    Ivanti warns of new EPMM flaw exploited in zero-day attacks

    By admin, May 7, 2026

    Ivanti warned customers today to patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) exploited in zero-day attacks.

    The security flaw (tracked as CVE-2026-6973) stems from an Improper Input Validation weakness that allows remote attackers with administrative privileges to execute arbitrary code on targeted systems running EPMM 12.8.0.0 and earlier.

    Ivanti says customers can mitigate the zero-day by installing Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and advises customers to review accounts with Admin rights and rotate those credentials where necessary.
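
    The version triage a defender might run over an EPMM inventory, as an added example that is not from Ivanti or the original article. It assumes each fixed build applies to the release branch given by its first two version components; the hostnames and inventory versions are constructed.

```python
import re

# Fixed builds named in the article, keyed by release branch (assumed: major, minor).
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
LAST_AFFECTED = (12, 8, 0, 0)  # article: "EPMM 12.8.0.0 and earlier"

def parse(version):
    """Return a 4-part integer tuple, or None if the string is not a version."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){1,3})\s*", version)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))

def triage(version):
    v = parse(version)
    if v is None:
        return "unknown"  # messy inventory field: needs a manual check
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        # Compare only against the fixed build for this branch.
        return "patched" if v >= fixed else "vulnerable"
    if v <= LAST_AFFECTED:
        # Older branch: inside the affected range, no fixed build listed for it.
        return "vulnerable-no-listed-fix"
    return "outside-affected-range"

def naive_triage(version):
    """Pitfall: one global threshold marks unpatched newer branches as patched."""
    v = parse(version)
    return "patched" if v and v >= min(FIXED.values()) else "vulnerable"

# Constructed inventory (hostnames and versions are made up for the example).
INVENTORY = {
    "epmm-a.example.internal": "12.6.1.1",
    "epmm-b.example.internal": "12.7.0.0",
    "epmm-c.example.internal": "12.5.0.2",
    "epmm-d.example.internal": "12.8.0.1",
    "epmm-e.example.internal": "n/a",
}

def triage_inventory(inventory):
    return {host: triage(ver) for host, ver in inventory.items()}
```

    A host on 12.7.0.0 passes the single-threshold check because it sorts above 12.6.1.1, which is why the comparison is done per branch.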

    “At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation. We are not aware of any customers being exploited by the other vulnerabilities disclosed today,” the company said.

    “The issues only affect the on-prem EPMM product, and are not present in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products.”

    Internet security watchdog Shadowserver currently tracks over 850 IP addresses with Ivanti EPMM fingerprints exposed online, most of them from Europe (508) and North America (182).

    However, there is no information on how many of them have already been patched against attacks exploiting the CVE-2026-6973 vulnerability.

    [Figure: Ivanti EPMM IPs exposed online (Shadowserver)]

    Today, Ivanti also patched four other high-severity EPMM vulnerabilities (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821) that can allow attackers to gain admin access, impersonate registered Sentry hosts to obtain valid CA-signed client certificates, invoke arbitrary methods, and gain access to restricted information.

    However, the company said it has no evidence that these flaws have been exploited in the wild and noted that CVE-2026-7821 (which can be exploited by attackers without privileges) affects only users who use and have configured Apple Device Enrollment.

    In January, Ivanti disclosed two other critical EPMM code-injection vulnerabilities (CVE-2026-1281 and CVE-2026-1340) that were exploited in zero-day attacks affecting a “very limited number of customers.”

    “If customers followed Ivanti’s recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced,” the company added today.

    In April, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) gave U.S. government agencies 4 days to secure their systems against CVE-2026-1340 attacks.

    Multiple other Ivanti EPMM zero-days have been exploited in attacks in recent years to breach a wide range of targets, including government agencies worldwide. In total, CISA has flagged 33 Ivanti vulnerabilities as exploited in the wild, 12 of which were also abused by various ransomware operations.

    Ivanti provides IT asset management products to more than 40,000 customers through a network of over 7,000 partners worldwide.

