Ivanti EPMM zero-day actively exploited - attackers are getting admin-level RCE on mobile device management servers (CVE-2026-6973)

Ivanti disclosed Wednesday that attackers are exploiting a zero-day in Endpoint Manager Mobile (EPMM) to gain admin-level remote code execution on enterprise MDM servers. CVE-2026-6973. Successful exploitation gives the attacker control over the MDM platform that pushes apps and configurations to managed mobile fleets - a foothold that can pivot into managed devices and the corporate identity layer. CISA added the flaw to its Known Exploited Vulnerabilities catalog the same day with a federal patch deadline next week. Ivanti products have a long history of zero-day exploitation.

Check

Inventory Ivanti EPMM (formerly MobileIron Core) instances and check whether any are internet-reachable. Hunt EPMM admin logs for unusual admin actions, new admin accounts, or unfamiliar OAuth tokens issued since April.

Affected

Ivanti Endpoint Manager Mobile (EPMM) installations on versions before the May 6 patch. Acute risk for internet-reachable EPMM instances. The MDM context means a successful exploit can push tampered apps or profiles to every managed mobile device. Federal agencies under BOD 22-01 must patch by mid-May.

Fix

Upgrade Ivanti EPMM to the patched release per Ivanti's advisory. Restrict EPMM admin access to internal networks or VPN-only paths until patched. Rotate EPMM admin credentials and any API tokens issued for downstream integrations (SCEP, certificate authorities, identity providers). Audit managed mobile devices for unfamiliar configuration profiles or VPN configurations pushed since April.