DMZ//THREAT INTEL
TLP:WHITE
Disclosure not limited. This advisory may be distributed publicly through any channel.
OFFICIAL ADVISORY // CVE-2026-6973 / Ivanti May-2026-EPMM Advisory // PUBLISHED 2026-05-07

Ivanti EPMM Zero-Day Authenticated RCE — Actively Exploited, CISA KEV (CVE-2026-6973)

A high-severity improper input validation zero-day in on-premises Ivanti Endpoint Manager Mobile (EPMM) lets a remote, authenticated user with administrative access execute arbitrary code on the EPMM appliance. Because the flaw requires admin credentials, attackers have chained it with credentials stolen through the January 2026 EPMM zero-days (CVE-2026-1281, CVE-2026-1340): unauthenticated initial compromise first, then reuse of the harvested admin credentials for RCE. CISA added CVE-2026-6973 to the KEV catalog on May 7 with a three-day federal remediation deadline of May 10, 2026. Shadowserver counted more than 800 internet-exposed EPMM instances at the time of disclosure.

AFFECTED SYSTEM                                                                   | SEVERITY | EXPLOIT | PATCH
Ivanti EPMM (on-premises) versions 12.8.0.0 and prior                             | HIGH     | LIMITED | PATCHED
Vulnerable branches: 12.6.x (before 12.6.1.1), 12.7.x (before 12.7.0.1),          | HIGH     | LIMITED | PATCHED
12.8.x (before 12.8.0.1)                                                          |          |         |

1) Upgrade EPMM immediately to version 12.6.1.1, 12.7.0.1, or 12.8.0.1.
2) Rotate ALL EPMM administrative credentials. This is especially critical if your environment was impacted by the January 2026 CVE-2026-1281/CVE-2026-1340 zero-days, since credentials harvested then are the most likely path to exploiting this flaw. Rotate after the upgrade: new credentials set on an appliance the attacker still controls are simply handed to them.
3) Review all accounts with administrative rights for unexpected additions or privilege changes.
4) Invalidate active sessions and review authentication logs for unusual admin login patterns.
5) Review Ivanti Sentry appliance security in parallel, since Sentry depends on EPMM configuration.

Ivanti Neurons for MDM (cloud), Ivanti EPM, and Ivanti Sentry are NOT affected by CVE-2026-6973.
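The first step above is only as good as your inventory. The following Python triage script is an added example, not Ivanti tooling or anything from the advisory: it encodes the fixed builds from the affected-version table and classifies each appliance by version string. The hostnames are constructed, and treating branches older than 12.6 (for which the advisory lists no fixed build) as vulnerable is an assumption noted in the code.

```python
"""Patch-status triage for CVE-2026-6973 across an EPMM appliance inventory.

Added example, not Ivanti tooling. Fixed builds come from the advisory's
affected-version table; handling of pre-12.6 branches is an assumption.
"""

# First fixed build in each branch named by the advisory.
FIXED_BUILDS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '12.8' or '12.8.0.1' into a 4-tuple, padding missing components with 0."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 4:
        raise ValueError(f"unparseable EPMM version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one EPMM build string."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BUILDS:
        return "patched" if v >= FIXED_BUILDS[branch] else "vulnerable"
    if branch < min(FIXED_BUILDS):
        # Assumption: the advisory lists no fixed build for branches older than
        # 12.6, so they are treated as vulnerable and need an upgrade to a fixed branch.
        return "vulnerable"
    # Newer than anything the advisory names: do not guess, confirm with the vendor.
    return "unknown"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group appliance hostnames by patch status; input is {hostname: version}."""
    groups: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        groups[assess(version)].append(host)
    return groups


# Constructed inventory for demonstration only (not real hosts).
SAMPLE_INVENTORY = {
    "epmm-hq-01": "12.8.0.1",
    "epmm-hq-02": "12.8.0.0",
    "epmm-dr-01": "12.6.1.0",
    "epmm-lab-01": "12.5.2.0",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Feed it the version strings from your CMDB or from each appliance's admin UI; anything that comes back "vulnerable" goes straight into the upgrade-and-rotate sequence above, and "unknown" means a branch the advisory does not cover and a question for the vendor rather than a pass.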

No reliable atomic IOCs for CVE-2026-6973 have been published, so detection has to be behavioural. Monitor EPMM for: unexpected configuration changes; newly created or modified admin accounts; unusual device management actions (mass policy pushes, remote wipes); and anomalous entries in /var/log/httpd/https-access_log, such as successful admin-portal access from addresses your administrators do not use. Treat any such anomaly during the unpatched window as grounds for a forensic review, and preserve the appliance's logs off-box before remediating so the evidence survives the upgrade. Prior EPMM zero-days have been exploited by China- and Iran-linked threat actors; if those actors are in your threat model, log and monitor this appliance as a high-value target.
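To make the access-log guidance concrete, here is an added Python example (not Ivanti tooling and not from the advisory) that scans Apache-style access log lines for two of the behaviours above: successful admin-portal access from a source address outside the admin allowlist, and a burst of admin-portal writes from one source within a minute. The log lines are constructed, and the admin-portal path prefix, the allowlist and the burst threshold are placeholders to replace with the values for your deployment.

```python
"""Behavioural hunt over EPMM https-access_log lines for CVE-2026-6973 follow-up.

Added example, not Ivanti tooling. ADMIN_PATH_PREFIX, ADMIN_ALLOWLIST and
BURST_THRESHOLD are placeholders (assumptions); SAMPLE_LOG is constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Placeholder (assumption): path prefix of the EPMM admin portal on your build.
ADMIN_PATH_PREFIX = "/mifs/admin/"
# Placeholder (assumption): addresses your administrators are expected to log in from.
ADMIN_ALLOWLIST = {"10.20.0.15", "10.20.0.16"}
# Writes (POST/PUT/DELETE) to the admin portal per source per minute before we alert.
BURST_THRESHOLD = 20

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def parse_line(line: str):
    """Return a dict for a well-formed access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_anomalies(lines):
    """Return (finding, source_ip, iso_timestamp) tuples in log order."""
    findings = []
    writes_per_minute = Counter()  # (ip, minute) -> count of admin-portal writes
    flagged_sources = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ADMIN_PATH_PREFIX):
            continue
        if rec["status"] >= 400:
            continue  # failed requests are noise here; only successful access counts
        ip = rec["ip"]
        if ip not in ADMIN_ALLOWLIST and ip not in flagged_sources:
            flagged_sources.add(ip)
            findings.append(("admin_access_from_unexpected_source", ip, rec["ts"].isoformat()))
        if rec["method"] in ("POST", "PUT", "DELETE"):
            minute = rec["ts"].replace(second=0)
            writes_per_minute[(ip, minute)] += 1
            if writes_per_minute[(ip, minute)] == BURST_THRESHOLD:
                findings.append(("admin_write_burst", ip, minute.isoformat()))
    return findings


# Constructed sample: one legitimate admin, one unexpected source that fails once,
# succeeds, then pushes 20 policy writes in a minute, and one device check-in.
SAMPLE_LOG = [
    '10.20.0.15 - - [08/May/2026:09:12:01 +0000] "GET /mifs/admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/May/2026:09:13:44 +0000] "POST /mifs/admin/login HTTP/1.1" 401 310 "-" "python-requests/2.31"',
    '198.51.100.7 - - [08/May/2026:09:13:50 +0000] "POST /mifs/admin/login HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '203.0.113.9 - - [08/May/2026:09:14:02 +0000] "GET /mifs/c/checkin HTTP/1.1" 200 88 "-" "epmm-device-agent"',
] + [
    f'198.51.100.7 - - [08/May/2026:09:15:{s:02d} +0000] "POST /mifs/admin/policies HTTP/1.1" 200 12 "-" "python-requests/2.31"'
    for s in range(0, 40, 2)
]

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(*finding)
```

Run it over the rotated logs you pulled off the appliance (not just the live file), and widen the window back to the January 2026 zero-days: the chain described above means the interesting admin logins may predate this CVE's disclosure by months.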

  • https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs
  • https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • https://nvd.nist.gov/vuln/detail/CVE-2026-6973
  • https://www.helpnetsecurity.com/2026/05/08/ivanti-epmm-zero-day-cve-2026-6973/