Cybersecurity: Threats and Defences
Ivanti EPMM logs fourth KEV zero-day since 2023

8 May · 10:57 UTC

CISA added CVE-2026-6973 in Ivanti Endpoint Manager Mobile to KEV on 7 May, the fourth zero-day in the same on-premises MDM product to reach the federal catalogue since 2023. Ivanti confirms limited exploitation; on-premises deployments are affected, Ivanti Neurons cloud is not.

Technology · Developing
Key takeaway

Four Ivanti MDM zero-days in three years: state actors have made the mobile-device-management plane a sustained primary target.

CISA added CVE-2026-6973 in Ivanti Endpoint Manager Mobile (EPMM), Ivanti's on-premises mobile device manager, to the Known Exploited Vulnerabilities (KEV) catalogue on 7 May with a 10 May federal remediation deadline.1 The vulnerability, scored CVSS 7.2, allows a remotely authenticated administrator to achieve remote code execution on the server; Ivanti confirms limited exploitation in the wild and notes that customers who rotated credentials after the January 2026 zero-days in the same product carry reduced risk.2 The on-premises deployment is affected; Ivanti Neurons for MDM in the cloud is not.

MDM (Mobile Device Management) servers occupy a privileged position in enterprise networks: they govern every staff phone and laptop in a managed estate. An attacker with administrative access to the MDM server controls every device it manages, with no further exploitation required. The Norwegian Security and Service Organisation and US government agencies were victims of the prior three Ivanti EPMM zero-days. A fourth zero-day in three years in the same product points to sustained attention from state-aligned actors on the on-premises MDM plane specifically.

The Stryker incident is the complementary case. Stryker showed how a single stolen Microsoft Intune credential could trigger a device wipe across 200,000 endpoints in 79 countries and produce a US Securities and Exchange Commission (SEC) 8-K/A materiality filing. CVE-2026-6973 puts the same pressure on the on-premises side in the same quarter: cloud MDM under criminal credential abuse, on-premises MDM under state-actor software exploitation, at once. For UK and EU public-sector estates running on-premises Ivanti EPMM (including NHS trusts), rotating credentials after each new zero-day is now a standing operational cadence rather than a one-off remediation task.

Deep Analysis

In plain English

Ivanti makes software that large organisations use to manage thousands of smartphones, tablets, and laptops. With this software, IT departments can remotely lock a stolen phone, push a security update to every device at once, or wipe a device if it is lost. That level of control makes the software itself a high-value target. This is the fourth serious security flaw in the same Ivanti product since 2023 to be listed on the US government's priority patch list. Each time a flaw appears, organisations that have not patched can have their management software taken over, which gives attackers control over every device that software manages. The NHS in the UK uses this product across multiple hospitals. So does the Norwegian government, which was attacked through an earlier flaw in the same product.

Root Causes

Ivanti EPMM's on-premises deployment model requires a single server to handle device enrolment, policy distribution, and remote wipe commands with administrator-level authority. That single-server architecture means the management plane's authentication layer is both the attack surface and the defence. A remotely authenticated administrator RCE (CVSS 7.2) means that an attacker holding any valid admin credential can execute code on the server that controls every managed device.

The 'limited exploitation' caveat from Ivanti reflects the higher bar for this CVE compared with the earlier ones: CVE-2026-6973 requires a valid admin credential, whereas the earlier Ivanti EPMM zero-days allowed unauthenticated access. The credential-rotation guidance Ivanti issued after the January 2026 zero-days therefore does provide some protection, but organisations that did not rotate remain exposed to any admin credential captured during that earlier exploitation.
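The practical check that follows from this is an exposure audit of the EPMM admin accounts: which admin credentials have not been changed since the January 2026 zero-days, and are therefore still usable by anyone who captured them then. The script below is an added example, not Ivanti's code or part of the briefing. It assumes you have exported the local admin-account list to CSV; the column names, the sample rows and the exact January cut-off date are constructed assumptions, so substitute the date of your own rotation guidance and your own export.

```python
"""Credential-exposure audit for on-premises EPMM admin accounts.

Added example, not Ivanti's code. Assumes an admin-account export in CSV
with the columns used below; the export format, column names and sample
rows are constructed for illustration.
"""
import csv
import io
from datetime import date, datetime

# Dates from the briefing: January 2026 zero-days on the same product,
# KEV addition on 7 May 2026, federal remediation deadline 10 May 2026.
# The exact January day is an assumption; use your own rotation date.
JAN_2026_ZERO_DAY = date(2026, 1, 1)
KEV_ADDED = date(2026, 5, 7)
FED_DEADLINE = date(2026, 5, 10)

# Constructed sample export; a real one would come from the EPMM admin
# portal or your identity provider (column names are an assumption).
SAMPLE_EXPORT = """\
username,role,last_password_change,mfa_enforced,last_login_ip
svc-mdm-backup,admin,2025-11-20,false,10.20.0.5
alice.adm,admin,2026-02-03,true,10.20.0.40
bob.adm,admin,2025-12-28,true,10.20.0.41
helpdesk-ro,helpdesk,2025-09-01,false,10.20.1.9
"""


def parse_export(text):
    """Parse the CSV export into a list of account dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"].strip(),
            "role": row["role"].strip().lower(),
            "last_password_change": datetime.strptime(
                row["last_password_change"].strip(), "%Y-%m-%d").date(),
            "mfa_enforced": row["mfa_enforced"].strip().lower() == "true",
        })
    return rows


def classify(account, rotation_cutoff=JAN_2026_ZERO_DAY):
    """Return an exposure label for one account.

    CVE-2026-6973 needs a valid admin credential, so the question is
    whether this credential could have been stolen through the January
    2026 unauthenticated zero-days and still be valid now.
    """
    if account["role"] != "admin":
        return "not-admin"            # cannot reach the admin RCE path
    if account["last_password_change"] > rotation_cutoff:
        return "rotated"              # changed after the earlier campaign
    if account["mfa_enforced"]:
        # MFA narrows the window (a bare password is not enough) but any
        # admin session that survived the January campaign is still a path.
        return "stale-mfa"
    return "stale-no-mfa"             # password alone is an admin session


def audit(text, rotation_cutoff=JAN_2026_ZERO_DAY):
    """Map every username in the export to its exposure label."""
    return {a["username"]: classify(a, rotation_cutoff)
            for a in parse_export(text)}


def days_to_deadline(today, deadline=FED_DEADLINE):
    """Days left until the KEV remediation deadline (negative if past)."""
    return (deadline - today).days


if __name__ == "__main__":
    for user, status in audit(SAMPLE_EXPORT).items():
        print(f"{user:16} {status}")
    print("days from KEV addition to federal deadline:",
          days_to_deadline(KEV_ADDED))
```

Anything labelled `stale-no-mfa` is the priority: rotate it before the patch window closes, and treat the devices it can reach as potentially under attacker policy control until both the patch and the rotation are done. Service accounts like the backup user in the sample are the ones most often missed by a rotation sweep aimed at human administrators.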

The Norwegian Security and Service Organisation's earlier compromise through an Ivanti EPMM zero-day is publicly documented, so state actors already know that the management plane yields access to high-value government device fleets.

What could happen next?
  • Risk

    Organisations running on-premises Ivanti EPMM without credential rotation after January 2026 are fully exposed to CVE-2026-6973 and should treat their device fleet as potentially under attacker policy control until the patch is applied and credentials rotated.

    Immediate · 0.9
  • Consequence

    Four Ivanti EPMM zero-days in three years will accelerate public-sector migration planning towards cloud-MDM alternatives, with NHS Digital and Nordic government bodies likely to produce business cases for migration in the next procurement cycle.

    Medium term · 0.7
  • Risk

    State-aligned actors have confirmed MDM servers as a primary target. Organisations that manage sensitive devices (law enforcement, intelligence, healthcare) and run on-premises MDM now face sustained threat-actor interest regardless of which vendor they use.

    Long term · 0.85
First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

CISA · 8 May 2026
Different Perspectives
Norwegian Security and Service Organisation
NSSO was a prior victim of Ivanti EPMM zero-days and now faces CVE-2026-6973 in the same product line. Ivanti's position that on-premises EPMM is the only affected tier provides limited reassurance to a government body that has already been compromised via the same vendor's MDM infrastructure.
ENISA and EU CNA Ecosystem
ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May, expanding EU-sovereign vulnerability disclosure infrastructure in the same week three critical CVEs entered the CISA KEV catalogue. Greater CNA coverage inside the EU reduces dependence on US-anchored MITRE for European-sourced vulnerability identifiers.
German Federal Office for Information Security (BSI)
BSI rated CVE-2026-41940 in cPanel 'very high', reflecting Germany's exposure across shared-hosting infrastructure for Mittelstand businesses. The 65-day zero-day window and the amplification effect of cPanel's multi-tenancy model mean the BSI rating applies to thousands of German SME websites hosted on affected servers.
Republic of Korea National Intelligence Service
South Korea's NIS tracks UNC1069's tooling evolution; the CSIS paper argues the ROK's intelligence on DPRK cyber operations should feed joint US-ROK situational awareness rather than bilateral channels that move too slowly for real-time supply-chain response.
Democratic People's Republic of Korea
UNC1069's Axios operation scales North Korea's supply-chain access from niche Python packages to the most downloaded HTTP client in the JavaScript ecosystem. WAVESHAPER.V2 provides persistent access to development environments where cryptocurrency wallets and API keys are stored, serving the sanctions-evasion funding logic behind earlier DPRK toolchain operations.
WatchTowr Labs
WatchTowr Labs disclosed CVE-2026-41940 after the 28 April patch shipped, providing the 65-day exploitation timeline from KnownHost telemetry. The disclosure is textbook; the open question is why WebPros did not catch the cpsrvd CRLF class flaw before external researchers found it under active exploitation.