Attack Chain

1. Initial compromise via CVE-2026-1340, allowing attackers to gain administrative credentials.
2. Attacker authenticates to the Ivanti EPMM administrative interface.
3. Exploitation of CVE-2026-6973 through crafted requests to the server.
4. Improper input validation allows the attacker to inject malicious code.
5. The injected code is executed within the context of the EPMM server.
6. Attacker gains remote code execution on the EPMM server.
7. Attacker leverages the compromised server to access sensitive data.
8. Exfiltration of sensitive data and potential deployment of malware.

Impact

Successful exploitation of CVE-2026-6973 can lead to data breaches, system compromise, and operational downtime. A limited number of customers have reportedly been affected. The compromised EPMM server can be used as a pivot point to access other systems within the network, potentially impacting the confidentiality, integrity, and availability of critical business operations. Other vulnerabilities such as CVE-2026-5787 allow impersonation of Sentry hosts and obtaining valid CA-signed client certificates.

Recommendation

• Apply the security updates provided by Ivanti to patch CVE-2026-6973, CVE-2026-5786, CVE-2026-5787, CVE-2026-5788 and CVE-2026-7821 in Ivanti EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1.
• Review accounts with administrative rights on Ivanti EPMM and rotate credentials where necessary, as recommended by the vendor.
• Monitor web server logs for suspicious activity indicative of CVE-2026-6973 exploitation. Deploy the provided Sigma rule to detect potential exploitation attempts.
• Investigate and remediate any potential compromises resulting from the exploitation of CVE-2026-1340, if present, as a potential source of compromised credentials.