Critical Remote Code Execution in Ivanti Endpoint Manager Mobile (CVE-2026-6973) Threatens Enterprise Mobile Management
What It Is — Ivanti disclosed a high‑severity remote code execution flaw (CVE-2026-6973) in Endpoint Manager Mobile (EPMM) that stems from improper input validation. An authenticated attacker with admin rights can execute arbitrary code on the management server.
Exploitability — Limited attacks have been observed in the wild; proof‑of‑concept code is publicly available. CVSS v3.1 base score 7.2 (High).
Affected Products — Ivanti Endpoint Manager Mobile versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1.
TPRM Impact — Organizations that outsource mobile device management to Ivanti or rely on third‑party MSPs using EPMM face a supply‑chain risk: a compromised EPMM server can be leveraged to pivot into corporate networks, exfiltrate data, or deploy malicious payloads to managed devices.
Recommended Actions
- Verify the current EPMM version; upgrade immediately to 12.6.1.1, 12.7.0.1, 12.8.0.1, or a later release.
- Review admin account usage; enforce least‑privilege and MFA for all privileged users.
- Conduct a focused threat‑hunt on EPMM logs for anomalous admin activity since the advisory date.
- Re‑assess third‑party risk contracts with Ivanti and any MSPs that host EPMM, adding clauses for timely patching and vulnerability disclosure.
- Update incident‑response playbooks to include a “Mobile MDM compromise” scenario.
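
The version check from the first action, as an added example (not Ivanti's or the source article's code): it classifies a constructed inventory of EPMM hosts against the fixed builds listed above. It assumes versions are reported as dotted numbers, that branches older than 12.6 have no fixed build, and that branches newer than 12.8 already contain the fix; the hostnames and function names are illustrative.

```python
import re

# Fixed builds from the advisory, keyed by (major, minor) release branch.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}


def parse_version(text):
    """Return the version as a 4-tuple of ints, or None if it is not dotted-numeric."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){1,3})\s*", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad 12.7 -> 12.7.0.0


def classify(text):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version string."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    branch = v[:2]
    if branch in FIXED:
        return "patched" if v >= FIXED[branch] else "vulnerable"
    # Assumption: branches older than the oldest listed branch have no fixed build,
    # and branches newer than the newest listed branch already include the fix.
    return "vulnerable" if branch < min(FIXED) else "patched"


def triage(inventory):
    """Group hostnames by status; 'unknown' hosts need a manual version check."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        result[classify(version)].append(host)
    return result


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = [
    ("epmm-eu-01", "12.6.1.0"),
    ("epmm-eu-02", "12.6.1.1"),
    ("epmm-us-01", "12.7.0.0"),
    ("epmm-us-02", "12.8.0.2"),
    ("epmm-lab", "11.12.0.5"),
    ("epmm-msp", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts that land in `unknown`, such as an MSP-hosted instance whose version was never reported, should be chased as if vulnerable until a version is confirmed.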
Source: The Hacker News