top of page

Ivanti EPMM CVE-2026-6973 RCE Actively Exploited to Grant Admin-Level Access

  • May 7
  • 3 min read

Key Findings


  • Ivanti Endpoint Manager Mobile (EPMM) vulnerability CVE-2026-6973 is under active exploitation in limited attacks, requiring administrative authentication for RCE

  • Five additional vulnerabilities patched in EPMM range from CVSS 7.0 to 8.9, with multiple allowing unauthenticated access and privilege escalation

  • CISA added CVE-2026-6973 to Known Exploited Vulnerabilities catalog, mandating Federal agencies patch by May 10, 2026

  • Palo Alto Networks PAN-OS critical buffer overflow CVE-2026-0300 exploited by suspected state-sponsored group CL-STA-1132 for espionage operations

  • PAN-OS attacker achieved successful RCE after initial unsuccessful attempts and deployed post-exploitation tools consistent with China-nexus threat actors


Background


Ivanti and Palo Alto Networks have disclosed coordinated vulnerability disclosures affecting enterprise infrastructure management and network security products. Both vulnerabilities represent significant risks to organizations, particularly those managing mobile endpoints or edge network infrastructure. The active exploitation of these flaws underscores the continued focus of threat actors on critical infrastructure and administrative systems.


Ivanti EPMM Vulnerability Details


CVE-2026-6973 is an improper input validation flaw affecting EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. The vulnerability carries a CVSS score of 7.2 and requires administrative authentication to exploit. Ivanti confirmed a very limited number of customers have been exploited, though the attribution and success rate of attacks remain unclear.


Customers who rotated credentials following previous Ivanti vulnerabilities CVE-2026-1281 and CVE-2026-1340 have significantly reduced risk from this flaw. The vulnerability only affects on-premises EPMM deployments and does not impact cloud-based Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, or other Ivanti products.


Additional Ivanti Vulnerabilities


Ivanti patched four additional flaws alongside CVE-2026-6973. CVE-2026-5786 (CVSS 8.8) and CVE-2026-5787 (CVSS 8.9) represent particularly high-risk issues. CVE-2026-5786 allows remote authenticated attackers to gain administrative access through improper access control, while CVE-2026-5787 enables unauthenticated attackers to impersonate Sentry hosts and obtain CA-signed client certificates through improper certificate validation.


CVE-2026-5788 (CVSS 7.0) and CVE-2026-7821 (CVSS 7.4) both allow unauthenticated attackers to either invoke arbitrary methods or enroll devices in restricted sets, potentially disclosing EPMM appliance information and compromising device identity integrity.


PAN-OS Critical Vulnerability and Exploitation


CVE-2026-0300 is a buffer overflow in the User-ID Authentication Portal service of PAN-OS with a CVSS score of 9.3 or 8.7. The flaw allows unauthenticated attackers to execute code with root privileges by sending specially crafted packets. Palo Alto Networks attributed exploitation attempts to CL-STA-1132, a suspected state-sponsored threat cluster, with initial unsuccessful attempts occurring April 9, 2026.


The attacker successfully achieved RCE approximately one week later by injecting shellcode into an nginx worker process. Following successful exploitation, the threat actor cleared crash kernel messages, deleted nginx crash entries, and removed core dump files to cover their tracks. Patches are expected to roll out starting May 13, 2026.


Post-Exploitation Activities and Attribution


Post-compromise activity by CL-STA-1132 included Active Directory enumeration and deployment of EarthWorm and ReverseSocks5 tools on April 29, 2026 against a second networked device. Both tools have historical associations with China-nexus hacking groups engaged in cyber espionage. The attacker's reliance on open-source tooling rather than proprietary malware minimized signature-based detection while facilitating environment integration.


Unit 42 noted the threat actor employed a disciplined operational cadence with intermittent interactive sessions spanning multiple weeks, deliberately remaining below automated alerting thresholds. This approach reflects a broader trend of nation-state actors targeting edge-network infrastructure including firewalls, routers, and VPN solutions that provide high-privilege access while lacking robust logging and security tools.


Mitigation and Regulatory Response


Organizations should restrict access to the PAN-OS User-ID Authentication Portal to trusted zones or disable it entirely if unused. Disabling Response Pages in the Interface Management Profile for L3 interfaces exposed to untrusted traffic provides additional protection. Customers with Advanced Threat Prevention can enable Threat ID 510019 from Applications and Threats content version 9097-10022 to block exploitation attempts.


Federal Civilian Executive Branch agencies must apply Ivanti EPMM fixes by May 10, 2026 due to CISA's addition of CVE-2026-6973 to the Known Exploited Vulnerabilities catalog. All organizations using affected products should prioritize patching based on exposure and network connectivity.


Sources


  • https://thehackernews.com/2026/05/ivanti-epmm-cve-2026-6973-rce-under.html

  • https://thehackernews.com/2026/05/pan-os-rce-exploit-under-active-use.html

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page