TLP:WHITE
Disclosure not limited. This advisory may be distributed publicly through any channel.
OFFICIAL ADVISORY // CVE-2026-6973 // PUBLISHED 2026-05-07

Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation — Authenticated Admin RCE Zero-Day, Actively Exploited, CISA KEV

CVE-2026-6973 is a high-severity (CVSS 7.2) improper input validation vulnerability in on-premises Ivanti EPMM (versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1) that allows a remotely authenticated user with administrative access to achieve remote code execution on the underlying appliance OS. Ivanti and the Belgian Centre for Cyber Security confirmed exploitation against a limited number of customers at the time of disclosure, making it a zero-day. Threat actors are chaining this flaw with stolen admin credentials harvested through the January 2026 EPMM vulnerabilities (CVE-2026-1281/CVE-2026-1340). CISA added it to the KEV catalog with a May 10 federal remediation deadline; over 800 EPMM instances remain internet-exposed.

AFFECTED SYSTEM                                        SEVERITY   EXPLOIT   PATCH
Ivanti EPMM (on-premises) versions prior to 12.6.1.1   HIGH       LIMITED   PATCHED
Ivanti EPMM (on-premises) versions prior to 12.7.0.1   HIGH       LIMITED   PATCHED
Ivanti EPMM (on-premises) versions prior to 12.8.0.1   HIGH       LIMITED   PATCHED

MITIGATION

Upgrade EPMM immediately to versions 12.6.1.1, 12.7.0.1, or 12.8.0.1 (these releases also include fixes for the January 2026 CVEs). Rotate ALL EPMM administrative credentials, especially if credentials were not rotated after the January 2026 advisories for CVE-2026-1281 and CVE-2026-1340. Restrict EPMM admin interface access to trusted management networks using network segmentation and firewall rules. Review Ivanti Sentry security posture in parallel due to its dependency on EPMM configuration. Ivanti Neurons for MDM (cloud), Ivanti EPM, and Ivanti Sentry are NOT affected.

DETECTION

Review EPMM application and system logs for unauthorized administrative activity, for example: grep 'admin' /var/log/ivanti/epmm/access.log | grep -E 'POST|GET'. Audit recent changes to device policies, enrollment settings, administrative role assignments, and SSO/LDAP integration configuration. Monitor for unexpected outbound connections from the EPMM appliance. Check for newly enrolled devices belonging to restricted sets. No reliable atomic IOCs have been publicly disclosed; behavioral monitoring is the primary detection approach. Confirm the EPMM version via the HTTP banner: curl -k -I https://[target]:8443 | grep -i 'server'.
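The two checks above (is a given build below its branch's fixed release, and which admin requests in the access log deserve a look) as an added Python example; this is not Ivanti's code, and the combined-format log lines, the placeholder admin paths and the 10.10.0.0/24 management network are constructed assumptions:

```python
# Added triage helpers for CVE-2026-6973 (not Ivanti's); log format and 10.10.0.0/24 are assumptions.
import ipaddress
import re

# Lowest fixed build per branch, per the advisory.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}

def parse_version(text):
    """'12.7.0' -> (12, 7, 0, 0): pad to four components for tuple comparison."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def is_vulnerable(version_text):
    """True when an on-prem EPMM build predates its branch's fixed release."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # Older branches have no fixed build; newer ones are assumed to carry the fix.
    return branch < (12, 6)

# Combined-log style line; only the fields needed for triage are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)')

def flag_admin_requests(lines, trusted_nets):
    """Admin-path GET/POST requests whose source is outside the management nets."""
    # Same filter as the advisory's grep, minus hits from trusted sources.
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in ("GET", "POST") or "admin" not in m["path"]:
            continue
        if not any(ipaddress.ip_address(m["ip"]) in net for net in nets):
            flagged.append((m["ip"], m["user"], m["method"], m["path"]))
    return flagged

# Constructed sample lines; the paths are placeholders, not real EPMM endpoints.
SAMPLE_LOG = [
    '10.10.0.5 - admin [07/May/2026:06:01:12 +0000] "GET /admin/dashboard HTTP/1.1" 200 812',
    '203.0.113.44 - admin [07/May/2026:06:02:40 +0000] "POST /admin/policies HTTP/1.1" 200 102',
    '198.51.100.9 - user1 [07/May/2026:06:03:01 +0000] "GET /enroll HTTP/1.1" 200 51',
]
if __name__ == "__main__":
    for v in ("12.6.1.0", "12.6.1.1", "12.7.0.0", "12.8.0.1"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    for hit in flag_admin_requests(SAMPLE_LOG, ["10.10.0.0/24"]):
        print("REVIEW:", hit)
```

Note that 12.7.0.0 sorts above 12.6.1.1 yet is still vulnerable, which is why the comparison is done per branch rather than against a single threshold.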

  • https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs
  • https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • https://nvd.nist.gov/vuln/detail/CVE-2026-6973