigate and remediate any prior compromise via CVE-2026-1340, if present, as the likely source of the compromised credentials.
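The patch step above reduces to a branch-aware version comparison, which is easy to get wrong when versions have differing numbers of components. The following script is an added example, not Ivanti tooling: it encodes the three fixed releases named on this page and classifies an installed version string. It assumes versions are dotted integers, treats a branch with no listed fix (for example 12.5.x) as affected, and reports anything newer than the listed branches as not covered by this advisory rather than guessing.

```python
"""Classify an Ivanti EPMM version against the fixed releases in the advisory.

Added example, not vendor code. Fixed versions are those stated on the page:
12.6.1.1, 12.7.0.1 and 12.8.0.1. Anything else here is an assumption.
"""

# Fixed release per (major, minor) branch, as listed in the advisory.
FIXED = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
NEWEST_BRANCH = max(FIXED)


def parse_version(s):
    """Turn '12.7' or '12.6.1.1' into a 4-tuple of ints, padding with zeros.

    Padding makes '12.7' compare as 12.7.0.0, i.e. below the 12.7.0.1 fix.
    """
    parts = s.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized version string: {s!r}")
    v = tuple(int(p) for p in parts)
    return v + (0,) * (4 - len(v))


def assess(version):
    """Return (status, note) where status is 'fixed', 'affected' or 'unknown'."""
    v = parse_version(version)
    branch = v[:2]
    if branch > NEWEST_BRANCH:
        # Assumption: releases newer than those listed are outside this advisory's scope.
        return ("unknown", "branch newer than those covered by the advisory; check vendor guidance")
    fixed = FIXED.get(branch)
    if fixed is None:
        # Older branch with no listed fixed build: affected; move to a patched branch.
        return ("affected", "no fixed release listed for this branch; upgrade to 12.6.1.1, 12.7.0.1 or 12.8.0.1")
    if v >= fixed:
        return ("fixed", "at or above the fixed release for this branch")
    return ("affected", "upgrade to " + ".".join(str(x) for x in fixed))


if __name__ == "__main__":
    for sample in ("12.6.1.0", "12.6.1.1", "12.7", "12.8.0.2", "12.5.0.0", "13.0.0.0"):
        status, note = assess(sample)
        print(f"{sample:10} {status:9} {note}")
```

Run it against the version shown in the EPMM admin portal; a status of `affected` means the host is still exposed to all five CVEs listed above.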
Detection coverage (2 rules)
Detect Suspicious HTTP Requests to Ivanti EPMM (high): detects suspicious HTTP requests to the Ivanti EPMM server potentially related to CVE-2026-6973 exploitation.
Detect administrative access from uncommon user agent (medium): detects administrative web access to Ivanti EPMM from uncommon user agent strings.
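The second rule above can be reproduced directly over web server access logs. The script below is an added example, not the platform's rule or Ivanti code: it parses NCSA combined-format lines, keeps only requests under an assumed administrative path prefix (`/mifs/admin`, set `ADMIN_PATH_PREFIXES` to match your own logs), and flags those whose user agent does not look like a browser. The sample log lines are constructed for illustration; the request paths in them are not real EPMM endpoints.

```python
"""Flag administrative web access to Ivanti EPMM from uncommon user agents.

Added example, not the vendor's or the platform's detection logic. The admin
path prefix and the notion of a "common" user agent are assumptions to tune.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: the EPMM administrative portal is served under this prefix.
ADMIN_PATH_PREFIXES = ("/mifs/admin",)

# Assumption: interactive admin sessions come from browsers, which send a
# Mozilla/ prefix. curl, python-requests, Go-http-client etc. are "uncommon".
COMMON_UA_PREFIXES = ("Mozilla/",)

# NCSA combined log format as written by nginx and Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample input; paths and clients are illustrative only.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2026:10:01:02 +0000] "GET /mifs/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
203.0.113.10 - - [12/May/2026:10:01:05 +0000] "POST /mifs/admin/rest/ HTTP/1.1" 200 312 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
198.51.100.7 - - [12/May/2026:10:02:11 +0000] "POST /mifs/admin/rest/ HTTP/1.1" 200 88 "-" "python-requests/2.31.0"
198.51.100.7 - - [12/May/2026:10:02:15 +0000] "POST /mifs/admin/rest/?x=1 HTTP/1.1" 401 0 "-" "curl/8.4.0"
192.0.2.25 - - [12/May/2026:10:03:00 +0000] "GET /mifs/c/ HTTP/1.1" 200 900 "-" "curl/8.4.0"
this line is not in combined format
"""


@dataclass
class Hit:
    ip: str
    method: str
    path: str
    status: int
    ua: str
    reason: str


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_admin_path(path):
    # Strip the query string before matching the prefix.
    return path.split("?", 1)[0].startswith(ADMIN_PATH_PREFIXES)


def is_uncommon_ua(ua):
    return not ua.startswith(COMMON_UA_PREFIXES)


def detect(lines):
    """Return a Hit for every admin-path request made with an uncommon user agent."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_admin_path(rec["path"]):
            continue
        if is_uncommon_ua(rec["ua"]):
            reason = "uncommon user agent on admin path"
            # A 2xx means the client was authenticated: treat as higher confidence.
            if 200 <= rec["status"] < 300:
                reason += " (request succeeded)"
            hits.append(Hit(rec["ip"], rec["method"], rec["path"], rec["status"], rec["ua"], reason))
    return hits


def summarize(hits):
    """Count hits per source IP so repeated probing from one host stands out."""
    return dict(Counter(h.ip for h in hits))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ip} {h.method} {h.path} {h.status} {h.ua!r}: {h.reason}")
    print(summarize(found))
```

Successful (2xx) hits are the ones to triage first, since they show an authenticated non-browser client on the admin interface, consistent with stolen administrative credentials being used programmatically; 401s from the same source still matter as evidence of credential guessing or a failed attempt. Tune the user agent allow-list to the automation you legitimately run against EPMM before deploying this at scale.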