Critical Endpoint Management Security Advisory: Ivanti EPMM Vulnerabilities Under Active Exploitation Could Enable Remote Code Execution and Administrative Compromise

Newly Patched Ivanti Endpoint Manager Mobile Vulnerabilities May Allow Attackers to Gain Administrative Access, Execute Arbitrary Code, and Compromise Enterprise Device Management Infrastructure

EXECUTIVE OVERVIEW

A newly disclosed vulnerability affecting Ivanti Endpoint Manager Mobile is currently under active exploitation in limited real-world attacks.

The primary vulnerability, CVE-2026-6973, is a high-severity improper input validation flaw that may allow authenticated administrators to achieve remote code execution (RCE) on vulnerable Ivanti Endpoint Manager Mobile (EPMM) systems.

In addition, multiple other vulnerabilities affecting access control, certificate validation, and device enrollment mechanisms were patched alongside the actively exploited flaw. Because EPMM platforms often manage enterprise mobile devices, authentication workflows, and corporate access policies, successful exploitation could expose organizations to significant operational and security risks.

Furthermore, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the seriousness of the threat.

PRIMARY VULNERABILITY DETAILS

CVE-2026-6973

Remote Code Execution Through Improper Input Validation

Severity: High (CVSS 7.2)
Affected Product: Ivanti Endpoint Manager Mobile (EPMM)
Vulnerability Type: Improper Input Validation

This vulnerability allows a remotely authenticated attacker with administrative access to execute arbitrary code on vulnerable EPMM systems. Consequently, attackers who gain privileged access may fully compromise endpoint management infrastructure and connected enterprise devices.

According to Ivanti, exploitation activity has already been observed in a limited number of customer environments. Although exploitation requires administrative authentication, organizations previously compromised through earlier Ivanti vulnerabilities may face elevated risk if credentials were not rotated properly.

Potential Risks

Remote code execution on EPMM infrastructure
Administrative system compromise
Unauthorized access to managed devices
Credential abuse and privilege escalation
Enterprise-wide endpoint management disruption

ADDITIONAL VULNERABILITIES PATCHED

CVE-2026-5786

Administrative Access Through Improper Access Control

Severity: Critical (CVSS 8.8)

This vulnerability may allow authenticated attackers to gain administrative access through improper access control handling. As a result, attackers could escalate privileges and compromise enterprise mobility infrastructure.

CVE-2026-5787

Certificate Validation Weakness Allowing Host Impersonation

Severity: Critical (CVSS 8.9)

An improper certificate validation flaw may allow unauthenticated attackers to impersonate registered Sentry hosts and obtain valid CA-signed client certificates. Consequently, attackers may establish trusted communications using fraudulent identities.

CVE-2026-5788

Arbitrary Method Invocation via Improper Access Controls

Severity: High (CVSS 7.0)

This vulnerability may allow unauthenticated attackers to invoke arbitrary methods remotely. Therefore, attackers could potentially manipulate backend functions or abuse internal application workflows.

CVE-2026-7821

Unauthorized Device Enrollment and Information Disclosure

Severity: High (CVSS 7.4)

An improper certificate validation issue may allow attackers to enroll unauthorized devices and expose information about the EPMM appliance. Moreover, exploitation could affect the integrity of newly enrolled device identities.

AFFECTED VERSIONS

The vulnerabilities affect Ivanti EPMM versions prior to:

12.6.1.1
12.7.0.1
12.8.0.1

Ivanti confirmed that these issues impact only the on-premises EPMM product.

Not Affected

Ivanti Neurons for MDM
Ivanti Endpoint Manager (EPM)
Ivanti Sentry
Other Ivanti products

BUSINESS & ENTERPRISE IMPACT

Organizations relying on Ivanti EPMM for mobile device management may face significant operational and security risks if systems remain unpatched. Because endpoint management platforms control device enrollment, authentication policies, and enterprise access workflows, compromise at this level could create widespread downstream exposure.

Potential Enterprise Risks

Unauthorized administrative access
Compromise of managed mobile devices
Exposure of enterprise credentials and certificates
Device identity manipulation
Lateral movement across enterprise infrastructure

Additionally, attackers increasingly target endpoint management platforms because they often provide centralized visibility and control across large device ecosystems.

RECOMMENDED ACTIONS

Immediate Mitigation Steps

1. Patch Immediately
Upgrade all affected Ivanti EPMM deployments to the latest fixed versions without delay.

2. Rotate Administrative Credentials
Organizations previously affected by earlier Ivanti vulnerabilities should immediately rotate credentials and review privileged access accounts.

3. Review Device Enrollment Activity
Audit enrolled devices and investigate unusual enrollment behavior or unauthorized certificate issuance.

4. Restrict Administrative Access
Limit access to EPMM administrative interfaces using network segmentation, MFA, and strict access controls.

STRATEGIC SECURITY PERSPECTIVE

From a security perspective, endpoint management platforms represent high-value infrastructure targets because they centralize authority over enterprise devices, certificates, and authentication workflows. Consequently, attackers frequently exploit weaknesses in these systems to gain persistent administrative control and expand access across enterprise environments.

Moreover, vulnerabilities involving certificate validation and device enrollment highlight how identity trust mechanisms continue to be attractive targets for advanced attackers. Organizations should continuously monitor management infrastructure, enforce least-privilege access, and isolate critical management services from unnecessary exposure.

KEY TAKEAWAY

The actively exploited Ivanti EPMM vulnerability and related access control flaws demonstrate the growing risks facing enterprise endpoint management infrastructure.

Therefore, organizations should prioritize rapid patch deployment, credential rotation, certificate auditing, and strict administrative access controls to reduce the likelihood of enterprise-wide compromise.

Over 20,000 Instagram Accounts Hijacked Through Meta AI Support Flaw

Nottingham University Data Breach Exposes Records of More Than 450,000 Students

DragonForce Ransomware Hides C2 Traffic Inside Microsoft Teams Infrastructure

North Korean Hackers Weaponize Developer Tools to Turn Code Workflows Into Malware Delivery Channels

Anthropic Unveils Claude Fable 5 with Built-In Cyber Safeguards as AI Security Enters a New Era

ATHR AI Vishing Platform Automates Voice Phishing at Scale

How Modern Businesses Can Measure Cyber Risk in Financial and Operational Terms Instead of Technical Guesswork

What Is Wiper Malware in Cybersecurity? Understanding One of the Most Destructive Types of Cyber Attacks

Why Delaying Software Updates Can Put Your Entire Digital Security at Risk

How Attackers Abuse Legitimate Windows Tools: Understanding LOLBins and Living-Off-the-Land Attacks

Brave Launches Paid ‘Origin’ Browser for Users Seeking a Cleaner, Privacy-First Experience

Apple Blocks $11 Billion in App Store Fraud as Mobile Threats Continue to Rise

Critical Endpoint Management Security Advisory: Ivanti EPMM Vulnerabilities Under Active Exploitation Could Enable Remote Code Execution and Administrative Compromise