Ivanti EPMM Has a Third Zero-Day This Year — and CISA Just Gave Federal Agencies Three Days to Patch


Ivanti disclosed CVE-2026-6973 on May 7 — a CVSS 7.2 EPMM flaw under active exploitation. CISA gave federal agencies just three days to patch (May 10 deadline). It's the third EPMM zero-day of 2026, and Ivanti hints attackers are using credentials stolen during January's campaign.

On May 7, 2026, Ivanti published a security advisory disclosing CVE-2026-6973, a high-severity improper input validation vulnerability in Endpoint Manager Mobile (EPMM) that allows a remotely authenticated user with administrative access to achieve remote code execution. The CVSS 3.1 score is 7.2. The flaw affects all on-premises EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1, and Ivanti confirmed it is being exploited in the wild against "a very limited number of customers." Ivanti Neurons for MDM (the cloud version), Ivanti EPM (a separately named product), and Ivanti Sentry are not affected. CISA added the CVE to its Known Exploited Vulnerabilities catalog on the same day, requiring federal civilian executive branch agencies to apply patches by May 10, 2026 — a three-day window.

The single most consequential element is buried in Ivanti's own advisory: customers who followed the company's January 2026 recommendation to rotate credentials after the CVE-2026-1281 and CVE-2026-1340 exploitation campaign have "significantly reduced" risk of CVE-2026-6973 exploitation. The plain-language reading is that this new flaw is being exploited with credentials harvested during the January campaign. Organizations that patched January's bugs but skipped the credential rotation are therefore in an elevated-risk posture now. CVE-2026-6973 is also the third EPMM zero-day exploited in 2026, after CVE-2026-1281 and CVE-2026-1340 in January; before those came the May 2025 chain (CVE-2025-4427/4428), which EclecticIQ attributed with high confidence to a China-nexus espionage group. A recurring cadence of EPMM zero-days against an enterprise mobile-fleet management product is now the load-bearing fact for defenders.

CVE-2026-6973 Vulnerability Profile
  • CVE: CVE-2026-6973
  • CVSS 3.1 score: 7.2 (High); vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Vulnerability class: Improper input validation (CWE-20)
  • Impact: Remotely authenticated user with administrative access can achieve remote code execution on the EPMM appliance
  • Affected versions: EPMM 12.8.0.0 and earlier; patched in 12.6.1.1, 12.7.0.1, and 12.8.0.1
  • NOT affected: Ivanti Neurons for MDM (cloud UEM), Ivanti EPM (separately named product), Ivanti Sentry, or any other Ivanti products
  • Exploitation status: Active exploitation confirmed by Ivanti; "very limited number of customers" exploited; threat actor not publicly attributed
  • Disclosure: May 7, 2026 (Ivanti advisory); CISA KEV added same day
  • FCEB deadline: May 10, 2026 (three-day window)
  • Bundled CVEs (same advisory): CVE-2026-5786 (CVSS 8.8, improper access control); CVE-2026-5787 (CVSS 8.9, certificate validation, Sentry impersonation); CVE-2026-5788 (CVSS 7.0, access control, arbitrary method invocation); CVE-2026-7821 (CVSS 7.4, certificate validation, rogue device enrollment)
  • Internet exposure: Approximately 850 EPMM IP addresses online per Shadowserver; 508 in Europe, 182 in North America
  • Critical risk-reduction note: Customers who rotated credentials per Ivanti's January 2026 advisory have "significantly reduced" risk of CVE-2026-6973 exploitation, suggesting the new flaw is exploited via credentials harvested during the January CVE-2026-1281/1340 campaign

Why the Three-Day Federal Deadline Matters

CISA's standard remediation timeline under Binding Operational Directive 22-01 is two weeks for KEV-listed vulnerabilities with a 2021-or-later CVE ID (six months for older ones). Three days is the agency's tightest typical window and signals that CISA has independently assessed CVE-2026-6973 as both actively exploited and high-impact enough to require an emergency-pace response. The same three-day window was applied in January 2026 to CVE-2026-1281 (added to KEV January 29, deadline February 1), the prior EPMM campaign. The pattern is now: when an EPMM zero-day appears, CISA treats it as emergency-tier from the moment it lists it.

The defender implication is operational. Federal civilian agencies must remediate by Sunday, May 10. Private organizations that follow KEV as a de facto industry standard should treat the same deadline as binding. By May 11, expect public proof-of-concept code (the January EPMM bugs had PoCs on GitHub within 24 hours of disclosure). By May 13, expect mass scanning. By May 15, expect opportunistic exploitation against any unpatched internet-exposed EPMM instances. The window to apply patches calmly closes inside 72 hours; after that, it becomes a race against scanners. CyberSignal's vulnerability coverage tracks the full PoC-and-cascade pattern across recent edge-device zero-days.

The January-to-May Credential Bridge

Ivanti's advisory contains a sentence that defenders should read twice: "If customers followed Ivanti's recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced." The plain-language implication is that CVE-2026-6973 — which requires admin authentication — is being exploited using admin credentials harvested during the January campaign. The January CVEs (both CVSS 9.8) allowed unauthenticated remote code execution; once attackers had root on an EPMM appliance, they had access to the mifs MySQL database, which holds IMEI numbers, phone numbers, location data, SIM details, LDAP user records, and Office 365 refresh and access tokens for managed devices. They also had access to local admin password hashes.

What is happening in May, then, looks like a second stage. Attackers exploited January's bugs to harvest credentials. Organizations patched the January bugs but, in many cases, did not rotate the harvested admin credentials. Now those same credentials are being used against CVE-2026-6973, which needs admin authentication but otherwise yields the same code execution on the appliance. The lesson is that patching alone is not sufficient remediation for a vulnerability capable of credential theft. If your organization patched January's EPMM CVEs but did not rotate every admin credential that touched the appliance, and ideally every credential whose hash was readable from it, you are in the population of customers Ivanti is implicitly warning about.

The Other Four CVEs in the Same Advisory

While CVE-2026-6973 is the one being exploited, Ivanti's May advisory also patches four other EPMM vulnerabilities that defenders should not ignore. CVE-2026-5786 (CVSS 8.8) is an improper access control flaw allowing a remotely authenticated attacker to gain administrative access — meaningful because it converts a non-admin authenticated foothold into admin. CVE-2026-5787 (CVSS 8.9) is the most severe of the bundle: an improper certificate validation flaw allowing an unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates. CVE-2026-5788 (CVSS 7.0) is an unauthenticated improper access control issue allowing arbitrary method invocation. CVE-2026-7821 (CVSS 7.4) is another certificate-validation flaw enabling rogue-device enrollment by an unauthenticated attacker — though Ivanti notes it only affects users who have configured Apple Device Enrollment.

None of these four is confirmed exploited as of disclosure, but the upgrade is a single unit: the fixed builds (12.6.1.1, 12.7.0.1, 12.8.0.1) address all five flaws in one update. Skipping it because "only 6973 is being exploited" leaves four other paths open, including the unauthenticated 8.9-rated Sentry-certificate impersonation. Treat the May advisory as a single transaction.

The 2026 EPMM Exploitation Pattern

CVE-2026-6973 is the third EPMM zero-day exploited in the wild in five months, and the second exploitation cluster of 2026. January's CVE-2026-1281/1340 campaign (both CVSS 9.8) was opportunistically exploited by multiple actors after PoC publication; per GreyNoise analysis, the dominant exploitation source was a single bulletproof-hosted IP on Russian autonomous system AS200593 (PROSPERO OOO), accounting for 83 percent of observed activity. Palo Alto Unit 42 documented post-exploitation tradecraft including web shells, reverse shells, cryptominers, and the Nezha monitoring agent (an open-source server monitoring utility) deployed for persistence. Confirmed January victims included the Dutch Data Protection Authority (AP) and the Council for the Judiciary (RVDR). The May 2025 chain, CVE-2025-4427/4428, was attributed by EclecticIQ with high confidence to a China-nexus espionage actor.

The cumulative tally is meaningful. CISA has flagged 33 Ivanti vulnerabilities as exploited in the wild across the company's products, 12 of which were also abused in ransomware operations. EPMM specifically has been hit by zero-days in 2023 (CVE-2023-35078, CVE-2023-35082), 2025 (CVE-2025-4427, CVE-2025-4428) and 2026 (CVE-2026-1281 and CVE-2026-1340 in January, CVE-2026-6973 in May). The strategic implication is that EPMM is a high-value, recurring target for state-sponsored and opportunistic actors alike: the product sits at the intersection of mobile-fleet identity, LDAP credentials and Office 365 token storage, which makes it a leverage point for lateral movement into enterprise environments. Organizations running on-premises EPMM should plan their 2026 patching cadence on the assumption that further zero-days will land before year-end.

Defender Actions for the Next 72 Hours

  • Today, in priority order: (1) upgrade EPMM to 12.6.1.1, 12.7.0.1, or 12.8.0.1 matching your release branch; (2) verify the upgrade by checking the version reported in the EPMM admin console; (3) confirm all four bundled CVEs (5786, 5787, 5788, 7821) are also covered by the same update. FCEB agencies must complete this by May 10. Private organizations should treat the deadline as binding.
  • Rotate every EPMM admin credential and every credential that touched the appliance. Ivanti's advisory implies CVE-2026-6973 is being exploited via credentials harvested during January's campaign. If you patched January's CVEs but did not rotate credentials, do that now — including local admin accounts, LDAP-bound service accounts, and any account that has been used to administer EPMM in 2026.
  • Hunt for prior compromise going back to January 29, 2026. Specific signals: the Apache access log pattern Ivanti published for the January CVEs; presence of the Nezha monitoring agent on the appliance; reverse shells over port 443; web shells in the EPMM web application server's writable directories; unexpected admin account activity; configuration changes outside change windows; mysqldump executions against the mifs database. A file at /mifs/403.jsp is a high-fidelity indicator from Defused Cyber's January reporting. In-memory Java class loaders may not survive a process restart, so restarting the EPMM application servers is a reasonable remediation step, but capture logs, the web directories and, where you can, a memory image first: the restart destroys the evidence you would otherwise want.
  • Audit the mifs MySQL database for signs of credential-and-token exfiltration. The database holds IMEI numbers, phone numbers, location data, SIM details, LDAP users, and Office 365 refresh and access tokens for managed devices. If signs of compromise are found, all EPMM-managed device tokens and LDAP-bound credentials should be rotated. Compromise of EPMM is compromise of mobile-fleet identity; treat it accordingly.
  • Restrict EPMM management interface access to trusted internal networks. EPMM is a high-value, repeatedly-targeted product with documented exploitation patterns spanning 2023, 2025, and 2026. It should not be reachable from the public internet under any circumstances. Per Shadowserver, approximately 850 EPMM IP addresses are currently online — most in Europe (508) and North America (182). If your appliance is in that count, the configuration is the immediate problem.
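The first and third items above, the version check and the compromise hunt, can be mechanised. The following is an added example, not Ivanti tooling or code from this article. It decides whether the build reported by the admin console carries the fix for its release branch, and runs the January-campaign indicators the checklist names (the /mifs/403.jsp file, a Nezha agent, mysqldump runs against mifs, JSP files absent from a known-good listing) over constructed sample data. The directory layout, process names and command patterns beyond what the checklist states are assumptions, and the Apache access-log pattern Ivanti published for the January CVEs is not reproduced because this page does not quote it.

```python
"""EPMM 72-hour triage helpers (added example; not Ivanti tooling).

Two checks from the checklist above:
  1. is_patched(): is the build reported by the admin console at or above the
     fixed build for its release branch;
  2. hunt(): do collected appliance artefacts show the January-campaign
     indicators the checklist lists.
Sample inputs are constructed; on a real appliance you would feed in the
output of find, ps and shell history collected from the box.
"""
from __future__ import annotations

import re

# Fixed builds from Ivanti's May 2026 advisory, keyed by release branch.
FIXED_BUILDS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}


def parse_version(version: str) -> tuple[int, ...]:
    """'12.8.0.0' -> (12, 8, 0, 0); shorter strings are zero-padded to four."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected EPMM version string: {version!r}")
    return parts + (0,) * (4 - len(parts))


def is_patched(version: str) -> bool:
    """True if the build carries the CVE-2026-6973 fix for its branch.

    Branches older than 12.6 have no fixed build in the advisory, so they are
    unpatched by definition: the remediation is an upgrade, not a point
    release. A branch newer than 12.8 is treated as fixed (assumption: the
    advisory lists 12.8.0.0 as the newest affected build).
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BUILDS:
        return v >= FIXED_BUILDS[branch]
    return branch > (12, 8)


# Indicators named in the checklist. The file name comes from Defused Cyber's
# January reporting; the process and command patterns are assumptions about
# how those artefacts appear on the box, not Ivanti-published signatures.
JANUARY_IOC_SUFFIX = "/mifs/403.jsp"
NEZHA_PROCESS = re.compile(r"nezha", re.IGNORECASE)
MYSQLDUMP_MIFS = re.compile(r"\bmysqldump\b.*\bmifs\b")


def hunt(file_listing, baseline_jsp, processes, shell_history):
    """Return (indicator, evidence) pairs from four plain-string lists.

    baseline_jsp is the set of JSP files from a known-good install; any JSP
    outside it is flagged, so a web shell dropped into a writable directory
    surfaces without needing a signature for its contents.
    """
    findings = []
    for path in file_listing:
        if path.endswith(JANUARY_IOC_SUFFIX):
            findings.append(("january_ioc_403jsp", path))
        elif path.endswith(".jsp") and path not in baseline_jsp:
            findings.append(("unexpected_jsp", path))
    for proc in processes:
        if NEZHA_PROCESS.search(proc):
            findings.append(("nezha_agent", proc))
    for line in shell_history:
        if MYSQLDUMP_MIFS.search(line):
            findings.append(("mifs_dump", line))
    return findings


# Constructed sample data; the directory layout is illustrative, not EPMM's.
BASELINE_JSP = {"/opt/webapp/mifs/login.jsp", "/opt/webapp/mifs/index.jsp"}
SAMPLE_FILES = [
    "/opt/webapp/mifs/login.jsp",
    "/opt/webapp/mifs/index.jsp",
    "/opt/webapp/mifs/403.jsp",          # January-campaign indicator
    "/opt/webapp/mifs/upload/cmd.jsp",   # JSP that is not in the baseline
    "/var/log/httpd/access_log",
]
SAMPLE_PROCESSES = [
    "root      1421  java -jar /opt/webapp/app.jar",
    "root      2210  /tmp/nezha-agent -s 203.0.113.7:5555",
]
SAMPLE_HISTORY = [
    "ls -la /opt/webapp/mifs",
    "mysqldump -u root mifs > /tmp/.m.sql",
]


def triage_sample():
    """Run the hunt over the constructed sample data."""
    return hunt(SAMPLE_FILES, BASELINE_JSP, SAMPLE_PROCESSES, SAMPLE_HISTORY)


if __name__ == "__main__":
    for build in ("12.8.0.0", "12.8.0.1", "12.6.1.1", "12.5.2.1"):
        print(f"{build}: {'patched' if is_patched(build) else 'UNPATCHED'}")
    for kind, evidence in triage_sample():
        print(f"{kind}: {evidence}")
```

The version check is branch-aware on purpose: 12.6.1.0 is unpatched even though it is numerically above 12.6.0.x, and a 12.5 or 11.x build cannot be patched at all on its branch. The baseline-diff approach for JSP files is what you want when the page, as here, names the indicator class (web shells in writable directories) but not a signature for them.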

The CyberSignal Analysis

Signal 01 — January-to-May credential bridge is the operational story

The most actionable insight from Ivanti's advisory is the credential-bridge framing. Attackers exploited January's CVEs to harvest credentials; they are now using those credentials against May's CVE. Two implications follow. First, organizations that treated patching as the end of January's incident response — without rotating every credential that touched the appliance — are now in the elevated-risk population. Second, this is a generalizable pattern for any vulnerability class that allows root or admin code execution. Patching closes the entry door; it does not invalidate keys the attacker already copied. For CISOs, the operational rule is: any zero-day that enabled credential or token exfiltration requires both patching and credential rotation, with the rotation including LDAP service accounts, OAuth tokens, and any cached credentials on the affected system. The Ivanti pattern makes the case empirically; expect to see similar three-to-six-month "second stage" campaigns following other recent edge-device exploitation events.

Signal 02 — Three-day KEV deadlines are now the EPMM normal

CISA applied a three-day deadline to CVE-2026-1281 in January and a three-day deadline to CVE-2026-6973 in May. The agency has effectively communicated that EPMM exploitation events are emergency-tier by default. This compresses the operational tempo defenders need to maintain: change-control approval, patch validation, deployment, and post-deployment compromise hunting all need to fit into 72 hours. Organizations whose change-management processes cannot accommodate emergency Sunday-deadline patches on internet-exposed appliances have a process problem that needs to be addressed before the next zero-day, not during it. The question for CISOs to push to the board is whether the process can support the cadence the threat environment actually demands.

Signal 03 — On-premises EPMM is now a strategic risk decision, not just a technical one

Three EPMM zero-days exploited in five months, and seven exploited EPMM CVEs across 2023 to 2026, establish a pattern that organizations should factor into their roadmap planning. The recurring findings suggest the underlying codebase has systemic exploitation surface that researchers and adversaries keep finding and weaponizing. Ivanti Neurons for MDM, the cloud-based UEM, has not been affected by these zero-days. For organizations whose EPMM deployment is reaching end-of-life or coming up for renewal, the strategic question is whether continued on-premises operation is the right posture given the recurring zero-day cadence. Migration to cloud-managed UEM removes the on-premises appliance from your attack surface and shifts patching to the vendor's cloud-operations team; it does not remove the identity and token exposure, since a cloud tenant still holds the same LDAP bindings and managed-device tokens, so the credential-rotation discipline described above still applies. The migration cost is real, but so is the cost of the third zero-day in five months, measured in incident response, credential rotations, audit work, and the ongoing risk that the next zero-day arrives before the next patch window.


Sources

  • Primary: Ivanti, May 2026 Security Advisory: Endpoint Manager Mobile (EPMM) Multiple CVEs
  • Reporting: The Hacker News, Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation
  • Reporting: BleepingComputer, Ivanti Warns of New EPMM Flaw Exploited in Zero-Day Attacks
  • Primary: CISA, Known Exploited Vulnerabilities Catalog (CVE-2026-6973 entry)
  • Context: Palo Alto Unit 42, Critical Vulnerabilities in Ivanti EPMM Exploited (January 2026)
  • Analysis: GreyNoise, Active Ivanti Exploitation Traced to Single Bulletproof IP
