What happened
Ivanti has disclosed a high-severity remote code execution vulnerability in Endpoint Manager Mobile, tracked as CVE-2026-6973, that has been actively exploited in zero-day attacks against a limited number of customers. CISA added the flaw to its Known Exploited Vulnerabilities catalog within hours of disclosure and ordered federal agencies to patch by May 10, 2026.
The vulnerability stems from improper input validation and allows a remote attacker who already holds administrative privileges on the appliance to execute arbitrary code on systems running EPMM 12.8.0.0 and earlier. Patches are available in versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. Because exploitation requires an administrative account, Ivanti has recommended that customers review all accounts with administrative rights and rotate those credentials. There are currently no reliable indicators of compromise for CVE-2026-6973.
Ivanti’s advisory noted that customers who followed its January recommendation to rotate credentials after being compromised by CVE-2026-1281 and CVE-2026-1340 are at significantly reduced risk from the new zero-day. The January vulnerabilities were unauthenticated critical-severity code injection flaws also exploited as zero-days, affecting nearly 100 victims including Dutch government entities. Security researchers have assessed that CVE-2026-6973 may have been chained with those earlier unauthenticated flaws, with attackers first gaining access via the January vulnerabilities before leveraging administrative credentials for the new RCE. Attribution has not been confirmed, though prior EPMM zero-days have been exploited by China and Iran-linked threat actors.
In the same update, Ivanti also patched four additional high-severity EPMM vulnerabilities, CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821, covering privilege escalation, certificate impersonation, arbitrary method invocation, and information disclosure. None of these have confirmed active exploitation, and CVE-2026-7821 only affects users who have configured Apple Device Enrollment. Shadowserver tracks over 850 EPMM appliances exposed online, concentrated primarily in Europe and North America. CISA has now flagged 34 Ivanti vulnerabilities as exploited in the wild, 12 of which have been used in ransomware operations.
Who is affected
Organizations running Ivanti EPMM on-premises at versions 12.8.0.0 and earlier are directly exposed. Government agencies, healthcare providers, and enterprise organizations with EPMM deployments face the greatest targeted risk based on historical Ivanti exploitation patterns. Organizations that did not rotate credentials following the January 2026 EPMM compromises face compounded exposure.
Why CISOs should care
This is the third Ivanti EPMM zero-day exploitation event in 2026 alone. The pattern is consistent: Ivanti discloses a vulnerability with confirmed active exploitation, CISA adds it to KEV with a short federal deadline, and private sector organizations face the same risk without the same mandate. The 34 exploited Ivanti vulnerabilities CISA has catalogued since late 2021 establish this product line as one of the most persistently targeted in enterprise security infrastructure.
The chaining concern is particularly relevant. If CVE-2026-6973 is being used in chains that began with the January unauthenticated flaws, organizations that were compromised in January but did not conduct thorough forensic investigation and credential rotation may have active adversary access that predates this new vulnerability’s disclosure.
3 practical actions
- Patch EPMM immediately to versions 12.6.1.1, 12.7.0.1, or 12.8.0.1 and rotate all administrative credentials: These are Ivanti’s explicit recommendations. Patching alone is insufficient if administrative credentials were compromised through the January zero-days. Treat credential rotation as a required step alongside the update regardless of whether your organization was a confirmed January victim.
- Conduct a forensic review of EPMM appliances for signs of prior compromise from the January zero-days: If CVE-2026-6973 is being chained with CVE-2026-1281 or CVE-2026-1340, organizations that were not confirmed victims of the January exploitation may still have lingering adversary access. Review Apache access logs at /var/log/httpd/https-access_log for exploitation indicators from the January vulnerabilities and investigate any anomalous activity.
- Review and harden Sentry appliance security in parallel with EPMM patching: Ivanti specifically recommends reviewing Sentry security alongside EPMM due to its dependency on EPMM configuration. Sentry is designed to tunnel traffic from mobile devices to internal network assets, making it a high-value pivot point if the connected EPMM appliance is compromised.
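Two checks that support actions 1 and 2, written here as an added example rather than anything Ivanti ships: a version gate that decides whether an inventoried EPMM build carries the CVE-2026-6973 fix (using only the fixed builds and the "12.8.0.0 and earlier" range stated above), and a first-pass triage of the Apache access log that surfaces sensitive-path requests from sources outside your admin allowlist and hosts that rack up auth failures or server errors. The log lines are constructed in the standard Apache combined format; the path prefixes, scripted-client user-agent tokens and admin-source allowlist are hypothetical placeholders that you should replace with the endpoints and indicators from Ivanti's advisory and your own environment.

```python
"""Triage helpers for the two EPMM checks above (added example, not Ivanti's code).

Assumptions, repeated in comments where they apply:
- Fixed builds 12.6.1.1 / 12.7.0.1 / 12.8.0.1 and the affected range "12.8.0.0 and
  earlier" come from the advisory summary; nothing else about versions is assumed.
- Log lines use the standard Apache combined format; SAMPLE_LOG below is constructed.
- SENSITIVE_PREFIXES, SCRIPTED_UA_TOKENS and ADMIN_SOURCES are hypothetical
  placeholders, not indicators published by Ivanti.
"""
import re
from collections import Counter, defaultdict

# --- Action 1: is this appliance on a build that carries the CVE-2026-6973 fix? ---

AFFECTED_MAX = (12, 8, 0, 0)                      # "12.8.0.0 and earlier" is affected
FIXED_BACKPORTS = {(12, 6): (12, 6, 1, 1),        # fixed builds for the older branches
                   (12, 7): (12, 7, 0, 1)}

def parse_version(text):
    """'12.6.1' -> (12, 6, 1, 0); tuples compare component-wise."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))

def is_patched(version):
    """True when the build is past the affected range or at/above its branch fix.
    Branches with no listed fix (for example 12.5.x) are reported as unpatched."""
    v = parse_version(version)
    if v > AFFECTED_MAX:          # 12.8.0.1 and anything newer is past the affected range
        return True
    fixed = FIXED_BACKPORTS.get(v[:2])
    return fixed is not None and v >= fixed

# --- Action 2: first-pass triage of /var/log/httpd/https-access_log ---

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
SENSITIVE_PREFIXES = ("/admin/", "/api/")          # hypothetical; substitute the advisory's endpoints
SCRIPTED_UA_TOKENS = ("python-requests", "curl/", "go-http-client")  # hypothetical tool signatures

def triage(log_text, admin_sources, min_errors=2):
    """Return three views a responder wants first:
    unexpected_sources: sensitive-path requests from IPs outside the admin allowlist,
    error_bursts:       IPs with repeated 401/403/5xx responses (probing or failed attempts),
    unparsed:           lines the regex could not read (never silently dropped)."""
    unexpected = defaultdict(list)
    errors = Counter()
    unparsed = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        r = m.groupdict()
        status = int(r["status"])
        scripted = any(tok in r["ua"].lower() for tok in SCRIPTED_UA_TOKENS)
        if r["path"].startswith(SENSITIVE_PREFIXES) and r["ip"] not in admin_sources:
            unexpected[r["ip"]].append((r["ts"], r["method"], r["path"], status, scripted))
        if status in (401, 403) or status >= 500:
            errors[r["ip"]] += 1
    return {
        "unexpected_sources": dict(unexpected),
        "error_bursts": {ip: n for ip, n in errors.items() if n >= min_errors},
        "unparsed": unparsed,
    }

# Constructed sample: two known admin workstations, one scripted client working the
# admin/API paths at 03:14 UTC, and one host being refused on /admin/.
SAMPLE_LOG = """\
198.51.100.20 - admin1 [12/Mar/2026:09:02:11 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:03:14:22 +0000] "GET /api/v2/devices HTTP/1.1" 200 834 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:03:14:25 +0000] "POST /admin/users HTTP/1.1" 200 212 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:03:14:30 +0000] "GET /api/v2/admins HTTP/1.1" 200 410 "-" "python-requests/2.31"
198.51.100.21 - - [12/Mar/2026:09:30:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2026:04:00:01 +0000] "GET /admin/ HTTP/1.1" 401 0 "-" "curl/8.0"
192.0.2.9 - - [12/Mar/2026:04:00:02 +0000] "GET /admin/ HTTP/1.1" 401 0 "-" "curl/8.0"
"""
ADMIN_SOURCES = {"198.51.100.20", "198.51.100.21"}   # hypothetical allowlist of admin jump hosts

if __name__ == "__main__":
    for build in ("12.5.2.0", "12.6.1.0", "12.6.1.1", "12.8.0.0", "12.8.0.1"):
        print(f"{build:10} patched={is_patched(build)}")
    report = triage(SAMPLE_LOG, ADMIN_SOURCES)
    for ip, reqs in report["unexpected_sources"].items():
        print(f"{ip}: {len(reqs)} sensitive-path request(s); scripted client: {any(r[-1] for r in reqs)}")
    for ip, n in report["error_bursts"].items():
        print(f"{ip}: {n} auth failures / server errors")
```

Run it against a copy of the real log pulled off the appliance, not on the appliance itself, and treat every hit as a lead for the forensic review rather than a verdict: a successful POST to an administrative path from an unlisted source in the weeks since the January disclosures is exactly the kind of event that should trigger the admin-account review and credential rotation above, and the `unparsed` list tells you whether your log format differs from the combined format this regex expects.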
Also in the news today:
- Fake Claude AI Website Delivers New Beagle Windows Backdoor via Malvertising
- NVIDIA Confirms GeForce NOW Data Breach Affecting Armenian Regional Partner
- Zara Data Breach Exposed Personal Information of 197,000 People
- Australia Warns of ClickFix Attacks Pushing Vidar Stealer Malware
- Polish Intelligence Warns Hackers Attacked Water Treatment Control Systems
- New TCLBanker Malware Self-Spreads Over WhatsApp and Outlook
