CVE-2026-6973
📛 CVE Title
CVE-2026-6973
Description
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.
Overview
- State
- PUBLISHED
- Assigner (CNA)
- ivanti
- CVSS severity
- HIGH
- CVSS score
- 7.2 / 10
- CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H- Effective score
- 7.2 / 10 HIGH source: CNA overview
- CWE(s)
-
CWE-20 - Reserved
- 2026-04-24
- Published
- 2026-05-07 15:21 UTC
- Last updated
- 2026-05-08 03:55 UTC
- Source
- https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/6xxx/CVE-2026-6973.json
- Linked Threat
- CVE-2026-6973 — Ivanti Endpoint Manager Mobile (EPMM): Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability
CISA Known Exploited Vulnerabilities CISA KEV
CISA has confirmed in-the-wild exploitation of this CVE. Federal agencies must remediate by the due date below; private orgs should treat it as priority-1.
- Vulnerability name
- Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability
- Vendor / project
- Ivanti
- Product
- Endpoint Manager Mobile (EPMM)
- Date added to KEV
- 2026-05-07
- Remediation due
- 2026-05-10
- Required action
- Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Ransomware campaign use
- Unknown
- CISA notes
- https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US ; https://nvd.nist.gov/vuln/detail/CVE-2026-6973
- CISA listing
- www.cisa.gov/known-exploited-vulnerabilities-catalog
NVD triage scoring NVD CVE 2.0
Layer NVD adds on top of the CNA's CVE record — published / last-modified timestamps, exploitability / impact subscores, and the FIRST.org EPSS probability that this CVE will be exploited in the wild in the next 30 days.
- NVD published
- 2026-05-07 16:16:23 UTC
- NVD last modified
- 2026-05-07 19:18:39 UTC
- NVD CVSS v3.1
- 7.2 / 10 HIGH source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
- NVD CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H- Exploitability subscore
- 1.2 / 10
- Impact subscore
- 5.9 / 10
- EPSS score
- 0.0491 (probability of exploitation in next 30 days)
- EPSS percentile
- 89.72% vs all CVEs — higher = more likely to be exploited, as of 2026-05-24
NVD / KEV / EPSS data refreshed 2026-05-25 02:08 UTC. Re-run the 🛰 Backfill from NVD button above to refresh.
European Union Vulnerability Database ENISA EUVD
ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.
- EUVD ID
-
EUVD-2026-28396 - Assigner
- ivanti
- Published
- May 7, 2026, 3:21:24 PM
- Updated
- May 8, 2026, 3:55:38 AM
- EUVD base score (CVSS 3.1)
-
7.2 / 10
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - EUVD-reported EPSS
- 4.9100
- Vendors
- Ivanti
- Products
-
Endpoint Manager Mobile (patch: 12.8.0.1)Endpoint Manager Mobile (patch: 12.6.1.1)Endpoint Manager Mobile (patch: 12.7.0.1)
ENISA description: An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.
Affected products (1)
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Ivanti | Endpoint Manager Mobile |
12.6.1.1 (unaffected),
12.7.0.1 (unaffected),
12.8.0.1 (unaffected)
|
— |
Affected products — CPE 2.3 (3) NVD
NVD's normalized CPE 2.3 matchers, used by vendor tools (vulnerability scanners, asset managers) for automated detection. Compare with the CNA's free-text "Affected products" section above.
cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager_mobile:12.7.0.0:*:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager_mobile:12.8.0.0:*:*:*:*:*:*:*
Remediations (9)
Remediations are stored against the linked Threat row; the list below is deduplicated across both pages.
-
web:www.cisa.gov
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-6973
2026-05-14 06:47 UTC -
web:dailysecurityreview.com
Ivanti's Recommended Remediation Steps Ivanti has provided mitigations for CVE-2026-6973 and directed customers to apply the available patches without delay. Organizations running affected versions should prioritize updating to a non-vulnerable release.
2026-05-14 06:47 UTC -
web:msrc.microsoft.com
Security Update Guide - Microsoft Security Response Center
2026-05-14 06:47 UTC -
web:nvd.nist.gov
An official website of the United States government NVD MENU
2026-05-14 06:47 UTC -
web:socradar.io
That shifts the likely real-world paths to exploitation away from broad internet scanning and toward credential abuse or privilege gain inside an environment. In the same patch cycle, Ivanti also addressed other EPMM issues (including access control and certificate validation problems), but CVE-2026-6973 itself is framed as an authenticated admin-to-RCE condition.
2026-05-14 06:47 UTC -
web:threatprotect.qualys.com
Ivanti mentioned in their advisory that they are "aware of a very limited number of customers exploited with CVE-2026-6973 ." CISA also acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urged users to patch the vulnerability before May 10, 2026 .
