Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation – Admin Access
Ivanti has released a critical advisory warning of a high‑severity flaw in its Endpoint Manager Mobile (EPMM) product, tracked as CVE‑2026‑6973 and rated 7.2 on the CVSS scale. The vulnerability enables remote code execution (RCE) by exploiting insufficient input validation in the device‑enrollment API, allowing an unauthenticated attacker to issue commands that run with SYSTEM‑level privileges on the EPMM server. Ivanti’s internal threat‑hunting team discovered the flaw after spotting anomalous traffic directed at the /api/v1/device endpoint.
Technical analysis shows that the flaw resides in the handling of the device‑ID parameter during the enrollment request. By embedding a specially crafted payload containing OS‑level commands, an attacker can trigger a shell that executes under the context of the EPMM service account, which is granted extensive permissions on the host. The CVSS vector is AV:N/AC:L/U:N/S:C/C:H/I:H/A:H, confirming remote exploitability with no authentication required and a resulting admin‑level foothold that can be leveraged for lateral movement, credential theft, or deployment of additional payloads.
Ivanti reports limited, targeted exploitation primarily against financial and healthcare organizations. The vendor has already shipped patch version 22.7.1 for EPMM, which remediates the input‑validation weakness. In the interim, administrators are advised to restrict the management interface to trusted IP ranges, enforce multi‑factor authentication for admin accounts, and monitor logs for Indicators of Compromise such as unusual base64‑encoded strings or patterns resembling “${jndi:}”. A temporary mitigation is to disable the device‑enrollment API and apply a web‑application‑firewall rule that blocks malicious request patterns.
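The log monitoring described above, sketched as an added example; it is not Ivanti's tooling and not taken from the vendor's IOC list. The access-log layout, the 40-character run length, the 90% printable threshold, and every sample line are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

ENDPOINT = "/api/v1/device"  # enrollment endpoint named in the article
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # assumed minimum run length
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')  # assumed access-log layout

def normalise(target, rounds=3):
    """Undo nested percent-encoding so encoded markers still match."""
    for _ in range(rounds):
        target = unquote(target)
    return target

def looks_like_encoded_text(run):
    """Count a run only if it decodes to mostly printable bytes (assumed 90%)."""
    body = run.rstrip("=")
    try:
        raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
    except (binascii.Error, ValueError):
        return False
    return sum(32 <= b <= 126 for b in raw) >= 0.9 * len(raw)

def scan_line(line):
    """Return the indicator names found in one access-log line."""
    match = REQUEST.search(line)
    if not match or not match.group(1).startswith(ENDPOINT):
        return []
    target = normalise(match.group(1))
    hits = []
    if JNDI.search(target):
        hits.append("jndi-pattern")
    if any(looks_like_encoded_text(r) for r in B64_RUN.findall(target)):
        hits.append("base64-run")
    return hits

def scan(lines):
    """Map 1-based line numbers to indicators for every flagged line."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := scan_line(line))}

# Constructed sample log lines (not real traffic).
BLOB = base64.b64encode(b"constructed sample text for the detection demo").decode()
IDS = ["A1B2C3D4", "%24%7Bjndi%3Aplaceholder%7D",
       "%2524%257Bjndi%253Aplaceholder%257D", BLOB, "deadbeef" * 5]
SAMPLE = [f'203.0.113.10 - - [01/Jan/2026:10:00:00 +0000] "POST {ENDPOINT}?deviceId={i} HTTP/1.1" 200 512' for i in IDS]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

The printable-bytes check keeps long hexadecimal identifiers, which also fit the base64 alphabet, from being reported as encoded text.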
The active exploitation of CVE‑2026‑6973 underscores a broader trend of adversaries targeting mobile‑device‑management (MDM) solutions for persistent access. Security researchers compare the flaw to earlier MDM vulnerabilities disclosed in 2024, emphasizing the need for rigorous patch‑management cycles and continuous monitoring. Organizations using Ivanti EPMM should consult the vendor’s advisory (Ivanti SA‑2026‑001) for the full list of IOCs and apply the latest firmware updates without delay.