Skip to content
Tech News
← Back to articles

Ivanti warns of new EPMM flaw exploited in zero-day attacks

2026-05-07 | original
read original get Ivanti EPMM Security Patch → more articles
Why This Matters

The discovery of a critical zero-day vulnerability in Ivanti's Endpoint Manager Mobile highlights the ongoing risks of remote code execution in enterprise management tools. This underscores the importance for organizations to promptly update their systems and review access controls to prevent potential exploitation. As attackers increasingly target endpoint management solutions, timely patches and vigilant security practices are essential for safeguarding sensitive corporate data.

Key Takeaways

Ivanti warned customers today to patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) exploited in zero-day attacks.

The security flaw (tracked as CVE-2026-6973) stems from an Improper Input Validation weakness that allows remote attackers with administrative privileges to execute arbitrary code on targeted systems running EPMM 12.8.0.0 and earlier.

Ivanti says customers can mitigate the zero-day by installing Ivanti EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and advises customers to review accounts with Admin rights and rotate those credentials where necessary.

"At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation. We are not aware of any customers being exploited by the other vulnerabilities disclosed today," the company said.

"The issues only affect the on-prem EPMM product, and are not present in Ivanti Neurons for MDM, Ivanti's cloud-based unified endpoint management solution, Ivanti EPM (a similarly named, but different product), Ivanti Sentry, or any other Ivanti products."

Internet security watchdog Shadowserver currently tracks over 850 IP addresses with Ivanti EPMM fingerprints exposed online, most of them from Europe (508) and North America (182).

However, there is no information on how many of them have already been patched against attacks exploiting the CVE-2026-6973 vulnerability.

Ivanti EPMM IPs exposed online (Shadowserver)

​Today, Ivanti also patched four other high-severity EPMM vulnerabilities (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821) that can allow attackers to gain admin access, impersonate registered Sentry hosts to obtain valid CA-signed client certificates, invoke arbitrary methods, and gain access to restricted information.

However, the company said it has no evidence that these flaws have been exploited in the wild and noted that CVE-2026-7821 (which can be exploited by attackers without privileges) affects only users who use and have configured Apple Device Enrollment.

... continue reading

Explore topics: ivanti epmm zero-day vulnerability remote code execution
Related:
Mozilla says 271 vulnerabilities found by Mythos have "almost no false positives"
This critical Linux vulnerability is putting millions of systems at risk - how to protect yours
Exploit Cyber-Frenzy Threatens Millions via Critical cPanel Vulnerability
Weaver E-cology critical bug exploited in attacks since March
Securing a DoD Contractor: Finding a Multi-Tenant Authorization Vulnerability

© 2026 GoKawiil

About | Editorial Policy | Contact