2026-05-14 06:47 UTC -
web:www.aigovhub.io
CISA has mandated that US federal agencies patch a critical Ivanti EPMM vulnerability ( CVE-2026-6973 ) within four days. This guide covers affected systems, patching steps, verification, reporting, and how to integrate with broader compliance frameworks like NIS2, DORA, and SOC 2.
2026-05-14 06:47 UTC -
web:app.opencve.io
Remediation No vendor fix or workaround currently provided. OpenCVE Recommended Actions Update Ivanti Endpoint Manager Mobile to the latest available version that addresses the input validation flaw. If an immediate patch is unavailable, disable or tightly restrict remote administrative access until the update can be applied.
2026-05-14 06:47 UTC -
CISA KEV
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-05-10 Known ransomware campaign use: Unknown
2026-05-14 01:13 UTC
Vendor references (1)
References embedded in the original CVE record by the assigning CNA.
Web references (16)
DuckDuckGo results ranked by threat-intel / vendor advisory domains. Generated by the 🔎 Find references (web) button above — same flow as the Remediations search.
- https://www.proofpoint.com/us/blog/threat-insight/more-cves-same-playbook-2026-vulnerability-exploitation-wild tenable:www.proofpoint.com
- https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-6973 rapid7:forums.ivanti.com
- https://attackerkb.com/topics/CVE-2026-6973 rapid7:attackerkb.com
- https://nvd.nist.gov/vuln/detail/CVE-2026-6973 tenable:nvd.nist.gov
- https://securityaffairs.com/191822/security/u-s-cisa-adds-a-flaw-in-ivanti-endpoint-manager-mobile-epmm-to-its-known-exploited-vulnerabilities-catalog.html tenable:securityaffairs.com
- https://thehackernews.com/2026/05/ivanti-epmm-cve-2026-6973-rce-under.html tenable:thehackernews.com
- https://www.bleepingcomputer.com/news/security/cisa-gives-feds-four-days-to-patch-ivanti-flaw-exploited-as-zero-day/ tenable:www.bleepingcomputer.com
- https://www.bleepingcomputer.com/news/security/ivanti-warns-of-new-epmm-flaw-exploited-in-zero-day-attacks/ tenable:www.bleepingcomputer.com
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-6973 tenable:www.cisa.gov
- https://www.cisa.gov/news-events/alerts/2026/05/07/cisa-adds-one-known-exploited-vulnerability-catalog tenable:www.cisa.gov
- https://www.cve.org/CVERecord?id=CVE-2026-6973 tenable:www.cve.org
- https://www.first.org/epss/ tenable:www.first.org
- https://www.ivanti.com/blog/may-2026-epmm-security-update tenable:www.ivanti.com
- https://www.securityweek.com/ivanti-patches-epmm-zero-day-exploited-in-targeted-attacks/ tenable:www.securityweek.com
- https://cyberscoop.com/ivanti-epmm-zero-day-vulnerability-exploited/ tenable:cyberscoop.com
- https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US tenable:hub.ivanti.com
NVD-tagged references (2)
Reference list NVD curates from the CNA record, vendor advisories, and third-party reports. The tag chips below are NVD's analyst-assigned categories.
- https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 PatchVendor Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-6973 134c704f-9b21-4f2e-91b3-4a467353bcc0 US Government Resource
Indicators (2)
IOCs linked to the auto-promoted Threat row.
| Type | Value | VirusTotal | Attached |
|---|---|---|---|
| cve |
CVE-2026-6973
|
no local data | 2026-05-14 02:58 UTC |
| cwe |
CWE-20
|
no local data | 2026-05-14 02:58 UTC |
AI Forensic Analysis
Only Available for Registered Users. Sign in to view.
Raw JSON
The full cvelistV5 record. Download as CVE-2026-6973.json.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6973",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-05-07",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-6973"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T03:55:38.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-6973"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-07T00:00:00.000Z",
"value": "CVE-2026-6973 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Endpoint Manager Mobile",
"vendor": "Ivanti",
"versions": [
{
"status": "unaffected",
"version": "12.6.1.1"
},
{
"status": "unaffected",
"version": "12.7.0.1"
},
{
"status": "unaffected",
"version": "12.8.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution. "
}
],
"value": "An Improper Input Validation in Ivanti EPMM\u00a0before\u00a0versions 12.6.1.1, 12.7.0.1, and 12.8.0.1\u00a0allows\u00a0a remotely authenticated user with\u00a0administrative access to achieve remote code execution."
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper input validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T15:21:24.849Z",
"orgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
"shortName": "ivanti"
},
"references": [
{
"url": "https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs?language=en_US"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
"assignerShortName": "ivanti",
"cveId": "CVE-2026-6973",
"datePublished": "2026-05-07T15:21:24.849Z",
"dateReserved": "2026-04-24T17:57:36.236Z",
"dateUpdated": "2026-05-08T03:55:38.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}