Cybersecurity: Threats and Defences
20 May

Ivanti EPMM logs fourth KEV zero-day since 2023

09:58 UTC

CISA added CVE-2026-6973 in Ivanti Endpoint Manager Mobile to KEV on 7 May, the fourth zero-day in the same on-premises MDM product to reach the federal catalogue since 2023. Ivanti confirms limited exploitation; on-premises deployments are affected, Ivanti Neurons cloud is not.

Technology · Developing
Key takeaway

Four Ivanti MDM zero-days in three years: state actors have made the mobile-device-management plane a sustained primary target.

CISA added CVE-2026-6973 in Ivanti Endpoint Manager Mobile (EPMM), Ivanti's on-premises mobile device manager, to the Known Exploited Vulnerabilities (KEV) catalogue on 7 May, with a 10 May remediation deadline for federal agencies under BOD 22-01 [1]. The CVSS score is 7.2. The vulnerability lets a remote attacker who already holds valid administrator credentials execute code on the EPMM server; Ivanti confirms limited in-the-wild exploitation and notes that customers who rotated credentials after the January 2026 zero-days in the same product carry reduced risk [2]. On-premises deployments are affected; Ivanti Neurons for MDM, the cloud service, is not.

MDM (Mobile Device Management) servers occupy a privileged position in enterprise networks: they govern every staff phone and laptop in a managed estate, and an attacker with administrative access to the MDM server controls every device it manages with no further exploitation required. The Norwegian Security and Service Organisation and US government agencies were victims of the prior three Ivanti EPMM zero-days. A fourth in three years against the same product confirms sustained attention from state-aligned actors on the on-premises MDM plane specifically.

The Stryker incident shows the other half of the picture. There, a single stolen Microsoft Intune credential was enough to trigger a device wipe across 200,000 endpoints in 79 countries and to produce a US Securities and Exchange Commission (SEC) 8-K/A materiality filing. CVE-2026-6973 puts the same pressure on the on-premises side in the same quarter: cloud MDM under criminal credential abuse, on-premises MDM under state-actor software exploitation, simultaneously. For UK and EU public-sector estates running on-premises Ivanti EPMM (including NHS trusts), credential rotation after each new zero-day is now a permanent operational cadence, not a one-off remediation task.

Deep Analysis

In plain English

Ivanti makes software that large organisations use to manage thousands of smartphones, tablets, and laptops. With this software, IT departments can remotely lock a stolen phone, push a security update to every device at once, or wipe a device if it is lost. That level of control makes the software itself a high-value target. This is the fourth serious security flaw in the same Ivanti product since 2023 to be listed on the US government's priority patch list. Each time a flaw appears, organisations that have not patched can have their management software taken over, which gives attackers control over every device that software manages. The NHS in the UK uses this product across multiple hospitals. So does the Norwegian government, which was attacked through an earlier zero-day in the same product.

Root Causes

Ivanti EPMM's on-premises deployment model requires a single server to handle device enrolment, policy distribution, and remote wipe commands with administrator-level authority. That single-server architecture means the management plane's authentication layer is both the attack surface and the defence. An RCE reachable by a remotely authenticated administrator (CVSS 7.2) means that an attacker holding any valid admin credential, however obtained, can execute code on the server that controls all managed devices.

The 'limited exploitation' caveat from Ivanti reflects the higher bar for this CVE than for its predecessors: CVE-2026-6973 requires a valid admin credential, whereas earlier Ivanti EPMM zero-days allowed unauthenticated access. The credential-rotation guidance Ivanti issued after the January 2026 zero-days therefore provides some protection, because a credential that was in use while an earlier flaw was being exploited has to be treated as potentially captured; organisations that did not rotate remain fully exposed.
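The rotation cadence described above (every new KEV entry for the product is a trigger to rotate every EPMM admin credential) can be checked mechanically. The following is an added example written for this briefing, not code from Ivanti, CISA or the briefing's author. It reads a feed in CISA's KEV JSON layout (the real feed uses the field names cveID, vendorProject, product, dateAdded and dueDate), selects the entries for one product, and reports admin accounts whose last rotation does not postdate the newest addition. The feed content, account names and rotation dates below are constructed for the example; CVE-2026-6973's dates are the ones in the briefing, and the synthetic entry CVE-0000-0000 exists only to show that filtering by product works.

```python
"""Added example (not from the briefing, Ivanti or CISA): credential-rotation
cadence check against a KEV-format feed. All sample data is constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed feed using the KEV JSON field names. CVE-2026-6973 dates come
# from the briefing; CVE-2023-35078 is the 2023 EPMM entry; CVE-0000-0000 is
# a synthetic filler for an unrelated product.
KEV_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-35078", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM)",
         "dateAdded": "2023-07-25", "dueDate": "2023-08-15"},
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor",
         "product": "Example Product",
         "dateAdded": "2026-04-01", "dueDate": "2026-04-22"},
        {"cveID": "CVE-2026-6973", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM)",
         "dateAdded": "2026-05-07", "dueDate": "2026-05-10"},
    ]
})

# Constructed (hypothetical) EPMM admin inventory: account -> last rotation.
ADMIN_ROTATIONS = {
    "mdm-admin": date(2026, 5, 8),        # rotated after the 7 May KEV addition
    "helpdesk-admin": date(2026, 1, 20),  # rotated in January, stale again now
    "legacy-svc": date(2022, 11, 3),      # never rotated since the 2023 zero-day
}


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    date_added: date
    due_date: date


def product_entries(feed_json: str, vendor: str, product_substr: str) -> list[KevEntry]:
    """Return the KEV entries for one vendor/product, oldest first."""
    feed = json.loads(feed_json)
    out = []
    for v in feed["vulnerabilities"]:
        if v["vendorProject"] == vendor and product_substr.lower() in v["product"].lower():
            out.append(KevEntry(v["cveID"],
                                date.fromisoformat(v["dateAdded"]),
                                date.fromisoformat(v["dueDate"])))
    return sorted(out, key=lambda e: e.date_added)


def stale_accounts(rotations: dict[str, date], entries: list[KevEntry]) -> dict[str, list[str]]:
    """Map each account to the KEV entries it has not been rotated after.

    A rotation on the same day as dateAdded is treated as stale: the flaw was
    already being exploited when the catalogue entry appeared, so a same-day
    rotation cannot be shown to postdate the exposure window."""
    stale: dict[str, list[str]] = {}
    for account, rotated in rotations.items():
        missed = [e.cve_id for e in entries if rotated <= e.date_added]
        if missed:
            stale[account] = missed
    return stale


def deadline_status(entries: list[KevEntry], today: date) -> tuple[str, int]:
    """Newest entry for the product and days remaining to its federal due date
    (negative once the deadline has passed)."""
    latest = max(entries, key=lambda e: e.date_added)
    return latest.cve_id, (latest.due_date - today).days


if __name__ == "__main__":
    entries = product_entries(KEV_FEED, "Ivanti", "Endpoint Manager Mobile")
    for account, cves in stale_accounts(ADMIN_ROTATIONS, entries).items():
        print(f"{account}: rotate now, credential predates {', '.join(cves)}")
    cve, days = deadline_status(entries, date(2026, 5, 8))
    print(f"{cve}: {days} day(s) to the BOD 22-01 due date")
```

Run against the live feed, the only changes are loading the JSON from disk and feeding in the real admin inventory; the comparison deliberately keys off dateAdded rather than the vendor advisory date because KEV listing is the point at which exploitation is confirmed in the wild.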

The Norwegian Security and Service Organisation's compromise through an earlier Ivanti EPMM zero-day is publicly documented, so state actors have already demonstrated that the management plane gives access to high-value government device fleets.

What could happen next?
  • Risk

    Organisations running on-premises Ivanti EPMM without credential rotation after January 2026 are fully exposed to CVE-2026-6973 and should treat their device fleet as potentially under attacker policy control until the patch is applied and credentials rotated.

    Immediate · 0.9
  • Consequence

    Four Ivanti EPMM zero-days in three years will accelerate public-sector migration planning towards cloud-MDM alternatives, with NHS Digital and Nordic government bodies likely to produce business cases for migration in the next procurement cycle.

    Medium term · 0.7
  • Risk

    State-aligned actors have confirmed MDM servers as a primary target. Organisations that manage sensitive devices (law enforcement, intelligence, healthcare) and run on-premises MDM now face sustained threat-actor interest regardless of which vendor they use.

    Long term · 0.85
First Reported In

Update #3 · CISA's deadline outruns Palo Alto's patch

CISA · 8 May 2026
Different Perspectives
Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.
Google Threat Intelligence Group
GTIG's 11 May report establishes AI-assisted offence and AI-infrastructure targeting as concurrent named-incident categories, not theoretical ones: UNC6780 attacked LiteLLM and Cisco AI Defense in parallel; state actors used Gemini operationally; CANFAIL and LONGSTREAM used LLM-generated queries to evade static analysis.
Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.
NCSC
The ICO's South Staffs Water fine applies NCSC PAM and monitoring guidance as the GDPR Article 32 enforcement baseline against a water-sector CNI operator, extending the Capita precedent before the CS&R Bill has reached Royal Assent. NCSC guidance now carries enforceable weight inside the existing statutory framework for CNI sectors processing personal data.
Microsoft Security Response Center
The Exchange Emergency Mitigation Service URL rewrite is the sole available mitigation for CVE-2026-42897; MSRC has not signalled an out-of-band patch timeline. The workaround breaks OWA calendar print, inline images, and Light mode, forcing CISOs to choose between user-experience breakage and active-exploitation exposure.
CISA
CISA's Exchange CVE-2026-42897 deadline of 29 May, set before Microsoft published a patch, repeats the PAN-OS posture from 6 May: exploitation velocity now overrides vendor release timelines. BOD 22-01 compliance against an unpatched flaw leaves federal CISOs with only mitigation documentation and mailbox-rule monitoring.