ctipilot.ch

Home · Live brief · Daily brief 2026-05-08

CVE-2026-6973 — Ivanti EPMM admin API improper input validation → RCE (CVSS 7.2, CISA KEV deadline 2026-05-10)

notable vulnerability discovered 2026-05-08 05:00 UTC single-source

Part of run 2026-05-08-migrated (intel · unknown)

An authenticated administrative user can pass crafted input to an EPMM REST API endpoint, triggering OS-level code execution at the service account privilege level (CWE-20). Standalone, this requires admin credentials; chained after CVE-2026-5787 it is fully pre-auth. CISA KEV deadline: 2026-05-10. EU internet-exposed on-prem instances: approx. 508 (Censys/Shodan). Fixed in 12.6.1.1, 12.7.0.1, 12.8.0.1.

“An authenticated administrative user can pass crafted input to an EPMM REST API endpoint, triggering OS-level code execution at the service account privilege level (CWE-20).” — ctipilot v2 brief (migrated)

vulnerabilities actively-exploited rce cisa-kev patch-available global CVE-2026-6973