VULNERABILITY BRIEF · High Vulnerability

Zero-Day in Ivanti Endpoint Manager Mobile (CVE-2026-6973) Added to CISA KEV Catalog, Actively Exploited

CISA has listed a high‑severity zero‑day (CVE‑2026‑6973) in Ivanti Endpoint Manager Mobile in its Known Exploited Vulnerabilities catalog. The flaw allows admin‑authenticated attackers to execute arbitrary code on devices running EPMM 12.8.0.0 and earlier, prompting urgent patching for all third‑party risk‑managed environments.

LiveThreat™ Intelligence · May 08, 2026 · Source: securityaffairs.com

Severity: High · Type: Vulnerability · Confidence: High · Affected: 2 sector(s) · Actions: 5 recommended

Zero‑Day in Ivanti Endpoint Manager Mobile (CVE‑2026‑6973) Threatens Mobile Endpoint Management

What It Is — Ivanti Endpoint Manager Mobile (EPMM) versions 12.8.0.0 and earlier contain an input‑validation flaw (CVE‑2026‑6973) that lets an attacker with administrative credentials execute arbitrary code on managed devices. The vulnerability carries a CVSS 7.1 rating and is classified as a high‑severity zero‑day.

Exploitability — CISA’s Known Exploited Vulnerabilities (KEV) catalog confirms limited but active exploitation in the wild. Exploits require valid admin authentication, but successful exploitation yields full code execution on the endpoint.

Affected Products — Ivanti Endpoint Manager Mobile 12.8.0.0 and earlier (mobile‑only UEM). Patched releases: 12.6.1.1, 12.7.0.1, 12.8.0.1. The flaw does not affect Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, or other Ivanti solutions.

TPRM Impact — Organizations that rely on Ivanti EPMM to manage corporate smartphones and tablets face a supply‑chain risk: a compromised endpoint can become a foothold for lateral movement, data exfiltration, or ransomware deployment across the enterprise network. Federal agencies must remediate by May 10, 2026, and private firms are urged to follow suit to avoid regulatory penalties and operational disruption.

Recommended Actions

  • Inventory all endpoints managed by Ivanti EPMM and verify the installed version.
  • Patch immediately to 12.6.1.1, 12.7.0.1, or 12.8.0.1; verify patch deployment via a trusted update channel.
  • Enforce strong admin credential hygiene – multi‑factor authentication, least‑privilege admin accounts, and regular password rotation.
  • Monitor for Indicators of Compromise (IoCs) associated with known exploit attempts (e.g., unusual admin‑level process launches, outbound connections from managed devices).
  • Validate compliance with CISA KEV directives and document remediation for audit purposes.
  • Consider interim mitigations such as network segmentation of mobile devices and disabling unnecessary remote admin functions until patches are applied.
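For the inventory and version-verification steps above, a branch-aware check against the fixed releases named in this brief. This is an added example, not code from Ivanti, CISA, or the original report; the CSV layout, column names, and host names are constructed, and it assumes later builds within a fixed branch also carry the fix.

```python
import csv
import io

# Fixed release per affected branch, as listed in the brief.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
LAST_AFFECTED = (12, 8, 0, 0)  # "12.8.0.0 and earlier"

def parse_version(text):
    """Parse a four-part 'a.b.c.d' version; anything else is rejected."""
    parts = (text or "").strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Return PATCHED, VULNERABLE, UPGRADE_BRANCH or UNKNOWN for one version."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "UNKNOWN"  # never assume an unparseable version is safe
    if v > LAST_AFFECTED:
        return "PATCHED"
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "UPGRADE_BRANCH"  # affected, and no fix listed for this branch
    # Assumption: builds at or after the branch's fixed release include the fix.
    return "PATCHED" if v >= fixed else "VULNERABLE"

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,version
epmm-a.example.internal,12.8.0.0
epmm-b.example.internal,12.7.0.1
epmm-c.example.internal,12.6.1.0
epmm-d.example.internal,12.5.1.0
epmm-e.example.internal,12.8.0.1
epmm-f.example.internal,12.8
"""

def audit(csv_text):
    """Map each host in the CSV to its classification."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: classify(row.get("version")) for row in rows}

def needs_action(csv_text):
    """Hosts that are not confirmed patched, sorted for stable reporting."""
    return sorted(h for h, s in audit(csv_text).items() if s != "PATCHED")

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:28} {status}")
```

Hosts reported as UNKNOWN need their version re-collected rather than being counted as remediated.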

Source: SecurityAffairs – U.S. CISA adds a flaw in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities catalog

Original Source:
https://securityaffairs.com/191822/security/u-s-cisa-adds-a-flaw-in-ivanti-endpoint-manager-mobile-epmm-to-its-known-exploited-vulnerabilities-catalog.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
