Ivanti said attackers are exploiting a high-severity vulnerability in its Endpoint Manager Mobile product to gain administrative access to servers [1].
This flaw is significant because it allows unauthorized actors to take control of mobile device management (MDM) servers, which oversee the security and configuration of an organization's entire mobile fleet. Compromised servers can serve as gateways for deeper network penetration or data theft.
The vulnerability, identified as CVE-2026-6973 [1], is a remote code execution flaw caused by improper input validation [2]. It carries a CVSS base score of 7.2 [1]. The flaw affects EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1 [1].
Reports indicate the vulnerability is being used in limited attacks globally [3]. A handful of European government agencies and various enterprise customers have already been compromised [4, 5].
Security reports disagree on the level of access the attack requires. Some reports say that a remotely authenticated user with administrative access is required to execute the code [1]. Other reports suggest that attackers are gaining unauthenticated access to seize control of the servers [3].
Ivanti has released patches to address the flaw. The Cybersecurity and Infrastructure Security Agency (CISA) has set a remediation deadline of May 10, 2026 [1]. Organizations using the affected software are urged to update their systems immediately to prevent further exploitation.
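For teams triaging an inventory against the version list above, the following added example (not code from Ivanti or from the cited reports) flags EPMM builds that predate the fixed versions. It assumes each listed version is the first fixed build of its own release branch, treats older branches as affected and newer branches as not affected, and uses constructed hostnames and build numbers.

```python
# Fixed builds named in the article, keyed by release branch (major, minor).
# Assumption: each listed version is the first fixed build of its own branch.
FIXED_BUILDS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}

def parse_version(text):
    """Turn '12.7.0.0' into (12, 7, 0, 0); pad short versions with zeros."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

def is_affected(version_text):
    """True if the build predates the fixed build that applies to it."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_BUILDS:
        return version < FIXED_BUILDS[branch]
    # Assumption: branches older than 12.6 have no fixed build listed, so they
    # count as affected; branches newer than 12.8 count as not affected.
    return branch < min(FIXED_BUILDS)

def triage(inventory):
    """Return {hostname: 'affected' | 'fixed' | 'unknown'} for an inventory."""
    result = {}
    for host, version_text in inventory.items():
        try:
            result[host] = "affected" if is_affected(version_text) else "fixed"
        except ValueError:
            result[host] = "unknown"  # needs manual review, never assume fixed
    return result

# Constructed sample inventory (hypothetical hostnames and builds).
SAMPLE_INVENTORY = {
    "mdm-eu-01": "12.6.1.0",
    "mdm-eu-02": "12.6.1.1",
    "mdm-us-01": "12.7.0.0",
    "mdm-lab-01": "12.5.0.2",
    "mdm-lab-02": "unknown-build",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` should be checked by hand rather than counted as patched.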
MDM servers are a high-value target for state-sponsored or advanced persistent threat actors. Because these servers hold privileged access to a wide array of corporate and government mobile devices, a single breach can compromise the integrity of an entire mobile ecosystem, bypassing traditional endpoint security.




