HIGH: Ivanti EPMM Zero-Day RCE Lands on CISA KEV With 850 Exposed Servers

CVE-2026-6973 is an authenticated admin RCE in on-prem Ivanti EPMM rated CVSS 7.2 and confirmed under active exploitation. CISA added it to the KEV catalog with a federal patch deadline of May 10, 2026. Patch to 12.6.1.1, 12.7.0.1, or 12.8.0.1 immediately and rotate admin credentials.

By Danny Mercer, CISSP, Lead Security Analyst. May 8, 2026.

Ivanti is back in the headlines, and if you have a sinking feeling about that sentence, you are not alone. The company disclosed CVE-2026-6973 this week, a high-severity remote code execution bug in its on-premises Endpoint Manager Mobile platform that is already being exploited in the wild. CISA wasted no time adding it to the Known Exploited Vulnerabilities catalog, giving Federal Civilian Executive Branch agencies until May 10, 2026 to patch. That is a brutally short clock, and it tells you everything you need to know about how seriously the U.S. government is taking the chatter coming out of incident response shops right now.

The flaw lives in EPMM, the on-prem mobile device management product that organizations use to push policies, certificates, and apps to fleets of corporate phones and tablets. At its core, CVE-2026-6973 is an improper input validation issue, the kind of unglamorous bug that has been driving exploits since the dawn of the web, and it allows an attacker who has already authenticated as an administrator to execute arbitrary code on the EPMM server. The CVSS v3.1 score lands at 7.2, which sounds modest until you remember what an MDM server actually controls. We are talking about the system that holds your enrollment certificates, your VPN profiles, your push tokens, and a fairly direct line into every managed mobile device in your environment. Pop that box and you do not just own a server, you own the keys to whatever rides on top of it.

Ivanti has confirmed that exploitation is happening, though it characterizes the activity as limited. Its language was careful: it is aware of a very limited number of customers whose EPMM instances were exploited via CVE-2026-6973, and successful attacks require administrator authentication. That second part matters. This is not a pre-auth, internet-scanner kind of bug where someone with a Shodan query and a Python script can mass-exploit the world before lunch. It is a post-exploitation amplifier, the kind of weapon that gets bolted onto an existing intrusion to turn a credential theft into a full server compromise. The unknown attackers behind these campaigns already held admin credentials before they swung this hammer, which raises an obvious and uncomfortable question: how did they get those credentials in the first place?

The likely answer points right back at Ivanti's own bumpy 2026. Back in January, the vendor disclosed CVE-2026-1281 and CVE-2026-1340, both of which were exploitable in ways that put administrative credentials at risk. Ivanti issued a strong recommendation at the time that customers rotate credentials. Now it is telling anyone who actually followed that guidance that the risk from the new flaw is significantly reduced for them. Translation: organizations that ignored the credential rotation advice four months ago are very probably the ones getting hit today. There is a depressing pattern here, where one Ivanti vulnerability hands attackers the keys, the customer never changes the locks, and a later vulnerability lets those attackers walk right back in through a different door using the same set of keys.

Affected versions include EPMM 12.8.0.0 and everything older. The fixes ship in 12.6.1.1, 12.7.0.1, and 12.8.0.1, and they are available now from Ivanti's customer portal. Crucially, the bug only touches the on-prem deployment of EPMM. Customers running Ivanti Neurons for MDM, the cloud-hosted equivalent, are not exposed, and the issue does not apply to Ivanti EPM, Ivanti Sentry, or the rest of the Ivanti portfolio. If you run on-prem EPMM, you have a patch to apply. If you run Neurons for MDM, take a small victory and move on with your day.
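The branch-by-branch fix list above is easy to misread when you are triaging a spreadsheet of EPMM versions at 2 a.m. The following is an added example, not Ivanti's tooling, that classifies a version string against the fixed builds named in the advisory. Its assumptions are not from the page: version strings are dotted numerics like "12.7.0.0", a branch is treated as fixed at or above the fixed build listed for that branch, branches older than 12.6 have no fixed build and must be upgraded, and anything newer than 12.8 is reported as outside the advisory's scope rather than guessed at.

```python
"""Added example (not Ivanti's code): triage on-prem EPMM version strings
against the fixed builds in the CVE-2026-6973 advisory.

Assumptions (not stated on the page): a branch is fixed at or above the
listed build; 12.5 and older have no fixed build in-branch; branches newer
than 12.8 are not covered by the advisory and are reported as 'unknown'.
"""
from collections import Counter
from typing import Dict, Iterable, Tuple

# Fixed builds from the advisory: 12.6.1.1, 12.7.0.1, 12.8.0.1
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
NEWEST_COVERED_BRANCH = (12, 8)  # advisory says 12.8.0.0 and older are affected


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse '12.8.0.1' -> (12, 8, 0, 1); shorter strings are right-padded with zeros."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 4:
        raise ValueError(f"not a dotted numeric EPMM version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))  # type: ignore[return-value]


def triage(version: str) -> str:
    """Classify one EPMM version.

    Returns one of:
      'patched'                   at or above the fixed build for its branch
      'vulnerable'                same branch as a fixed build, but below it
      'vulnerable-no-fix-in-branch'  older than 12.6; must upgrade branches
      'unknown'                   newer than the advisory covers; verify manually
    """
    ver = parse_version(version)
    branch = ver[:2]
    fixed = FIXED_BUILDS.get(branch)
    if fixed is not None:
        return "patched" if ver >= fixed else "vulnerable"
    if branch > NEWEST_COVERED_BRANCH:
        return "unknown"
    return "vulnerable-no-fix-in-branch"


def summarize(inventory: Iterable[str]) -> Dict[str, int]:
    """Count triage outcomes across an inventory of version strings."""
    return dict(Counter(triage(v) for v in inventory))


if __name__ == "__main__":
    # Constructed inventory for demonstration; not real scan data.
    sample = ["12.8.0.0", "12.8.0.1", "12.7.0.0", "12.6.1.1", "12.5.2.0", "12.9.0.0"]
    for v in sample:
        print(f"{v:>10}  {triage(v)}")
    print(summarize(sample))
```

Feed it whatever version column your CMDB or Shadowserver report gives you; the point of the separate "no fix in branch" and "unknown" buckets is that those hosts need a human decision, not a patch ticket.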

The exposure picture is sobering. Shadowserver currently tracks over 850 EPMM instances reachable from the public internet, with 508 of them sitting in Europe and 182 in North America. Patch adoption among that population is unknown, but if past Ivanti incidents are any indicator, we should assume a long tail of unpatched boxes will linger for months. EPMM is the kind of product that gets installed once and then quietly forgotten by everyone except the attacker who eventually finds it. It runs on internal infrastructure, the team that owns it has usually moved on to other things, and the original deployment engineer left the company two reorgs ago. That is exactly the kind of asset that ends up as patient zero in a breach narrative.

Ivanti also patched four other flaws in the same advisory, and while the headline belongs to CVE-2026-6973, the supporting cast is worth a look. CVE-2026-5786, scored at 8.8, is an improper access control bug that hands administrative privileges to an attacker who can chain it. CVE-2026-5787 at 8.9 is a certificate validation problem that lets an attacker impersonate the Ivanti Sentry host, which is the gateway component that actually proxies device traffic. CVE-2026-5788 at 7.0 is another access control bug that allows arbitrary method invocation, the kind of thing that can quietly turn into RCE if combined with the right gadget. CVE-2026-7821 at 7.4 is a certificate validation flaw that touches device enrollment. None of those four are reported as exploited yet. That word yet is doing a lot of work, because researchers and adversaries are now reading the same advisory and the chain potential between these bugs is going to be obvious to anyone who has worked in this space for a season.

For defenders, the playbook starts with patching to 12.6.1.1, 12.7.0.1, or 12.8.0.1 depending on your branch, and treating it as a same-day operation rather than a regularly scheduled change window. Beyond the patch, assume the worst about credential hygiene. If your EPMM admin accounts have not been rotated since the January advisories, rotate them now and rotate any service accounts the platform uses to talk to LDAP, certificate authorities, or backend databases. Pull authentication logs for the EPMM admin console going back at least ninety days and look for sessions originating from IPs you cannot account for, sessions occurring outside business hours, or any successful logins that lack a corresponding MFA event. If your EPMM is reachable from the internet without a VPN or zero-trust gateway in front of it, fix that today, because there is no good reason for an MDM administrative interface to be hanging off a public IP in 2026. On the detection side, hunt for unexpected child processes spawned by EPMM service accounts, unusual outbound connections from the EPMM server, and any new local accounts or scheduled tasks created on the host. Threat hunters should also pay attention to lateral movement away from the EPMM box, particularly toward identity infrastructure and certificate stores, because that is where the valuable secondary loot lives.
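The three log checks in the playbook above (sessions from unaccounted-for source IPs, sessions outside business hours, successful logins with no matching MFA event) are the kind of thing that gets hand-waved in advisories and never actually run. Here is an added example of that triage pass, written for this article and not Ivanti's or the author's code. Everything about the input is an assumption: the log line format below is constructed for the example and is not EPMM's real export format, the admin source allowlist is a private range chosen for illustration, and business hours are taken as 08:00 to 18:00 UTC, Monday through Friday. Map your own console export into the same five fields and adjust the constants.

```python
"""Added example (not Ivanti's code): hunt EPMM admin-console auth events for
the three playbook signals: unknown source IP, off-hours session, no MFA.

Assumptions (not from the page): the line format is constructed for this
example and is NOT EPMM's real log format; the allowlist and business-hours
window are placeholders to be replaced with your own values.
"""
import ipaddress
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample events (hypothetical format). 2026-04-21 is a Tuesday.
SAMPLE_LOG = """\
2026-04-21T09:12:44Z user=jsmith src=10.20.30.41 result=success mfa=yes
2026-04-21T23:58:03Z user=jsmith src=10.20.30.41 result=success mfa=yes
2026-04-22T03:14:07Z user=admin src=203.0.113.45 result=success mfa=no
2026-04-22T03:14:09Z user=admin src=203.0.113.45 result=failure mfa=no
2026-04-23T14:02:51Z user=svc-ldap src=10.20.30.9 result=success mfa=no
2026-04-23T14:05:10Z user=mpatel src=10.20.30.57 result=failure mfa=yes
"""

# Placeholder values: replace with your admin VPN/jump-host ranges and hours.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.20.30.0/24")]
BUSINESS_HOURS_UTC = (8, 18)  # start inclusive, end exclusive

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one constructed-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev: Dict[str, object] = m.groupdict()
    ev["ts"] = datetime.strptime(str(ev["ts"]), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return ev


def is_known_source(src: str) -> bool:
    """True if the source address falls inside any allowlisted admin range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ADMIN_ALLOWLIST)


def outside_business_hours(ts: datetime) -> bool:
    """Weekend, or a UTC hour outside the configured window."""
    start, end = BUSINESS_HOURS_UTC
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per successful login that trips at least one check.

    Failed attempts are skipped here because the playbook asks about sessions;
    count them separately if you want brute-force context.
    """
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        ts = ev["ts"]
        assert isinstance(ts, datetime)
        reasons = []
        if not is_known_source(str(ev["src"])):
            reasons.append("unknown_source_ip")
        if outside_business_hours(ts):
            reasons.append("outside_business_hours")
        if ev["mfa"] != "yes":
            reasons.append("no_mfa")
        if reasons:
            findings.append(
                {"ts": ts.isoformat(), "user": ev["user"], "src": ev["src"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']}  {f['user']:<10} {f['src']:<16} {', '.join(f['reasons'])}")
```

On the constructed sample this flags the off-hours session, the admin login from outside the allowlist with no MFA, and the service account logging in without MFA; the last one is usually expected, which is exactly why service accounts belong on the rotation list rather than the ignore list.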

There is a wider lesson in this incident that goes beyond Ivanti. Mobile device management platforms have quietly become some of the most privileged systems in the modern enterprise, and yet they often get treated like a piece of IT plumbing rather than a tier-zero asset. An attacker who controls your MDM can push a malicious profile to every executive phone in the company, harvest VPN certificates, redirect mail traffic, and stage further intrusions through the very mechanisms designed to keep mobile devices safe. Treating EPMM, Intune, Workspace ONE, or any other MDM as critical infrastructure, with the same scrutiny you give your domain controllers, is no longer optional. The adversaries figured this out years ago. The defender side of the industry is still catching up.

For the MSP and security service provider crowd, this advisory is a layup of a sales conversation. Any client running on-prem EPMM should be getting a phone call this week, framed around emergency patch validation, post-patch credential rotation, and a one-time threat hunt for indicators of prior compromise. That last piece is genuinely valuable, because patching does not undo what an attacker may have already done if they were inside before May. There is also an obvious upsell into ongoing vulnerability management, dark web credential monitoring for the customer's domain, and a managed detection service tuned for MDM and identity infrastructure abuse. The clients who got bitten by Ivanti in January and again in May are the ones who never invested in those services. The ones who did are the ones quietly sleeping through this news cycle. Make that contrast the centerpiece of your next QBR and watch the conversation change.
