[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2026-6973 : Active Exploitation of Ivanti EPMM

ESO_SOC * DAS ESO.SOC at das.oregon.gov
Thu May 7 11:21:54 PDT 2026


Good morning-

The SOC Services team is reporting on the vulnerability CVE-2026-6973: Active Exploitation of Ivanti EPMM, specifically impacting on-premises Ivanti Endpoint Manager Mobile (formerly MobileIron Core) installations. Cloud-based 'Ivanti Neurons for MDM' and other Ivanti products like Sentry or EPM are not affected. Because this CVE has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog following confirmed zero-day exploitation targeting high-value organizational infrastructure, we are providing this in-depth information.

History: Disclosed by Ivanti on May 7, 2026, as an actively exploited zero-day vulnerability discovered in the wild. The CVSS v3.x base score is 7.2 (HIGH).
Affected Versions

  *   Ivanti EPMM 12.8.0.0 and earlier

Fixed Versions

  *   Ivanti EPMM 12.6.1.1
  *   Ivanti EPMM 12.7.0.1
  *   Ivanti EPMM 12.8.0.1

Ivanti Endpoint Manager Mobile (EPMM) is a unified endpoint management platform used to secure and manage mobile devices across an enterprise.

Vendor Advisory: Security Advisory: Ivanti EPMM May 2026 Vulnerabilities<https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-EPMM-May-2026>

Intelligence: On May 7, 2026, CISA confirmed the vulnerability in the Known Exploited Vulnerabilities Catalog.

Exploitability: Network
Complexity: Low
User Interaction: None
Remotely Exploitable: Yes
Proof of Concept: Not publicly disclosed (Private PoC used by threat actors)
Zero Day: Yes

Workarounds: Disable or restrict access to the EPMM admin portal from the public internet; enable Multi-Factor Authentication (MFA) for all administrative accounts; rotate all administrative credentials immediately if exploitation is suspected.
How it Works: The vulnerability stems from Improper Input Validation (CWE-20) within the EPMM core management interface. An attacker who has obtained administrative credentials can bypass internal validation checks to inject malicious commands into the underlying system shell. This is often achieved by sending specifically crafted HTTP requests to the admin API that are not properly sanitized before being passed to system-level execution functions.
Post-Exploit Impact:

  *   Full system compromise and execution of arbitrary OS commands with root privileges (CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
  *   Unauthorized access to managed device data and potential deployment of malicious profiles to mobile endpoints (CWE-20: Improper Input Validation)

Indicators of Compromise (IoCs):

  *   Type: Log Entry
      Value: Check for unusual POST requests to /mifs/services/ and /mifs/api/ emanating from unknown IP addresses
      Description / Notes: Inbound administrative traffic from non-standard or external locations
      Source: Ivanti Incident Response Guide

  *   Type: Account Activity
      Value: New Administrative User Creation
      Description / Notes: Detection of local admin accounts or API keys created without corresponding change tickets
      Source: Ivanti Security Advisory

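The first IoC above can be turned into a repeatable log check. The following is an added example written for this notification, not code from Ivanti or from the Incident Response Guide: it parses access-log lines, keeps only POST requests to the /mifs/services/ and /mifs/api/ prefixes named in the table, and flags those whose client address is outside an expected management network. The log layout (NCSA combined style), the 10.20.30.0/24 trusted subnet and the sample lines are all constructed assumptions; adjust LOG_RE and TRUSTED_NETWORKS to your appliance's real log format and admin subnet.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines in NCSA combined style. These are not
# real EPMM logs; the appliance's actual log layout is an assumption here.
SAMPLE_LOG = """\
10.20.30.40 - - [07/May/2026:09:01:12 -0700] "POST /mifs/api/v2/admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [07/May/2026:09:02:45 -0700] "POST /mifs/services/config HTTP/1.1" 200 1024 "-" "python-requests/2.31"
10.20.30.41 - - [07/May/2026:09:03:10 -0700] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.77 - - [07/May/2026:09:05:59 -0700] "POST /mifs/api/v2/users HTTP/1.1" 201 256 "-" "curl/8.4"
203.0.113.77 - - [07/May/2026:09:06:03 -0700] "GET /mifs/api/v2/users HTTP/1.1" 200 256 "-" "curl/8.4"
"""

# client-ip, ident, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Admin paths named in the advisory's IoC table.
ADMIN_PATH_PREFIXES = ("/mifs/services/", "/mifs/api/")

# Assumed management subnet from which admin traffic is expected (placeholder).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip_text, trusted=None):
    """True if the client address falls inside an expected management network."""
    nets = TRUSTED_NETWORKS if trusted is None else trusted
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field: treat as untrusted, not as a crash
    return any(addr in net for net in nets)


def flag_suspicious(log_text, trusted=None):
    """Return parsed entries that are POSTs to admin paths from untrusted sources."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["method"] != "POST":
            continue
        if not entry["path"].startswith(ADMIN_PATH_PREFIXES):
            continue
        if is_trusted(entry["ip"], trusted):
            continue
        hits.append(entry)
    return hits


def summarize_by_source(hits):
    """Count flagged requests per client address to prioritise triage."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    flagged = flag_suspicious(SAMPLE_LOG)
    for h in flagged:
        print(f'{h["ts"]}  {h["ip"]:<15}  {h["method"]} {h["path"]}  {h["status"]}')
    print(dict(summarize_by_source(flagged)))
```

Run against the sample, two of the five lines are flagged (the two POSTs from addresses outside the trusted subnet); GET requests and POSTs from the management network are ignored. A hit is a lead to investigate alongside the second IoC (unexplained admin or API-key creation), not proof of compromise on its own.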
Tenable Plugins: As of the release of this Vulnerability Notification, Tenable has not published any plugins for this CVE.
Recommended Actions:

Date Added to KEV Catalog: May 7, 2026
Due Date for Remediation: May 28, 2026

  *   Upgrade all on-premises EPMM instances to fixed versions (12.6.1.1, 12.7.0.1, or 12.8.0.1) immediately
  *   Verify that the EPMM admin interface is only accessible via a secure VPN or internal management subnet
  *   Verify host has not been compromised before applying patches.
  *   Apply appropriate updates provided by the vendor to vulnerable systems after testing.
  *   Run all software as a non-privileged user to reduce the impact of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.
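To support the first action (upgrading every on-premises instance to a fixed release), the following added example, written for this notification and not code from Ivanti, classifies an inventory of EPMM hosts by version. It uses only the version numbers stated above: 12.8.0.0 and earlier is affected, and 12.6.1.1, 12.7.0.1 and 12.8.0.1 are the fixed releases. Treating each fixed release as the floor for its own 12.6/12.7/12.8 branch, and pointing hosts on an older branch at 12.8.0.1, is this example's reading of the advisory and is labelled as an assumption; the hostnames and versions in the inventory are constructed.

```python
# Fixed releases per branch, from the advisory. Mapping a 12.6.x host to
# 12.6.1.1 (rather than requiring a move to 12.8) is this example's reading
# of the fixed-version list, not a statement from the vendor.
FIXED_BY_BRANCH = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
LATEST_AFFECTED = (12, 8, 0, 0)  # advisory: "12.8.0.0 and earlier"

# Assumption: hosts on a branch with no listed fix are sent to the newest fixed release.
DEFAULT_TARGET = FIXED_BY_BRANCH[(12, 8)]

# Constructed inventory (hostname, reported EPMM version); not real hosts.
INVENTORY = [
    ("epmm-prod-01", "12.8.0.0"),
    ("epmm-prod-02", "12.6.1.1"),
    ("epmm-dr-01", "12.5.2"),
    ("epmm-lab-01", "12.7.0.1"),
]


def parse_version(text):
    """Turn '12.5.2' into (12, 5, 2, 0); raise on malformed input rather than guess."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(version_text):
    """True if the version is below its branch's fixed release, or is 12.8.0.0 or earlier
    on a branch with no listed fix."""
    v = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return v < fixed
    return v <= LATEST_AFFECTED


def upgrade_target(version_text):
    """Fixed release the host should move to, or None if already on a fixed release."""
    if not is_vulnerable(version_text):
        return None
    v = parse_version(version_text)
    target = FIXED_BY_BRANCH.get(v[:2], DEFAULT_TARGET)
    return ".".join(str(n) for n in target)


def triage(inventory):
    """Return (host, current version, target version) for every vulnerable host."""
    return [(host, ver, upgrade_target(ver)) for host, ver in inventory if is_vulnerable(ver)]


if __name__ == "__main__":
    for host, current, target in triage(INVENTORY):
        print(f"{host}: {current} -> upgrade to {target}")
```

The inventory check only tells you which hosts still need the patch; per the actions above, confirm a host has not already been compromised before upgrading it, since patching does not remove an attacker's existing access.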

EIS Security Operations Center
Enterprise Information Services
Cyber Security Services | CSS
SOC Hotline: (503) 378-5930
SOC at EIS.OREGON.GOV<mailto:SOC at EIS.OREGON.GOV>

