
Active Exploit Alert: Ivanti EPMM CVE-2026-6973 - Input Validation Gone Wrong

MasterSlacker 5/7/2026 USER

Just caught wind of a new vulnerability hitting Ivanti Endpoint Manager Mobile (EPMM) that is currently under active exploitation.

The flaw is tracked as CVE-2026-6973 (CVSS 7.2) and stems from improper input validation. It specifically impacts EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1.

The technical caveat here is that the exploit allows a remotely authenticated user with administrative access to achieve remote code execution. While that prerequisite might lower the panic level slightly compared to an unauth bypass, Ivanti's confirmation of "limited attacks in the wild" suggests actors are actively leveraging this—likely chaining it with credential theft or simply capitalizing on already exposed admin panels.

If you are managing EPMM instances, patching should be treated as critical. Until you can update to the fixed versions, I recommend monitoring for suspicious process executions spawned by the management service.

Here is a basic KQL query to start hunting for anomalies in your process logs related to the EPMM java service:

DeviceProcessEvents
// parent must be the EPMM java service (has/contains are case-insensitive in KQL)
| where InitiatingProcessFileName has "java"
| where InitiatingProcessCommandLine contains "EPMM"
// flag children the service should never spawn; the original used !in~, which
// excluded exactly these shells and returned everything else instead
| where FileName in~ ("cmd.exe", "powershell.exe", "explorer.exe")
| project Timestamp, DeviceName, FileName, InitiatingProcessCommandLine

Has anyone seen IOCs related to the in-the-wild exploitation yet? I'm curious if this is being used for persistence or initial access.
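The same hunt as the KQL query, run offline over constructed process events so the logic can be checked before it goes into a SIEM. This is an added example, not from the original post; the field names mirror the DeviceProcessEvents columns used above, the sample events are made up, and the Linux shell names added to the watch list are an assumption.

```python
"""Flag shells spawned by the EPMM java service (mirrors the KQL hunt above)."""
from dataclasses import dataclass

# Children the management service has no business spawning. cmd/powershell/
# explorer come from the thread's KQL; the Linux shells are an assumption,
# added because a JVM service is just as suspicious when it forks sh or bash.
SHELLS = {"cmd.exe", "powershell.exe", "explorer.exe", "sh", "bash", "dash"}


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    device_name: str
    file_name: str                 # child process image
    initiating_file_name: str      # parent process image
    initiating_cmdline: str        # parent command line


def is_epmm_java(ev: ProcessEvent) -> bool:
    """KQL 'has "java"' and 'contains "EPMM"' are case-insensitive; match that."""
    return ("java" in ev.initiating_file_name.lower()
            and "epmm" in ev.initiating_cmdline.lower())


def hunt(events):
    """Return events where the EPMM java parent spawned an interactive shell."""
    return [ev for ev in events
            if is_epmm_java(ev) and ev.file_name.lower() in SHELLS]


# Constructed sample telemetry: two hits, two benign/irrelevant rows.
SAMPLE_EVENTS = [
    ProcessEvent("2026-05-07T10:01:00Z", "epmm-01", "bash",
                 "java", "/usr/bin/java -jar /opt/EPMM/core.jar"),
    ProcessEvent("2026-05-07T10:01:05Z", "epmm-01", "java",
                 "java", "/usr/bin/java -jar /opt/EPMM/core.jar"),   # child JVM, benign
    ProcessEvent("2026-05-07T10:02:00Z", "build-07", "cmd.exe",
                 "java.exe", "java -jar jenkins.war"),                 # not EPMM
    ProcessEvent("2026-05-07T10:03:00Z", "epmm-02", "PowerShell.exe",
                 "java.exe", "java -Dapp=EPMM -jar core.jar"),         # case-insensitive hit
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit.timestamp, hit.device_name, hit.file_name, hit.initiating_cmdline)
```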

IAM_Specialist_Yuki 5/7/2026

We saw a similar pattern with the Ivanti Pulse Secure issues a while back. The 'authenticated admin' requirement is a bit of a red herring; if they have phished an admin or found a creds leak, this RCE gives them total control over the mobile fleet.

I'd suggest checking your VPN logs for any anomalous admin logins immediately preceding the exploitation window. It's usually the first step in the kill chain.

SecurityTrainer_Rosa 5/7/2026

Patching EPMM is always a nightmare because of the downtime involved. For MSPs managing multi-tenant environments, this is rough.

If you can't patch immediately, consider restricting access to the management console (/mics) to specific source IPs via your firewall or WAF. It won't stop internal threats, but it reduces the attack surface significantly.

BlueTeam_Alex 5/7/2026

From a pentester perspective, getting RCE as an authenticated user on an EMM is essentially 'Game Over.' You can push malicious profiles to devices, intercept corporate traffic, and wipe devices en masse.

If you're testing this, look at the API endpoints handling device uploads or profile configurations—that's usually where input validation flaws like this hide.


Thread Stats: Created 5/7/2026, Last Active 5/7/2026, Replies 3, Views 26