What Happened
Ivanti disclosed on May 7, 2026 that a high-severity vulnerability in its Endpoint Manager Mobile (EPMM) product is being actively exploited in the wild. The flaw, tracked as CVE-2026-6973 with a CVSS score of 7.2, stems from improper input validation in the on-premises EPMM server. A remotely authenticated attacker with administrative access can exploit the weakness to execute arbitrary code on the underlying system.
Ivanti confirmed a limited number of customer environments have been compromised. The company assessed with high confidence that attackers used administrative credentials stolen through earlier exploitation of CVE-2026-1340, a related EPMM flaw disclosed in January 2026 and also confirmed as exploited. The attack chain demonstrates how chained credential reuse amplifies the risk of unpatched vulnerabilities across the same platform.
All on-premises EPMM versions up to and including 12.8.0.0 are affected. Patches are available in versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. The vulnerability does not affect Ivanti Neurons for MDM, Ivanti’s cloud-hosted product. Internet security firm Shadowserver currently tracks over 850 internet-exposed EPMM instances globally, with 182 located in North America — a significant attack surface given active exploitation.
Why This Matters for Canadian Organizations
Ivanti EPMM is widely deployed across Canadian federal government departments, provincial agencies, financial institutions, healthcare networks, and large enterprises as a mobile device management platform. MDM servers hold elevated access to managed device fleets — including the ability to push configurations, enforce policies, and in many cases wipe or access device contents remotely. A compromised EPMM server hands an attacker exceptional reach across an organization’s entire managed device estate.
Government of Canada departments using on-premises EPMM installations face direct exposure. The Canadian Centre for Cyber Security (CCCS) has consistently flagged Ivanti products in previous advisories, and this latest exploitation continues a pattern of threat actors treating Ivanti EPMM as a high-value initial access target in campaigns against government and critical infrastructure sectors. Organizations subject to PIPEDA breach notification obligations must assess whether compromised EPMM instances represent a reportable breach of personal information held on managed devices.
Given that 182 North American EPMM instances are internet-exposed, and that exploitation is confirmed, the window for undetected compromise is actively open for any organization running an unpatched version.
What to Do
Upgrade every on-premises EPMM instance to the Ivanti-supplied fixed release for its branch (12.6.1.1, 12.7.0.1, or 12.8.0.1) immediately. Treat this as an emergency patching event, not a routine update cycle.
Conduct a full audit of all accounts with EPMM administrative privileges and rotate credentials for every admin account, regardless of whether exploitation is suspected.
Review EPMM access logs for unusual authentication events or API activity going back at least 90 days.
If your organization previously ran a version vulnerable to CVE-2026-1340, assume admin credentials may already be in attacker hands and prioritize rotation.
Restrict external access to EPMM administrative interfaces through network controls if internet exposure is not operationally required.
Check Shadowserver's exposure data to confirm whether your EPMM instance is visible from the internet.
For organizations in regulated sectors, initiate an internal breach assessment in line with PIPEDA obligations while patching proceeds.
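Two of the steps above, the version triage against the fixed releases and the 90-day review of admin authentication records, as an added Python example (not code from Ivanti or the source article). The CSV log layout and sample records are constructed, and the baseline rule used here, flagging a privileged account's first successful event from a source IP it had not used earlier in the window, is one assumed reading of "unusual authentication events".

```python
"""Triage helpers for the EPMM advisory: a version check against the
fixed releases it names, and a baseline review of admin authentication
records. The log format below is a constructed, simplified CSV and is
NOT Ivanti's real log format."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Fixed builds named in the advisory; every 12.x build below these, and
# every branch older than 12.6, stays affected (up to and including 12.8.0.0).
PATCHED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}

def parse_version(text):
    return tuple(int(part) for part in text.strip().split("."))

def is_patched(version_text):
    """True for a fixed build or later, False for an affected build,
    None for a branch the advisory does not cover (check the vendor)."""
    v = parse_version(version_text)
    if v < (12, 6):
        return False  # no fixed build in this branch: upgrade to 12.6.1.1+
    fixed = PATCHED.get(v[:2])
    return None if fixed is None else v >= fixed

# Constructed sample records: timestamp,user,role,source_ip,action,result
SAMPLE_LOG = """\
2026-02-10T08:15:00,mdm-admin,admin,10.0.5.20,login,success
2026-03-02T09:01:00,mdm-admin,admin,10.0.5.20,login,success
2026-04-20T13:40:00,mdm-admin,admin,10.0.5.20,api:list_devices,success
2026-05-06T02:11:00,mdm-admin,admin,198.51.100.77,login,success
2026-05-06T02:12:30,mdm-admin,admin,198.51.100.77,api:push_config,success
2026-05-06T03:00:00,helpdesk,user,10.0.5.31,login,success
"""

def review_admin_auth(log_text, now_iso, lookback_days=90):
    """Return admin events whose source IP had not been seen for that
    account earlier in the lookback window (assumed 'unusual' rule)."""
    since = datetime.fromisoformat(now_iso) - timedelta(days=lookback_days)
    seen = defaultdict(set)   # user -> source IPs already observed
    findings = []
    for ts, user, role, ip, action, result in csv.reader(io.StringIO(log_text)):
        if datetime.fromisoformat(ts) < since or role != "admin" or result != "success":
            continue
        if seen[user] and ip not in seen[user]:
            findings.append((ts, user, ip, action))
        seen[user].add(ip)
    return findings

if __name__ == "__main__":
    print("12.8.0.0 patched:", is_patched("12.8.0.0"), "| 12.8.0.1:", is_patched("12.8.0.1"))
    for finding in review_admin_auth(SAMPLE_LOG, "2026-05-07"):
        print("review:", finding)
```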
Source: BleepingComputer