Zero-day, May 7, 2026

Ivanti warns of new EPMM flaw exploited in zero-day attacks

Ivanti patches high-severity EPMM zero-day RCE flaw actively exploited in attacks.

Summary

Ivanti disclosed CVE-2026-6973, a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) that is being actively exploited in zero-day attacks. The flaw stems from improper input validation and affects EPMM 12.8.0.0 and earlier; attackers require administrative privileges to exploit it. Ivanti has released patched versions (12.6.1.1, 12.7.0.1, 12.8.0.1) and notes that over 850 EPMM instances are exposed online, with most located in Europe and North America.
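The following triage helper is an added example, not code from Ivanti or from the original article: it classifies EPMM version strings from an asset inventory against the fixed releases named above. The host names and inventory are constructed, and it assumes that a release at or above the fix on its 12.x branch, or any later release, contains the fix.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
NEWEST_FIXED = max(FIXED.values())

def parse_version(text):
    """Return a 4-tuple of ints for 'A.B[.C[.D]]' (missing parts = 0), or None."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text)
    if not m:
        return None
    return tuple(int(p or 0) for p in m.groups())

def triage(version_text):
    """Classify one EPMM version string against CVE-2026-6973."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # unparseable: check the appliance by hand
    if v >= NEWEST_FIXED:
        return "patched"  # assumption: later releases carry the fix
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # Branch older than 12.6: the article names no in-branch fix.
        return "vulnerable-upgrade-branch"
    return "patched" if v >= fixed else "vulnerable"

# Constructed inventory: host names and versions are sample data.
INVENTORY = [
    ("mdm-eu-01.example", "12.8.0.0"),
    ("mdm-eu-02.example", "12.7.0.1"),
    ("mdm-us-01.example", "12.5.1.0"),
    ("mdm-us-02.example", "12.6.1"),
    ("mdm-lab.example", "unknown-build"),
]

def needs_action(inventory):
    """Return hosts that are not confirmed patched, with their status."""
    results = ((host, triage(ver)) for host, ver in inventory)
    return {host: status for host, status in results if status != "patched"}

if __name__ == "__main__":
    for host, status in needs_action(INVENTORY).items():
        print(f"{host}: {status}")
```

A "patched" result covers only the version check; the review of Admin accounts and credential rotation that Ivanti advises is a separate step.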

Full text

By Sergiu Gatlan, May 7, 2026, 11:20 AM

Ivanti warned customers today to patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) exploited in zero-day attacks.

The security flaw (tracked as CVE-2026-6973) stems from an Improper Input Validation weakness that allows remote attackers with administrative privileges to execute arbitrary code on targeted systems running EPMM 12.8.0.0 and earlier.

Ivanti says customers can mitigate the zero-day by installing Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and advises customers to review accounts with Admin rights and rotate those credentials where necessary.

"At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation. We are not aware of any customers being exploited by the other vulnerabilities disclosed today," the company said.

"The issues only affect the on-prem EPMM product, and are not present in Ivanti Neurons for MDM, Ivanti's cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products."

Internet security watchdog Shadowserver currently tracks over 850 IP addresses with Ivanti EPMM fingerprints exposed online, most of them from Europe (508) and North America (182). However, there is no information on how many of them have already been patched against attacks exploiting the CVE-2026-6973 vulnerability.

[Figure: Ivanti EPMM IPs exposed online (Shadowserver)]

Today, Ivanti also patched four other high-severity EPMM vulnerabilities (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821) that can allow attackers to gain admin access, impersonate registered Sentry hosts to obtain valid CA-signed client certificates, invoke arbitrary methods, and gain access to restricted information.

However, the company said it has no evidence that these flaws have been exploited in the wild and noted that CVE-2026-7821 (which can be exploited by attackers without privileges) affects only users who use and have configured Apple Device Enrollment.

In January, Ivanti disclosed two other critical EPMM code-injection vulnerabilities (CVE-2026-1281 and CVE-2026-1340) that were exploited in zero-day attacks affecting a "very limited number of customers."

"If customers followed Ivanti's recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced," the company added today.

In April, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) gave U.S. government agencies 4 days to secure their systems against CVE-2026-1340 attacks.

Multiple other Ivanti EPMM zero-days have been exploited in attacks in recent years to breach a wide range of targets, including government agencies worldwide. In total, CISA has flagged 33 Ivanti vulnerabilities as exploited in the wild, 12 of which were also abused by various ransomware operations.

Ivanti provides IT asset management products to more than 40,000 customers through a network of over 7,000 partners worldwide.

Indicators of Compromise

  • cve — CVE-2026-6973
  • cve — CVE-2026-5786
  • cve — CVE-2026-5787
  • cve — CVE-2026-5788
  • cve — CVE-2026-7821
  • cve — CVE-2026-1281
  • cve — CVE-2026-1340

Entities

  • Ivanti (vendor)
  • Endpoint Manager Mobile (EPMM) (product)
  • Ivanti Neurons for MDM (product)
  • Ivanti Sentry (product)
  • Shadowserver (technology)