Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
8MAY

Ivanti EPMM logs fourth KEV zero-day since 2023

3 min read
10:57UTC

CISA added CVE-2026-6973 in Ivanti Endpoint Manager Mobile to KEV on 7 May, the fourth zero-day in the same on-premises MDM product to reach the federal catalogue since 2023. Ivanti confirms limited exploitation; on-premises deployments are affected, Ivanti Neurons cloud is not.

TechnologyDeveloping
Key takeaway

Four Ivanti MDM zero-days in three years: state actors have made the mobile-device-management plane a sustained primary target.

CISA added CVE-2026-6973 in Ivanti Endpoint Manager Mobile (EPMM), Ivanti's on-premises mobile device manager, to the Known Exploited Vulnerabilities (KEV) catalogue on 7 May with a 10 May federal deadline.1 The CVSS score is 7.2. The vulnerability allows a remotely authenticated administrator to achieve remote code execution; Ivanti confirms limited exploitation in the wild and notes that customers who rotated credentials after the January 2026 zero-days on the same product carry reduced risk.2 The on-premises deployment is affected; Ivanti Neurons for MDM in the cloud is not.

MDM (Mobile Device Management) servers occupy a privileged position in enterprise networks: they govern every staff phone and laptop in a managed estate. An attacker with administrative access to the MDM server controls every device it manages, with no further exploitation required. The Norwegian Security and Service Organisation and US government agencies were victims of the prior three Ivanti EPMM zero-days. Reaching the fourth in three years with the same product confirms sustained attention from state-aligned actors on the on-premises MDM plane specifically.

The comparison with the Stryker incident clarifies the symmetry. Stryker showed how a single stolen Microsoft Intune credential could trigger a device wipe across 200,000 endpoints in 79 countries and produce a US Securities and Exchange Commission (SEC) 8-K/A materiality filing. CVE-2026-6973 extends the pressure to the on-premises side in the same quarter: cloud MDM under criminal credential abuse, on-premises MDM under state-actor software exploitation, simultaneously. For UK and EU public-sector estates running on-premises Ivanti EPMM (including NHS trusts), credential rotation after each new zero-day is now a permanent operational cadence, not a one-off remediation task.

Deep Analysis

In plain English

Ivanti makes software that large organisations use to manage thousands of smartphones, tablets, and laptops. With this software, IT departments can remotely lock a stolen phone, push a security update to every device at once, or wipe a device if it is lost. That level of control makes the software itself a high-value target. This is the fourth serious security flaw in the same Ivanti product since 2023 to be listed on the US government's priority patch list. Each time a flaw appears, organisations that have not patched can have their management software taken over, which gives attackers control over every device that software manages. The NHS in the UK uses this product across multiple hospitals. So does the Norwegian government, which was attacked through an earlier version of the same flaw.

Deep Analysis
Root Causes

Ivanti EPMM's on-premises deployment model requires a single server to handle device enrolment, policy distribution, and remote wipe commands with administrator-level authority. That single-server architecture means the management plane's authentication layer is both the attack surface and the defence. A remotely-authenticated administrator RCE (CVSS 7.2) means an attacker who has obtained any valid admin credential can achieve code execution on the server controlling all managed devices.

The 'limited exploitation' caveat from Ivanti reflects the higher bar for this CVE versus prior ones: CVE-2026-6973 requires a valid admin credential, whereas earlier Ivanti EPMM zero-days allowed unauthenticated access. This means the credential-rotation guidance Ivanti issued after January 2026 zero-days does provide some protection, but organisations that did not rotate credentials remain fully exposed.

The Norwegian Security and Service Organisation's prior victimisation by an earlier Ivanti EPMM zero-day is publicly documented, which means state actors have confirmed the management plane provides access to government device fleets with high value.

What could happen next?
  • Risk

    Organisations running on-premises Ivanti EPMM without credential rotation after January 2026 are fully exposed to CVE-2026-6973 and should treat their device fleet as potentially under attacker policy control until the patch is applied and credentials rotated.

    Immediate · 0.9
  • Consequence

    Four Ivanti EPMM zero-days in three years will accelerate public-sector migration planning towards cloud-MDM alternatives, with NHS Digital and Nordic government bodies likely to produce business cases for migration in the next procurement cycle.

    Medium term · 0.7
  • Risk

    State-aligned actors have confirmed MDM servers as a primary target. Organisations that manage sensitive devices (law enforcement, intelligence, healthcare) and run on-premises MDM now face sustained threat-actor interest regardless of which vendor they use.

    Long term · 0.85
First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

CISA· 8 May 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.