Overview
- Ivanti, which makes the on‑prem Endpoint Manager Mobile server used to manage phones and tablets, disclosed Thursday a remote code execution bug (CVE-2026-6973) that attackers have used in limited cases.
- CISA added CVE-2026-6973 to its Known Exploited Vulnerabilities catalog and told federal civilian agencies to install the fixes by May 10.
- The flaw lets a remote user with admin rights run code, so Ivanti urged customers to review admin accounts and rotate credentials, noting that those who rotated credentials after January’s EPMM hacks face lower risk.
- Patches are available in EPMM versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. Ivanti also fixed four other high‑severity bugs that could grant admin access, forge client certificates, invoke methods, or leak device details; there are no signs that those four have been exploited.
- Researchers still see about 850 EPMM systems reachable on the internet, and the product remains a frequent target with 34 Ivanti flaws on CISA’s KEV list and no confirmed attribution for the latest activity.