Background
Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, is a widely deployed enterprise mobile device management (MDM) platform. It manages the configuration, security policy, and application deployment for corporate iOS, Android, and Windows mobile devices. Organisations in healthcare, government, finance, and professional services rely on EPMM as the authoritative system for mobile fleet management.
Ivanti’s products have faced sustained security scrutiny — CVE-2026-6973 is the latest in a series of critical vulnerabilities affecting EPMM, following earlier exploitation of CVE-2023-35078 and CVE-2023-35082 which affected millions of devices globally. Threat actors are specifically targeting MDM platforms because a compromised MDM server can push malicious profiles to every managed device in an organisation.
The authentication requirement (CVSS vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) drops the score to 7.2, but in practice the authentication bar is lower than it appears — the vulnerability is exploitable with any valid admin-level account, and EPMM admin accounts are often shared across IT teams with weak password policies.
Technical Mechanism
The vulnerability exists in EPMM’s administrative web console, specifically within the MDM configuration import functionality. EPMM allows administrators to import device configuration profiles in XML format. The XML parser that processes these imports passes certain user-controlled string fields directly into a system command without adequate sanitisation.
The vulnerable code path handles the `displayName` field within MDM profile XML:

```xml
<MobileProfile>
  <displayName>Profile$(command injection here)</displayName>
  ...
</MobileProfile>
```
The displayName value is interpolated into a shell command used to log the import event. The logging subsystem uses Runtime.exec() with a shell invocation, and the input is not sanitised for shell metacharacters. An attacker supplying a displayName value containing backtick-wrapped commands or $(...) syntax achieves command injection that executes as the tomcat user running the EPMM application server.
The tomcat user on affected EPMM versions has sudo NOPASSWD entries for several administrative scripts, enabling trivial privilege escalation from tomcat to root in a secondary step. The full chain — authenticated RCE as tomcat, then sudo privesc to root — constitutes complete server compromise.
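The pattern described above, reduced to the two forms that matter, as an added example that is not EPMM code. The real code path is Java (Runtime.exec() through a shell); Python's subprocess reproduces the same two call shapes so the difference can be run. `echo` stands in for the logging command the advisory does not name, and both display names are constructed.

```python
"""Shell interpolation of an imported profile name: vulnerable and hardened forms.

Added example, not EPMM code. The real code path is Java (Runtime.exec() via a
shell); subprocess reproduces the same two patterns so the difference can be run.
`echo` stands in for the unnamed logging command; both names are constructed.
"""
import re
import subprocess

BENIGN_NAME = "Corporate Wi-Fi"
HOSTILE_NAME = "Profile$(echo INJECTED)"  # the $(...) form the advisory describes

# Characters /bin/sh treats specially; none belongs in a human-readable profile name.
SHELL_META = re.compile(r"[`$|&;<>(){}\\\"'\n]")


def log_import_vulnerable(display_name: str) -> str:
    """Interpolate the field into a command line and hand it to /bin/sh.

    shell=True is the Python equivalent of Runtime.exec(new String[]{"sh", "-c", cmd}):
    the shell expands $(...) and backticks before the logger ever sees the text.
    Returns what was actually recorded.
    """
    command_line = f'echo "Imported profile: {display_name}"'
    result = subprocess.run(command_line, shell=True, capture_output=True,
                            text=True, check=True)
    return result.stdout.rstrip("\n")


def log_import_hardened(display_name: str) -> str:
    """Pass the field as one argv element, so no shell ever parses it."""
    result = subprocess.run(["echo", f"Imported profile: {display_name}"],
                            capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


def validate_display_name(display_name: str) -> bool:
    """Defence in depth at the import boundary: reject names a shell could act on."""
    return 0 < len(display_name) <= 128 and SHELL_META.search(display_name) is None


if __name__ == "__main__":
    for name in (BENIGN_NAME, HOSTILE_NAME):
        print(f"input={name!r} valid={validate_display_name(name)}")
        print("  vulnerable ->", log_import_vulnerable(name))
        print("  hardened   ->", log_import_hardened(name))
```

The hardened form is the actual fix: the field is never parsed by a shell, so quoting or escaping it is unnecessary. The validator is a second layer that also keeps the value out of log lines that other tooling might later pass to a shell.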
Real-World Exploitation Evidence
CISA’s addition of CVE-2026-6973 to the KEV catalogue followed notifications from government agencies observing their EPMM instances being queried by threat actors probing for vulnerability indicators. Unlike unauthenticated vulnerabilities that attract opportunistic mass exploitation, this vulnerability is being exploited in targeted campaigns where adversaries have already obtained valid admin credentials via phishing or credential stuffing against the EPMM login portal.
Confirmed post-exploitation activity includes:
- MDM profile distribution pushing malicious configuration profiles to all managed iOS and Android devices
- Certificate authority key extraction from EPMM’s keystore, enabling certificate spoofing for corporate mobile apps
- Exfiltration of the device inventory database (all enrolled device identifiers, user assignments, and compliance states)
- Persistence via scheduled jobs added to the EPMM Linux host
In two documented incidents, attackers pivoted from the compromised EPMM server to internal network segments reachable from the EPMM VLAN.
Impact Assessment
The impact is asymmetric because of what EPMM controls:
- Fleet-wide device compromise: A malicious MDM profile pushed from a trusted server will be accepted and installed by all enrolled devices. Profiles can install untrusted certificate authorities, VPN configurations redirecting traffic, or restrictions/modifications to device security settings.
- Certificate trust abuse: EPMM stores signing certificates for app management. Their compromise enables app impersonation.
- Identity data: EPMM integrations with Active Directory and SCIM sources mean the compromised server may have read access to user identity stores.
The authentication requirement provides some protection in well-governed environments with MFA on admin accounts, but represents a lower bar in organisations with shared admin credentials or no MFA enforced.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Ivanti EPMM | 11.10.x < 11.10.0.4 | 11.10.0.4 |
| Ivanti EPMM | 11.9.x (all) | Upgrade to 11.10.0.4 |
| Ivanti EPMM | 11.8.x (all) | Upgrade to 11.10.0.4 |
| Ivanti EPMM | < 11.8 | Unsupported, upgrade required |
Remediation Steps
- Upgrade EPMM: Apply the 11.10.0.4 patch via the EPMM Admin Portal under `Admin > EPMM Updates`. Ivanti provides upgrade guides for each version track.
- Enable MFA on admin accounts: Enforce multi-factor authentication for all EPMM administrator accounts. This significantly raises the bar for exploiting this vulnerability.
- Restrict admin console access: Limit EPMM admin portal access (default TCP/443) to corporate VPN or management network IP ranges using firewall rules or EPMM’s built-in access control features.
- Audit recent profile distributions: Review the EPMM audit log (`Logs > Event Logs`) for unexpected profile push events to large device groups or at unusual hours.
- Rotate certificates: If compromise is suspected, rotate all certificates stored in EPMM’s keystore, including the MDM push certificate, APNS certificates, and any code-signing certificates.
- Review sudo configurations: After patching, audit `/etc/sudoers` and `/etc/sudoers.d/` on the EPMM host for excessive NOPASSWD entries.
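For the sudo review step, an added example (not Ivanti tooling) that parses sudoers content and lists what a service account may run as root without a password. The sample rules are constructed: the advisory says `tomcat` has NOPASSWD entries for administrative scripts but does not name them, so the paths below are placeholders.

```python
"""Audit sudoers content for passwordless rules granted to a service account.

Added example, not Ivanti tooling. SAMPLE_SUDOERS is constructed: the advisory says
tomcat has NOPASSWD entries for administrative scripts but does not name them, so
the paths below are placeholders.
"""
import re
from dataclasses import dataclass

SAMPLE_SUDOERS = """\
# constructed stand-in for /etc/sudoers plus /etc/sudoers.d/*
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
tomcat  ALL=(root) NOPASSWD: /opt/example/bin/restart-app.sh
tomcat  ALL=(root) NOPASSWD: /opt/example/bin/rotate-logs.sh, \\
                             /usr/bin/systemctl restart example-app
tomcat  ALL=(root) PASSWD: /usr/bin/systemctl status example-app
backup  ALL=(root) NOPASSWD: ALL
"""

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")


@dataclass(frozen=True)
class SudoGrant:
    user: str
    runas: str
    command: str
    nopasswd: bool


def _join_continuations(text: str) -> list:
    """Merge backslash-continued lines the way sudo's parser does."""
    lines, pending = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            pending += raw.rstrip()[:-1]
            continue
        lines.append(pending + raw)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def parse_sudoers(text: str) -> list:
    """Return one SudoGrant per (user, command) pair in the user-specification lines."""
    grants = []
    for line in _join_continuations(text):
        line = line.strip()
        if not line or line[0] == "#" or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False  # a tag applies to every command that follows it on the line
        for part in m.group("spec").split(","):
            part = part.strip()
            tag = TAG_RE.match(part)
            while tag:  # tags may stack, e.g. "NOPASSWD: NOEXEC: /bin/cmd"
                if tag.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tag.group(1) == "PASSWD":
                    nopasswd = False
                part = part[tag.end():]
                tag = TAG_RE.match(part)
            if part:
                grants.append(SudoGrant(m.group("user"), m.group("runas") or "root",
                                        part, nopasswd))
    return grants


def passwordless_commands(text: str, user: str) -> list:
    """Commands `user` may run via sudo with no password prompt."""
    return [g.command for g in parse_sudoers(text) if g.user == user and g.nopasswd]


def grants_unrestricted_root(text: str, user: str) -> bool:
    """True if any passwordless grant for `user` is the wildcard ALL."""
    return "ALL" in passwordless_commands(text, user)


if __name__ == "__main__":
    for account in ("tomcat", "backup"):
        print(account, "->", passwordless_commands(SAMPLE_SUDOERS, account),
              "unrestricted root:", grants_unrestricted_root(SAMPLE_SUDOERS, account))
```

On the host itself, `sudo -l -U tomcat` (run as root) gives the authoritative view after aliases and includes are resolved; this parser is for reviewing collected copies of the files offline, and it does not expand `Cmnd_Alias` definitions.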
Detection Guidance
EPMM logs suspicious activity in `/var/log/tomcat/catalina.out`. Look for:
- Profile import events containing shell metacharacters (`$`, backticks, `|`, `&&`) in field values
- Unexpected process spawning from the `tomcat` user (visible via `ps aux`, or via process accounting if enabled)
- New files in `/var/lib/tomcat/` or unexpected cron entries for the `tomcat` user
- Outbound connections from the EPMM server to non-Ivanti IP ranges
YARA-style indicator: flag XML profile imports where the `displayName` field contains `$(`, `` ` ``, or `%60` (URL-encoded backtick).
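The indicator above, implemented over both the profile XML and import log lines, as an added example that is not part of the advisory. The profile document and the log lines are constructed; they follow the field names used in this write-up, not Ivanti's actual catalina.out format, so the log regex is an assumption to adjust to real lines.

```python
"""Flag MDM profile imports whose displayName carries shell metacharacters.

Added example implementing the indicator above (displayName containing $(, a
backtick, or their URL-encoded forms). The profile XML and the log lines are
constructed; they imitate the field names in the advisory, not Ivanti's real
catalina.out format.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Forms from the detection list. A bare $ or | is too noisy on real profile
# names, so the command-substitution and chaining forms are matched instead.
INDICATOR = re.compile(r"\$\(|\$\{|`|\|\||&&|;")

SAMPLE_PROFILE = """<MobileProfile>
  <displayName>Profile$(echo INJECTED)</displayName>
  <identifier>com.example.constructed.profile</identifier>
</MobileProfile>"""

# Constructed lines in the shape of an application log; the real format may differ.
SAMPLE_LOG = """\
2026-05-10 09:12:01 INFO  ProfileImport - imported displayName="Corporate Wi-Fi" admin=jdoe
2026-05-10 02:41:17 INFO  ProfileImport - imported displayName="Profile%60echo%20x%60" admin=svc-mdm
2026-05-10 02:41:52 INFO  ProfileImport - imported displayName="Profile%24%28echo x%29" admin=svc-mdm
2026-05-10 09:30:44 INFO  ProfileImport - imported displayName="Finance Q2 Budget$" admin=jdoe
""".splitlines()

LOG_RE = re.compile(r'displayName="(?P<name>[^"]*)".*?\badmin=(?P<admin>\S+)')


def display_name_suspicious(name: str) -> bool:
    """Decode URL-encoding first so %60 and %24%28 are caught, then match."""
    return INDICATOR.search(unquote(name)) is not None


def check_profile_xml(xml_text: str) -> list:
    """Return every suspicious displayName value in an MDM profile document."""
    root = ET.fromstring(xml_text)
    return [el.text for el in root.iter("displayName")
            if el.text and display_name_suspicious(el.text)]


def scan_log_lines(lines) -> list:
    """Return (line_no, admin, decoded displayName) for each suspicious import event."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = LOG_RE.search(line)
        if m and display_name_suspicious(m.group("name")):
            hits.append((number, m.group("admin"), unquote(m.group("name"))))
    return hits


if __name__ == "__main__":
    print("profile hits:", check_profile_xml(SAMPLE_PROFILE))
    for hit in scan_log_lines(SAMPLE_LOG):
        print("log hit: line %d admin=%s displayName=%r" % hit)
```

Decoding before matching matters: an import submitted through the web console may reach the log URL-encoded, and a rule that only looks for a literal backtick misses `%60`. The `admin` field in each hit is what ties a flagged import back to the credential that should then be reset.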
Timeline
| Date | Event |
|---|---|
| 2026-04-11 | Vulnerability discovered by Ivanti security team |
| 2026-05-06 | Patched release 11.10.0.4 published |
| 2026-05-08 | Ivanti publishes security advisory |
| 2026-05-13 | CISA adds to KEV catalogue |
| 2026-05-21 | This analysis published |