CISA has added CVE-2026-6973 to its Known Exploited Vulnerabilities catalog and set a May 10, 2026 compliance date for Federal Civilian Executive Branch agencies, elevating an Ivanti Endpoint Manager Mobile flaw into an immediate, federally mandated remediation task.
Ivanti's advisory on CVE-2026-6973
Ivanti warned that CVE-2026-6973 is a high-severity vulnerability (CVSS score: 7.2) in Endpoint Manager Mobile (EPMM) caused by "improper input validation" and affecting EPMM installations before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. The company said the bug "allows a remotely authenticated user with administrative access to achieve remote code execution." Ivanti added that successful exploitation requires Admin authentication.
Ivanti also said it is "aware of a very limited number of customers exploited with CVE-2026-6973." The company noted that it does not currently know who is behind those exploitation efforts, whether any attacks were successful, or what the end goals of the attacks were.
Ivanti advised that organizations that followed its January recommendation to rotate credentials after exposures tied to CVE-2026-1281 and CVE-2026-1340 face a materially lower risk from this new flaw: "If customers followed Ivanti's recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced."
The four additional EPMM fixes Ivanti released
- CVE-2026-5786 (CVSS score: 8.8) — An improper access control vulnerability that allows a remote authenticated attacker to gain administrative access.
- CVE-2026-5787 (CVSS score: 8.9) — An improper certificate validation vulnerability that allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.
- CVE-2026-5788 (CVSS score: 7.0) — An improper access control vulnerability that allows a remote unauthenticated attacker to invoke arbitrary methods.
- CVE-2026-7821 (CVSS score: 7.4) — An improper certificate validation vulnerability that allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about the EPMM appliance and impacting the integrity of the newly enrolled device identity.
CISA listing and the May 10, 2026 FCEB compliance deadline
The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) catalog, triggering an obligation for Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by May 10, 2026. The inclusion in KEV signals that CISA regards the vulnerability as sufficiently exploited in the wild to justify mandatory remediation for covered federal agencies.
What this means for administrators, FCEB agencies, and EPMM customers
- Administrators and security teams: Confirm whether your deployment is on-prem EPMM and, if so, determine whether it is running a version earlier than 12.6.1.1, 12.7.0.1, or 12.8.0.1; apply Ivanti's patches and validate account credentials because successful exploitation requires administrative authentication.
- Federal Civilian Executive Branch agencies: Meet the CISA KEV remediation requirement by May 10, 2026, and prioritize systems running on-prem EPMM since the CISA listing creates a binding timeline for these agencies.
- Affected enterprises and EPMM customers: Note Ivanti's clarification that "The issues only affect the on-prem EPMM product, and are not present in Ivanti Neurons for MDM, Ivanti's cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products." Customers should therefore confirm product variants before applying mitigations and, where applicable, follow Ivanti's prior credential-rotation guidance.
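A plain "is my version older than 12.8.0.1?" comparison misjudges multi-branch fixes: 12.7.0.0 sorts above 12.6.1.1 yet is still unpatched. The sketch below is an added example, not code from Ivanti or from this article. It assumes each of the three fixed versions patches its own major.minor branch, and the function names and inventory are constructed for illustration.

```python
import re

# Fixed builds named in the advisory, keyed by (major, minor) release branch.
# Assumption: each fixed version is the patch for its own branch.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}

def parse_version(text):
    """Parse 'a.b[.c[.d]]' into a 4-tuple; missing trailing parts count as 0."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){1,3})\s*", text)
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(version_text):
    """Return 'fixed', 'vulnerable' or 'unknown' for one on-prem EPMM version."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED:
        # Compare only against the fix for this version's own branch.
        return "fixed" if v >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        return "vulnerable"  # older than every fixed build listed
    return "unknown"  # branch not covered by the article; check Ivanti's advisory

def triage_inventory(inventory):
    """Map host -> status; unparseable versions are flagged, never assumed safe."""
    result = {}
    for host, version_text in inventory.items():
        try:
            result[host] = triage(version_text)
        except ValueError:
            result[host] = "unparseable"
    return result

# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "epmm-a": "12.7.0.0",   # newer than 12.6.1.1, but below its own branch fix
    "epmm-b": "12.6.1.1",
    "epmm-c": "12.5.0.3",
    "epmm-d": "12.8.0.1 beta",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" or "unparseable" need a manual check against Ivanti's advisory rather than being treated as patched.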
Ivanti's advisory stitches together three facts that matter now: a high-severity remote code execution vector tied to administrative credentials, evidence of a small set of in-the-wild exploitation attempts, and federal pressure to remediate quickly. Missing from the record are attribution and the success rate of observed attempts — open questions Ivanti itself highlighted. For organizations that run the on-prem EPMM product, the immediate steps Ivanti and CISA have defined are clear: identify affected installations, apply the supplied patches, and validate account credentials before adversaries can turn administrative access into persistent compromise.
Source: https://thehackernews.com/2026/05/ivanti-epmm-cve-2026-6973-rce-under.html




