Zero‑Day Remote Code Execution in Ivanti Endpoint Manager Mobile (CVE‑2026‑6973) Threatens Enterprise Mobile Management
What It Is – Ivanti disclosed five high‑severity flaws in its Endpoint Manager Mobile (EPMM) suite; CVE‑2026‑6973 is an input‑validation bug that lets a remote attacker with administrative credentials execute arbitrary code on the management server.
Exploitability – The vulnerability is being weaponised in the wild as a zero‑day. A limited but confirmed set of customers has been compromised. CVSS v3.1 is estimated at 9.8 (Critical).
Affected Products – Ivanti Endpoint Manager Mobile (EPMM) versions prior to the May 2026 security patch.
TPRM Impact – Because EPMM is a core component for managing thousands of corporate mobile devices, a breach can cascade to downstream vendors, SaaS integrations, and any organization that outsources its mobile device management (MDM) to Ivanti.
Recommended Actions –
- Immediately apply Ivanti’s May 2026 security patches for all EPMM instances.
- Conduct a rapid inventory of all third‑party services that rely on Ivanti EPMM APIs and verify they are patched.
- Review privileged‑account usage on EPMM servers; enforce MFA and least‑privilege principles.
- Initiate threat‑hunt queries for indicators of compromise (IoCs) associated with the known exploit.
- Update third‑party risk registers to flag Ivanti as a high‑risk supplier until remediation is confirmed.
Source: Help Net Security – Ivanti EPMM vulnerability exploited in zero‑day attacks (CVE‑2026‑6973)