ctipilot.ch · Switzerland · Europe · Public sector

Ivanti EPMM remote authenticated → administrative-access via improper access control (CVSS 8.8, May 2026 update)

cve · CVE-2026-5786

  • Coverage timeline: 1 (first 2026-05-10 → last 2026-05-10)
  • Briefs: 1 (1 distinct)
  • Sources cited: 6 (5 hosts)
  • Sections touched: 0
  • Co-occurring entities: 4 (see Related entities below)

Story timeline

  1. 2026-05-10 · CTI Daily Brief — 2026-05-10

Source distribution

  • nvd.nist.gov: 2 (33%)
  • bleepingcomputer.com: 1 (17%)
  • ivanti.com: 1 (17%)
  • securityweek.com: 1 (17%)
  • thehackernews.com: 1 (17%)

Related entities

Items in briefs about Ivanti EPMM remote authenticated → administrative-access via improper access control (CVSS 8.8, May 2026 update) (1)

UPDATE: Ivanti EPMM CVE-2026-6973 — KEV deadline expired today; ~850 internet-exposed instances globally with 508 in Europe; companion CVE-2026-5786/5788 ship in same patch

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

UPDATE (originally covered 2026-05-08; previous UPDATE 2026-05-09): The CISA KEV remediation deadline for CVE-2026-6973 (Ivanti EPMM admin API improper input validation → RCE, CVSS 7.2) expired today (2026-05-10) (Ivanti PSIRT, 2026-05-07 · BleepingComputer, 2026-05-07 · SecurityWeek, 2026-05-08).

Shadowserver telemetry cited by BleepingComputer counts ~850 internet-exposed EPMM instances globally with 508 in Europe and 182 in North America — i.e. European EPMM exposure is materially larger than the rest of the world combined. SecurityWeek's analysis notes a Chinese-actor assessment based on historical EPMM exploitation patterns; Ivanti has confirmed exploitation against "a very limited number of customers" without naming them.

The May 2026 EPMM update covers four additional CVEs alongside CVE-2026-6973: CVE-2026-5786 (CVSS 8.8, remote authenticated → administrative-access via improper access control), CVE-2026-5788 (CVSS 7.0, unauthenticated arbitrary method invocation), CVE-2026-5787 (improper certificate validation → pre-auth Sentry impersonation, originally covered in the 2026-05-08 brief deep dive) and CVE-2026-7821 (also high-severity per BleepingComputer / SecurityWeek). Critically, the same May patch supersedes the prior CVE-2026-1281 / CVE-2026-1340 RPM workaround issued for the January 2026 unauthenticated RCEs — meaning EPMM operators that are still on the January workaround need to apply the proper patch now. Fixed builds: 12.6.1.1, 12.7.0.1, 12.8.0.1.