← Back
Enterprise SaaS
CVE-2026-6973 CISA KEV high CVSS 7.2

[KEV] Vulnerability in Ivanti endpoint-manager-mobile-epmm (CVE-2026-6973)

Summary

vulnerability in Ivanti endpoint-manager-mobile-epmm (CVE-2026-6973). Risk of unauthorized operations or information disclosure. Listed in CISA KEV — actively exploited.

AI summary openai / gpt-4o

There is a security issue with Ivanti Endpoint Manager Mobile where an authenticated user can execute malicious code with administrative privileges. This poses a risk of system exploitation and data theft. Such vulnerabilities have led to serious incidents like data breaches in the past. It's crucial to check for vendor updates and apply security patches immediately.
CVE-2026-6973 is an improper input validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allowing a remotely authenticated user to execute arbitrary code with administrative privileges. The specific versions and patches are currently unspecified; however, the attack vector likely involves HTTP-based code injection. As a workaround, monitor administrative access stringently and eliminate unnecessary privileges. Detection can involve reviewing HTTP logs for unusual administrative actions.
❓ What is the problem
Improper input validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allowing arbitrary code execution.
📍 Affected scope
Authored HTTP requests via unspecified methods on EPMM interfaces.
🔥 Severity
High severity due to potential for remote code execution with administrative privileges.
🔧 How to fix
Monitor for vendor-released patches and apply updates promptly.
🛡️ Workaround
Enforce strict oversight on admin access and reduce unnecessary privileges.
🔍 Detection
Review HTTP logs for anomalous admin activities.

Related past incidents Similar incidents extracted from past CVEs

CVE-2023-3263
This vulnerability in Ivanti software also allowed remote code execution through improper input validation.
CVE-2025-5022
Similar RCE vulnerability in another Ivanti product was exploited to gain system access.
CVE-2021-3164
An improper input validation in another system leading to RCE, showing the prevalence of such flaws.

If this happens at your company Expected impact per business scenario

📌 In enterprise environments using Ivanti EPMM
Attackers could fully compromise the mobile management system, impacting device security and administrative controls.
📌 For government agencies managing devices with EPMM
National security concerns as attackers might access sensitive data or disrupt mobile communications.
📌 In healthcare settings using EPMM for device management
Potential unauthorized access to patient records, leading to data privacy breaches.
Recommended action
Implement strict monitoring and rapidly apply any new security patches from Ivanti.

Response Actions (7 steps)

Concrete steps and command examples for SOC/SRE teams to execute in order

  1. 1
    Identify exposure identify
    grep -r 'endpoint-manager-mobile-epmm' . | grep -v node_modules

    リポジトリと本番環境の依存ファイル (package-lock.json / requirements.txt / go.sum / Gemfile.lock 等) で `endpoint-manager-mobile-epmm` を grep し、稼働しているサービス・バージョンを把握する。

  2. 4
    Consider incident declaration escalate
    Notify SOC / on-call

    CISA KEV登録済 = 実環境で悪用が観測されている。Step 3 で兆候があればインシデント対応宣言、無くてもパッチ適用までWAF強化を最優先で。

  3. 7
    Post-deployment verification verify
    Confirm patched version is live in production

    パッチ適用後、ステージングで PoC または同等の悪用パターンを再現して脆弱性が閉じたことを確認。本番では Step 3 と同じログクエリでアラート再発が無いか継続監視。

References

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →