PatchDay Alert

Editorial coverage · CVE-2026-6973

Ivanti calls it 'authenticated RCE.' The authentication was stolen in January.

An authenticated RCE in Ivanti EPMM where the auth requirement is a paper wall. The credentials being used belong to operators who patched CVE-2026-1340 in January and did not rotate. CISA gave three days.

Editorial CVE · 3 min read · By The Field Notes Desk · Field Notes

What we say

The “authenticated” in “authenticated RCE” only matters if the authentication costs the attacker something. For CVE-2026-6973, it does not. The credentials are already in the attacker’s hand. They have been since January.

CVE-2026-1340 was a pre-auth RCE in the same product, disclosed and patched on January 29 under a three-day CISA KEV deadline. GreyNoise counted 417 exploitation sessions in the nine days that followed, eighty-three percent of them from a single bulletproof-hosted IP. Pre-auth RCE on an MDM appliance does not just run code — it walks out with whatever the running process can read, and on EPMM the running process can read the credential store. Every admin password, every API key, every service account configured on the appliance was harvestable through any one of those 417 sessions.

The advisory for CVE-2026-1340 told operators to patch. It did not tell them to rotate. Many did not. A patched appliance with leaked credentials in circulation is not a closed door — it is a closed door with the key sitting under the mat. The window between January and May is exactly the kind of window an attacker who runs disciplined infrastructure plans for: harvest in one campaign, store, wait for the next bug in the same product to require the credential you already have, redeploy.

That is what CVE-2026-6973 is. Ivanti has said as much itself, in the advisory, in their own words: “high confidence” that the credentials being used belong to the January wave. The vendor knows. The advisory still treats this as a new disclosure on its own terms, with a CVSS vector that scores PR:H as a meaningful barrier. The barrier was demolished four months ago.

The operational story has two halves and they are running on different clocks. The May patch (12.6.1.1, 12.7.0.1, 12.8.0.1) installs in seconds and is the easy half — it closes the new bug. The credential rotation is the half that does the work, and it is the half that should have been done in January. If your team patched the January advisory and the rotation ticket either does not exist or sits in the backlog, you are running an appliance that is currently being attacked through a credential your own records still show as valid.

The CISA three-day deadline on the May advisory is the same three days they gave the January advisory. The compression is consistent with exploitation tempo that Ivanti’s “very limited” framing under-represents. A three-day KEV deadline applied to two consecutive advisories in the same product family inside four months is not language CISA uses to suggest the situation is stable.

What an honest read of the May advisory does to the January ticket: it re-opens it. The patch checkmark from January was correct at the time. The credential-rotation step that was implicit in “your appliance was exposed to pre-auth RCE for the disclosure window” is no longer implicit — Ivanti has now named the leak and identified the actor using it. Operators who deferred the rotation as overkill in January have new evidence that it was the load-bearing remediation step, not the optional one.

The narrower lesson is product-specific. The wider one is that “PR:H” on a CVSS vector means “high privileges required to exploit,” not “high privileges that any rational attacker still has to earn.” When a prior bug in the same appliance leaked the credentials, that distinction collapses. The vector field continues to read PR:H. The exploitation reads PR:N. Read the chain, not the vector.

What NVD says

CWE-78 — improper neutralization of special elements used in an OS command. CVSS 3.1 base 7.2, vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The 'PR:H' (privileges required: high) component is the load-bearing detail in the vector and the misleading one — it presumes the privileged credential is not already in an attacker's hand. NVD's record does not carry forward Ivanti's own 'high confidence' attribution of the in-the-wild exploitation to credentials harvested by CVE-2026-1340 four months earlier.


What the vendor says

Ivanti's May 7 advisory bundles five EPMM CVEs and names CVE-2026-6973 as the one confirmed exploited. The same advisory states with 'high confidence' that the attacker-controlled admin credentials enabling exploitation came from the January CVE-2026-1340 disclosure window. The advisory recommends upgrading to 12.6.1.1, 12.7.0.1, or 12.8.0.1. It does not direct operators back to the January advisory to add a credential-rotation step. There is no errata, no Message Center retroactive note, no separate communication to the customers who patched in January without rotating. The May advisory describes the new patch. The January advisory still describes a vulnerability that has been closed for four months in a state where the credentials it leaked are still being used.

Compliance impact

NIS 2

Operators of essential and important entities running EPMM are in scope for NIS2's significant-incident notification timelines (24-hour early warning, 72-hour notification). The credential chain from CVE-2026-1340 to CVE-2026-6973 means the in-scope determination is not 'did we patch in May' — it is 'did we rotate after January.' Entities that patched January without rotating may have an open notification obligation they have not surfaced internally.

HIPAA

Healthcare entities running EPMM as the MDM for clinical-device fleets face Breach Notification Rule exposure if credentials harvested during the January window were used to alter device configurations or push policy that exposed ePHI. The four-factor risk assessment cannot rely on the patch alone — it has to address what the credentials in the attacker's hand could have reached between January and May.
