CVE-2026-6973 is a high-severity remote code execution flaw in Ivanti Endpoint Manager Mobile (EPMM) on-prem deployments that is reachable only after remote authentication with administrative privileges. Ivanti has patched the vulnerability, and public reporting notes that exploitation has occurred in the wild, with government and prioritisation signals urging rapid remediation.
The advisory scope confirms that the vulnerability affects on-prem EPMM; other Ivanti products, such as Ivanti Neurons for MDM (cloud), are out of scope for this advisory set. The fixed releases are 12.6.1.1, 12.7.0.1, and 12.8.0.1, and users on 12.6.x, 12.7.x, or 12.8.0.0 should treat their deployments as vulnerable until updated.
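One way to triage an EPMM inventory against the fixed builds listed above, as an added example that is not Ivanti's own tooling. The hostnames and sample versions are constructed, and the code assumes that any later build in the same branch also carries the fix; branches the text does not name are reported as unknown rather than guessed.

```python
import re

# Fixed builds per release branch, taken from the advisory text above.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}

def parse_version(text):
    """Parse 'a.b.c.d' (also accepts defanged 'a.b.c[.]d') into a 4-tuple."""
    cleaned = text.strip().replace("[.]", ".")
    if not re.fullmatch(r"\d+(\.\d+){1,3}", cleaned):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in cleaned.split(".")]
    # Pad truncated versions with zeros so '12.8' is judged conservatively.
    return tuple(parts + [0] * (4 - len(parts)))

def triage(version_text):
    """Return 'vulnerable', 'fixed', or 'unknown' for one reported version."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch not named in the text: check the vendor advisory instead.
        return "unknown"
    # Assumption: builds at or above the fixed build in a branch are patched.
    return "fixed" if version >= fixed else "vulnerable"

def triage_inventory(inventory):
    """Map hostname -> status and list the hosts that need patching first."""
    status = {host: triage(ver) for host, ver in inventory.items()}
    to_patch = sorted(h for h, s in status.items() if s == "vulnerable")
    return status, to_patch

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "epmm-a.example.internal": "12.6.1.0",
    "epmm-b.example.internal": "12.7.0.1",
    "epmm-c.example.internal": "12.8.0.0",
    "epmm-d.example.internal": "12.5.0.2",
    "epmm-e.example.internal": "12.8",
    "epmm-f.example.internal": "not-reported",
}

if __name__ == "__main__":
    status, to_patch = triage_inventory(SAMPLE)
    for host, state in sorted(status.items()):
        print(f"{host:26} {SAMPLE[host]:13} {state}")
    print("patch first:", ", ".join(to_patch))
```

Hosts reported as unknown still need a manual check against the vendor advisory before they are treated as safe.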
According to CISA KEV, federal agencies have a patch deadline of 10 May 2026, and as of 7 May 2026 Shadowserver tracked over 800 internet-exposed Ivanti EPMM instances globally. Defenders are advised to prioritise patching, audit admin access, rotate credentials, and monitor for unusual admin activity.