Ivanti Endpoint Manager Mobile (EPMM)

Ivanti on-premises MDM platform; CVE-2026-6973 is its fourth KEV zero-day since 2023.

Last refreshed: 8 May 2026

Key Question

With four KEV zero-days in three years, is Ivanti EPMM still fit for government MDM?

Timeline for Ivanti Endpoint Manager Mobile (EPMM)

#3 · 7 May

Found vulnerable to authenticated admin RCE, fourth such flaw to reach KEV since 2023

Cybersecurity: Threats and Defences: Ivanti EPMM logs fourth KEV zero-day since 2023
Common Questions
Is Ivanti EPMM still being hacked in 2026?
Yes. CVE-2026-6973, an authenticated RCE in Ivanti EPMM, was added to CISA's KEV on 7 May 2026 with a 10 May deadline; it is the fourth Ivanti MDM zero-day to reach KEV since 2023. Source: CISA
Why does Ivanti EPMM keep having zero-days?
Four KEV zero-days in three years suggests sustained adversary interest in MDM servers, which control thousands of mobile devices. Ivanti has not provided a comprehensive public explanation for the recurring vulnerability pattern.
How is CVE-2026-6973 different from earlier Ivanti EPMM vulnerabilities?
CVE-2026-6973 (CVSS 7.2) requires a remotely authenticated administrator session, whereas some prior Ivanti EPMM CVEs allowed unauthenticated exploitation. Ivanti noted reduced risk for customers who rotated credentials after the January 2026 zero-days. Source: Ivanti / CISA

Background

Ivanti Endpoint Manager Mobile (EPMM) is an on-premises Mobile Device Management (MDM) platform used by government agencies and large enterprises to manage employee mobile devices, enforce security policies, and control access to corporate resources. On 7 May 2026, CISA added CVE-2026-6973 — an authenticated Remote Code Execution vulnerability (CVSS 7.2) — to the Known Exploited Vulnerabilities catalogue with a 10 May federal deadline. This is the fourth Ivanti MDM zero-day to reach KEV since 2023, establishing EPMM as one of the most persistently exploited enterprise software products in the US federal CVE ecosystem.

The series began in 2023 when the Norwegian Security and Service Organisation (NSSO) was compromised via CVE-2023-35078, the first EPMM zero-day. Subsequent vulnerabilities have been exploited in rapid succession, indicating sustained adversary interest in MDM platforms as a strategic attack surface: compromising an MDM server can yield device management control over potentially thousands of enrolled endpoints. Ivanti has noted that customers who rotated credentials after the January 2026 zero-days face reduced risk from CVE-2026-6973, suggesting the vulnerability requires access to credentials that may have been harvested in prior intrusions.

The repeated pattern of Ivanti EPMM zero-days raises structural questions about the product's security posture. CVE-2026-6973's CVSS of 7.2 (lower than some prior Ivanti CVEs) reflects that remote authentication is required — but in environments where prior compromises may have yielded valid admin credentials, that distinction matters less than it appears.

Source Material