Ivanti warns of new EPMM flaw exploited in zero-day attacks
Ivanti has issued a warning about a new high-severity remote code execution flaw in Endpoint Manager Mobile (EPMM), CVE-2026-6973, that is being exploited in zero-day attacks. The vulnerability affects EPMM versions up to 12.8.0.0 and requires admin authentication; users are urged to upgrade to 12.6.1.1, 12.7.0.1, or 12.8.0.1 and to rotate admin credentials. Ivanti says cloud products are unaffected and exploitation appears limited, though Shadowserver reports hundreds of EPMM IPs exposed online. The company also patched four additional high-severity EPMM flaws (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821) with no confirmed in-the-wild exploitation, while two earlier CVEs (CVE-2026-1281 and CVE-2026-1340) had been exploited in the wild.

Overview
Ivanti has alerted customers to a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM). The flaw, tracked as CVE-2026-6973, stems from an improper input validation weakness that allows remote attackers with administrative privileges to run arbitrary code on targeted systems. The vulnerability affects EPMM versions 12.8.0.0 and earlier and is currently being exploited in zero-day attacks against on-premises deployments. Ivanti has issued patches for affected versions and guidance to review and rotate privileged accounts.
Technical details and affected products
- Vulnerability: CVE-2026-6973
- Impact: Remote code execution (RCE) via improper input validation
- Affected product: Ivanti Endpoint Manager Mobile (EPMM) on-premises
- Affected versions: EPMM 12.8.0.0 and earlier
- Not affected: Ivanti Neurons for MDM, Ivanti EPM (distinct product), Ivanti Sentry, or other Ivanti products
Mitigation and patch information
- Ivanti-released patches for this and related issues: EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1
- Credential hygiene: Ivanti advises reviewing accounts with Admin rights and rotating those credentials where necessary
- Exploitation status: At disclosure time, Ivanti noted that exploitation of CVE-2026-6973 was very limited and required admin authentication for success
- Additional context: Ivanti stated the issues affect only the on-prem EPMM product and are not present in cloud-based solutions such as Ivanti Neurons for MDM, Ivanti EPM, or Ivanti Sentry
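The mitigation above reduces to two facts an administrator can check against an inventory: on-prem EPMM 12.8.0.0 and earlier is affected, and the fixed builds are 12.6.1.1, 12.7.0.1 and 12.8.0.1. The following triage helper is an added example, not Ivanti tooling; it encodes only those two facts, and the inventory it runs over is constructed sample data with placeholder host names. Versions on branches older than 12.6, for which the advisory lists no fixed build, are flagged as needing a move to one of the fixed builds; versions newer than the advisory's scope are reported as out of scope rather than assumed safe.

```python
"""Triage an EPMM version inventory against CVE-2026-6973.

Added example (not Ivanti's code). It encodes only what the advisory
states: on-prem EPMM 12.8.0.0 and earlier is affected; fixed builds are
12.6.1.1, 12.7.0.1 and 12.8.0.1. Host names below are placeholders.
"""
from typing import NamedTuple

# Fixed builds from the advisory, keyed by the (major, minor) branch they belong to.
FIXED_BUILDS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
# Highest build the advisory lists as affected.
LAST_AFFECTED = (12, 8, 0, 0)
FIXED_LIST = ", ".join(".".join(map(str, b)) for b in FIXED_BUILDS.values())


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.7.0.0' into (12, 7, 0, 0); pad short strings with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected EPMM version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


class Finding(NamedTuple):
    host: str
    version: str
    affected: bool
    action: str


def assess(host: str, version: str) -> Finding:
    """Classify one host's EPMM build and state the follow-up action."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is not None and v >= fixed:
        return Finding(host, version, False, "fixed build; no action for CVE-2026-6973")
    if v > LAST_AFFECTED:
        # Newer than anything the advisory covers (e.g. a hypothetical 12.9.x).
        return Finding(host, version, False, "newer than advisory scope; confirm with vendor")
    if fixed is not None:
        target = ".".join(map(str, fixed))
        return Finding(host, version, True,
                       f"upgrade to {target} and rotate admin credentials")
    # Branch older than 12.6: the advisory lists no fixed build for it.
    return Finding(host, version, True,
                   f"no fix on this branch; upgrade to one of {FIXED_LIST} and rotate admin credentials")


def triage(inventory: list[tuple[str, str]]) -> list[Finding]:
    """Assess every (host, version) pair and return the findings in order."""
    return [assess(host, ver) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hosts and versions are placeholders.
    sample = [
        ("epmm-placeholder-1", "12.7.0.0"),
        ("epmm-placeholder-2", "12.8.0.1"),
        ("epmm-placeholder-3", "12.5.2"),
    ]
    for f in triage(sample):
        print(f"{f.host:20} {f.version:10} affected={f.affected!s:5} {f.action}")
```

Run it as a script to see the per-host table, or import `triage` and feed it the output of whatever inventory source you already have. Because the decision is a tuple comparison against the branch's fixed build, a later build on a fixed branch (for example 12.8.1.0) is correctly treated as not affected, while 12.8.0.0 itself still trips the check.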
Exposure and global reach
- Shadowserver findings: More than 850 IP addresses with Ivanti EPMM fingerprints exposed online
- Geographic distribution: Europe accounts for 508 exposed IPs; North America accounts for 182
- Patch status: There is no information available on how many of these IPs have been patched against CVE-2026-6973
Other high-severity EPMM vulnerabilities and patches
Ivanti also released patches for four additional high-severity EPMM vulnerabilities (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821). These flaws could potentially allow attackers to:
- Gain administrative access
- Impersonate registered Sentry hosts to obtain valid CA-signed client certificates
- Invoke arbitrary methods
- Access restricted information
Key notes:
- Ivanti said there is no evidence these four flaws have been exploited in the wild
- CVE-2026-7821 can be exploited by attackers without privileges and affects only users who have configured Apple Device Enrollment
Earlier zero-days and credential rotation guidance
- January disclosures: CVE-2026-1281 and CVE-2026-1340 were code-injection vulnerabilities exploited in zero-day attacks affecting a very limited number of customers
- If customers followed Ivanti’s January guidance to rotate credentials after exploitation of CVE-2026-1281 and CVE-2026-1340, the risk of exploitation via CVE-2026-6973 was reduced
Regulatory and government responses
- In April, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. government agencies to secure their systems within four days to guard against CVE-2026-1340 attacks
- Ivanti has highlighted a broader history of EPMM-related vulnerabilities being exploited in the wild in recent years, including several that led to code execution attacks
Historical context and scope
- Ivanti EPMM has experienced multiple zero-day and code-injection vulnerabilities in the past
- Public security monitoring shows a pattern of Ivanti EPMM vulnerabilities being exploited across various sectors, including government entities
- In total, CISA has flagged 33 Ivanti vulnerabilities as exploited in the wild, with 12 of those also used by ransomware operators
Ivanti’s market presence and partner network
- Ivanti provides IT asset management products to more than 40,000 customers
- The company operates through a network of more than 7,000 partners worldwide
Closing context
The CVE-2026-6973 disclosure underscores the continuing risk around on-premises EPMM deployments and the relevance of credential hygiene for privileged accounts. While Ivanti notes limited exploitation to date for the newly disclosed CVE, the combination of on-prem exposure and the history of related Ivanti vulnerabilities emphasizes the importance of timely patching and monitoring for administrators managing EPMM environments. The broader set of patches for the additional CVEs (CVE-2026-5786 through CVE-2026-5788, and CVE-2026-7821) further illustrates the vendor’s ongoing response to multiple critical flaws, even as evidence of active in-the-wild exploitation remains uneven across different vulnerabilities and configurations.