โ† Back to Cyber Intelligence News
Live Threat Intelligence API โ€” Query this CVE and all KEV alerts in real-time
cyber.mcp.brunosan.de
Cyber Threat Intelligence VULNERABILITY ๐Ÿ”ด 1ร—KEV

CVE-2026-6973 in Ivanti EPMM: Actively Exploited RCE Added to CISA KEV Catalog

📅 May 08, 2026 | 🔴 Exploit Risk: 0.200 | 📊 Intelligence Score: 56/100 | 📰 2 sources synthesized
Intelligence Metadata
First Reported By: cisa.gov
Outbreak Velocity: 65 minutes spread to 2 unique domains
Consensus: 2 sources across 2 unique domains
CVSS Score: Not available
EPSS Score: Not available
CISA KEV Status: Confirmed
Exploit Risk Score: 0.200
Race Label: ZERO-DAY RACE

Technical Analysis

CVE-2026-6973 is a remote code execution vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM). According to REPORTED information, successful exploitation grants an attacker administrative-level access to the affected system. The specific vulnerability class and attack vector have not been publicly disclosed by the vendor or CISA. However, its inclusion in the KEV catalog and the high-impact outcome (RCE with admin privileges) support the INFERRED conclusion that the vulnerability is likely exploitable by an unauthenticated remote attacker against internet-facing EPMM servers.

The absence of a CVSS score from NIST or a vendor advisory at the time of the KEV entry suggests this is a zero-day vulnerability that was exploited before a patch was developed or widely communicated. The primary threat is a complete takeover of the mobile device management platform, which can serve as an ingress point for lateral movement into the broader corporate network and compromise of all managed mobile devices.

Affected Systems

Vendor: Ivanti
Affected Versions:
  • Ivanti Endpoint Manager Mobile (EPMM)
Exposure: Publicly facing EPMM servers are the primary attack surface.
Blast Radius: High. Compromise of an EPMM server could lead to control over all enrolled mobile devices, access to sensitive data, and a pivot point into the internal network.

Intelligence Context

The defining characteristic of CVE-2026-6973 is its status as a CISA KEV entry without an associated public CVSS or EPSS score. This is a strong signal of a zero-day vulnerability under active exploitation. The 'ZERO-DAY RACE' label accurately reflects the situation where defenders must react to confirmed attacks before full technical details or patches are available. The CISA KEV entry is the most critical data point for prioritization, overriding the lack of other quantitative metrics. Organizations must treat this vulnerability as a critical threat based on the CONFIRMED evidence of exploitation in the wild.

Remediation & Defense

Investigate exposed assets immediately for signs of compromise. Apply patches as soon as they are released by Ivanti. Federal agencies are required to remediate by the date specified in the KEV catalog.
Patch Status: Not available
Patch Version: Not available
Workarounds:
  • No official workarounds have been published. Consider restricting access to the EPMM management interface to trusted IP addresses if operationally feasible.
Detection Hints:
  • Monitor EPMM web server logs for unusual or malformed requests.
  • Inspect EPMM systems for unexpected processes, outbound network connections, or newly created administrative accounts.
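One way to act on the log-monitoring hint and the trusted-IP workaround above, shown as an added example that is not code from Ivanti or from this page's sources. It assumes a "combined"-style access log; `ADMIN_PREFIX`, the trusted ranges and the sample lines are constructed placeholders, because the page gives no EPMM paths or log format.

```python
import ipaddress
import re

# Assumption: "combined"-style access log; the page does not state EPMM's log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} ')
# Hypothetical placeholders: substitute your own management path and trusted ranges.
ADMIN_PREFIX = "/mgmt-placeholder/"
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH"}
# Escaped raw bytes (\xNN, as web servers log them) or encoded NUL/CR/LF.
CTRL_RE = re.compile(r'\\x[0-9a-f]{2}|%0[0ad]', re.I)

def triage(line):
    """Return the reasons a log line deserves analyst review (empty list = none)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable log line"]
    reasons = []
    parts = m["req"].split(" ")
    if len(parts) == 3 and parts[0] in METHODS and parts[2].startswith("HTTP/"):
        path = parts[1]
    else:
        reasons.append("malformed request line")
        path = m["req"]
    if len(path) > 2048:
        reasons.append("overlong URI")
    if CTRL_RE.search(path):
        reasons.append("escaped control bytes in request")
    try:
        src = ipaddress.ip_address(m["ip"])
    except ValueError:
        return reasons + ["non-IP client field"]
    if path.startswith(ADMIN_PREFIX) and not any(src in n for n in TRUSTED):
        reasons.append("management path from untrusted source")
    return reasons

def review(lines):
    """Return (line number, reasons) for every flagged line."""
    return [(i, r) for i, l in enumerate(lines, 1) if (r := triage(l))]

# Constructed sample lines, not taken from any real EPMM server.
SAMPLE = [
    '10.1.2.3 - - [08/May/2026:10:00:00 +0000] "GET /mgmt-placeholder/login HTTP/1.1" 200 512',
    '203.0.113.7 - - [08/May/2026:10:01:00 +0000] "POST /mgmt-placeholder/users HTTP/1.1" 200 64',
    r'203.0.113.7 - - [08/May/2026:10:02:00 +0000] "\x16\x03\x01" 400 226',
    '198.51.100.9 - - [08/May/2026:10:03:00 +0000] "GET /placeholder%00 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for n, why in review(SAMPLE):
        print(n, "; ".join(why))
```

Flagged lines are leads for review, not proof of compromise; correlate them with the host checks listed above (unexpected processes, outbound connections, new administrative accounts).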
