CISA KEV Alert 5/7/2026, 10:12:16 PM

CISA flags Ivanti EPMM flaw CVE-2026-6973 as actively exploited

Source: original reporting (primary source cisa.gov)
CISA KEV: listed
Patch: available

CISA has added CVE‑2026‑6973 to its Known Exploited Vulnerabilities (KEV) catalogue. The entry, titled "Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability", covers a flaw in Ivanti's Endpoint Manager Mobile (EPMM) that allows a remote, authenticated attacker holding administrative privileges to achieve remote code execution.

The flaw stems from improper input validation in EPMM: an attacker who has obtained valid administrator credentials can inject and execute arbitrary code on the server. It is rated CVSS 7.2 (High), with full impact on the confidentiality, integrity and availability of the affected system; the score sits below the critical range because administrative privileges are a precondition. Ivanti has released a patch, and its advisory provides mitigation steps for environments where immediate patching is not feasible.

CISA added the entry on the basis of confirmed active exploitation. The catalogue does not currently link CVE‑2026‑6973 to any known ransomware campaign. Federal Civilian Executive Branch (FCEB) agencies must complete the required action by the KEV remediation due date of 10 May 2026.

The required action is to apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The directive binds only FCEB agencies, but any organisation running Ivanti EPMM should identify affected instances and patch or mitigate promptly. Because exploitation requires valid administrator credentials, it is also worth confirming that the EPMM administrative interface is not reachable from untrusted networks and reviewing administrator account activity around the time of disclosure (general practice, not a step from the advisory). For full details, refer to the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-6973 and the CISA KEV catalogue.
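A practical way to act on KEV additions like this one is to match the catalogue feed against your own asset inventory and track due dates. The script below is an added example written for this page, not code from CyberSIXT, CISA or Ivanti. The field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) follow the schema of CISA's public KEV JSON feed, whose URL is given as a constant but is not fetched here; the feed contents, the second filler entry and the INVENTORY list are constructed sample data, with the first entry modelled on the CVE‑2026‑6973 details above.

```python
"""Triage CISA KEV entries against a product inventory (added example)."""
import json
from datetime import date

# Real location of the public feed; this example does not fetch it.
KEV_FEED_URL = (
    "https://www.cisa.gov/sites/default/files/feeds/"
    "known_exploited_vulnerabilities.json"
)

# Constructed sample in the shape of the KEV feed. The first entry mirrors
# the page's CVE-2026-6973 details; the second is a made-up filler entry so
# the inventory filter has something to exclude.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-6973",
            "vendorProject": "Ivanti",
            "product": "Endpoint Manager Mobile (EPMM)",
            "vulnerabilityName": "Ivanti Endpoint Manager Mobile (EPMM) "
                                 "Improper Input Validation Vulnerability",
            "dateAdded": "2026-05-07",
            "dueDate": "2026-05-10",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-0000-0000",  # placeholder, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry (constructed)",
            "dateAdded": "2026-05-01",
            "dueDate": "2026-05-22",
            "knownRansomwareCampaignUse": "Known",
        },
    ],
})

# Hypothetical asset inventory: (vendorProject, product substring) pairs.
INVENTORY = [("Ivanti", "Endpoint Manager Mobile")]


def load_kev(feed_text):
    """Parse KEV JSON text and return its list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def in_inventory(entry, inventory):
    """Case-insensitive vendor match plus product substring match."""
    vendor = entry["vendorProject"].lower()
    product = entry["product"].lower()
    return any(v.lower() == vendor and p.lower() in product
               for v, p in inventory)


def triage(entries, inventory, today):
    """Return inventory-relevant entries with due-date status, soonest first.

    `today` is an ISO date string so callers need no datetime import.
    """
    ref = date.fromisoformat(today)
    rows = []
    for e in entries:
        if not in_inventory(e, inventory):
            continue
        due = date.fromisoformat(e["dueDate"])
        rows.append({
            "cveID": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "dueDate": due.isoformat(),
            "daysLeft": (due - ref).days,   # negative once overdue
            "overdue": ref > due,
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
        })
    rows.sort(key=lambda r: r["daysLeft"])
    return rows


if __name__ == "__main__":
    for row in triage(load_kev(SAMPLE_FEED), INVENTORY, "2026-05-07"):
        print(row)
```

Pointing `load_kev` at the live feed (fetched with any HTTP client) and replacing INVENTORY with your CMDB export turns this into a daily check; entries with a negative `daysLeft` are past the BOD 22‑01 deadline and the `ransomware` flag surfaces the entries CISA has tied to ransomware campaigns.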


Article by CyberSIXT
