VULNERABILITY OVERVIEW
An improper input validation vulnerability in Ivanti EPMM allows a remote authenticated attacker with administrative privileges to execute arbitrary code on the underlying appliance. Ivanti and the Belgian Centre for Cyber Security confirmed active zero-day exploitation against a limited number of customers; threat actors are assessed to be chaining this flaw with stolen admin credentials harvested from the January 2026 EPMM zero-days (CVE-2026-1281/1340, CVSS 9.8). This is the third confirmed EPMM zero-day exploitation event in 2026; prior campaigns have been linked to China- and Iran-nexus actors. Shadowserver tracks over 800 internet-exposed EPMM instances. CISA added the vulnerability to its KEV catalog on May 7, 2026, with a 3-day federal remediation window.
CVSS BREAKDOWN
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: HIGH
- User Interaction: NONE
- Scope / Impact: UNCHANGED, C:H · I:H · A:H
AFFECTED VERSIONS
Ivanti EPMM versions 12.8.0.0 and prior; fixed in 12.6.1.1, 12.7.0.1, 12.8.0.1
CITATIONS
- → Ivanti Security Advisory: https://hub.ivanti.com/s/article/May-2026-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-Multiple-CVEs
- → CISA KEV / Alert: https://www.cisa.gov/news-events/alerts/2026/05/07/cisa-adds-one-known-exploited-vulnerability-catalog
- → Security Boulevard: https://securityboulevard.com/2026/05/ivanti-warns-of-new-epmm-flaw-exploited-in-zero-day-attacks/
- → The Hacker News: https://thehackernews.com/2026/05/ivanti-epmm-cve-2026-6973-rce-under.html
- → NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-6973
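
For inventory triage against the affected and fixed versions listed above, the following added example (not Ivanti's or the advisory's own code) classifies EPMM version strings. It assumes each fixed release applies to its own major.minor train and that trains older than 12.6 have no listed fix; the hostnames and versions in the sample inventory are constructed.

```python
# Added example: triage EPMM versions against the fixed releases on this page.
# Assumption: each fix applies to its own major.minor release train.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
NEWEST_AFFECTED = (12, 8, 0, 0)  # "12.8.0.0 and prior"


def parse_version(text):
    """Turn '12.7.0.0' into (12, 7, 0, 0); pad short strings with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 4 or any(p < 0 for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def triage(version_text):
    """Return (status, advice) for one appliance version string."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return ("unknown", "verify version manually")
    fix = FIXED.get(v[:2])
    if fix is not None:
        if v >= fix:
            return ("fixed", "no action for this issue")
        return ("vulnerable", "upgrade to " + ".".join(map(str, fix)))
    if v <= NEWEST_AFFECTED:
        # Older train with no listed fix: must move to a fixed train.
        return ("vulnerable", "upgrade to a fixed release train")
    return ("unknown", "newer than the advisory covers; check vendor notes")


# Constructed sample inventory (hostnames and versions are illustrative).
INVENTORY = {
    "mdm-core-01": "12.8.0.0",
    "mdm-core-02": "12.7.0.1",
    "mdm-lab-01": "12.5.1.0",
    "mdm-dr-01": "12.6.1.0",
}


def report(inventory):
    """Map each host to its (status, advice) tuple."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, (status, advice) in sorted(report(INVENTORY).items()):
        print(f"{host:12} {status:10} {advice}")
```

Feed it the version strings exported from your asset inventory; anything returned as "unknown" needs a manual check rather than being treated as safe.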