Ivanti EPMM zero-day exploited in limited attacks as admins are urged to patch
Ivanti has released emergency security updates for Endpoint Manager Mobile after confirming limited exploitation of a new zero-day vulnerability. The flaw, tracked as CVE-2026-6973, affects on-premises EPMM deployments and lets a remote attacker who already holds administrator credentials execute code on vulnerable systems.
The issue is not an unauthenticated bug. Successful exploitation requires administrative access, which makes stolen or previously compromised admin credentials a major concern for affected customers.
Ivanti also patched four other high-severity EPMM vulnerabilities in the same update. The company says it has not seen customer exploitation of those additional flaws at the time of disclosure.
What Ivanti disclosed
CVE-2026-6973 is an improper input validation vulnerability in Ivanti EPMM. It affects versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1.
The vulnerability has a CVSS score of 7.2 and can allow remote code execution once the attacker already has administrative access. That access requirement narrows who can exploit it compared with an unauthenticated flaw, but it does not make the issue low risk, because administrator credentials can be phished, reused, or stolen in an earlier intrusion.
Mobile device management platforms hold sensitive control over enterprise phones, tablets, applications, certificates, and access policies. A compromised EPMM server can give attackers a powerful position inside an organization’s device management infrastructure.
At a glance
| Item | Details |
|---|---|
| Main vulnerability | CVE-2026-6973 |
| Product | Ivanti Endpoint Manager Mobile |
| Affected deployments | On-premises EPMM only |
| Fixed versions | 12.6.1.1, 12.7.0.1, and 12.8.0.1 |
| Severity | High, CVSS 7.2 |
| Access required | Remote authenticated admin access |
| Impact | Remote code execution |
| Exploitation status | Limited exploitation observed |
Which Ivanti products are affected
The May 2026 update applies to on-premises Ivanti Endpoint Manager Mobile. Ivanti says the issues do not affect Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, or other Ivanti products.
This distinction matters because similarly named Ivanti products can create confusion during patching. Administrators should confirm the exact product and version before deciding whether the advisory applies to their environment.
Organizations running on-premises EPMM should treat the update as urgent. CISA added CVE-2026-6973 to its Known Exploited Vulnerabilities catalog and set a May 10, 2026 remediation deadline for U.S. federal civilian agencies.
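The fixed build differs per release branch, so a flat "version is at least 12.6.1.1" check gets it wrong: a 12.7.0.0 build sorts above 12.6.1.1 yet is still vulnerable. The script below, an added example rather than Ivanti tooling or code from this article, classifies inventory records against the three fixed versions the advisory lists. The product-name strings, the four-part version format, the handling of branches the advisory does not list, and the sample inventory are assumptions.

```python
"""Branch-aware check of whether an EPMM build has the May 2026 fix.

Added example, not Ivanti tooling or code from this article. The three fixed
versions are the ones the advisory lists; the product-name strings, the
four-part version format, and the sample inventory are assumptions.
"""
from __future__ import annotations

# Fixed build per release branch (major, minor). A build is fixed only if it
# is at or above the fix for its OWN branch: 12.7.0.0 is numerically above
# 12.6.1.1 but still vulnerable, which a flat "version >= 12.6.1.1" test misses.
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, ...]] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
HIGHEST_LISTED_BRANCH = max(FIXED_VERSIONS)

# Assumed product-name string as it might appear in an asset inventory.
AFFECTED_PRODUCT = "Ivanti Endpoint Manager Mobile"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.6.1' or '12.6.1.0' into a four-part tuple for comparison."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return parts + (0,) * (4 - len(parts))


def assess(product: str, version: str) -> str:
    """Classify one asset: not-affected, fixed, vulnerable or unknown-branch."""
    if product != AFFECTED_PRODUCT:
        # Neurons for MDM, EPM, Sentry and other products are out of scope.
        return "not-affected"
    v = parse_version(version)
    fix = FIXED_VERSIONS.get(v[:2])
    if fix is None:
        # Branches older than 12.6 predate every listed fix and are treated as
        # vulnerable (conservative assumption); branches newer than 12.8 are
        # not covered by the advisory text and need a manual look.
        return "unknown-branch" if v[:2] > HIGHEST_LISTED_BRANCH else "vulnerable"
    return "fixed" if v >= fix else "vulnerable"


def assess_inventory(assets: list[dict[str, str]]) -> dict[str, str]:
    """Map hostname -> status for {'host', 'product', 'version'} records."""
    return {a["host"]: assess(a["product"], a["version"]) for a in assets}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "epmm-01", "product": AFFECTED_PRODUCT, "version": "12.6.1.1"},
    {"host": "epmm-02", "product": AFFECTED_PRODUCT, "version": "12.7.0.0"},
    {"host": "epmm-03", "product": AFFECTED_PRODUCT, "version": "12.8"},
    {"host": "mdm-cloud", "product": "Ivanti Neurons for MDM", "version": "n/a"},
]

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Feed it the product and version fields from whatever inventory you actually keep; the point is the per-branch comparison, not the sample records.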
Other vulnerabilities patched in the same update
| CVE | Severity | Issue type | Potential impact |
|---|---|---|---|
| CVE-2026-6973 | 7.2 | Improper input validation | Remote code execution by an authenticated admin user. |
| CVE-2026-5786 | 8.8 | Improper access control | A remote authenticated attacker could gain administrative access. |
| CVE-2026-5787 | 8.9 | Improper certificate validation | A remote unauthenticated attacker could impersonate registered Sentry hosts and obtain valid client certificates. |
| CVE-2026-5788 | 7.0 | Improper access control | A remote unauthenticated attacker could invoke arbitrary methods. |
| CVE-2026-7821 | 7.4 | Improper certificate validation | A remote unauthenticated attacker could enroll a restricted unenrolled device and expose appliance information. |
Why admin credential review matters
The most important detail is the authentication requirement. CVE-2026-6973 needs admin access, so attackers need valid privileged credentials before they can exploit it.
The Centre for Cybersecurity Belgium said Ivanti has high confidence that administrative credentials used in exploitation came from earlier compromise activity tied to CVE-2026-1340, one of the Ivanti EPMM flaws disclosed in January 2026.
That makes credential rotation a key part of the response. Patching closes this vulnerability, but administrator credentials stolen in an earlier intrusion remain valid until they are rotated, and an attacker holding them still has everything the EPMM admin interface legitimately allows.
Why EPMM remains a high-value target
Endpoint Manager Mobile sits close to sensitive enterprise workflows. It helps manage mobile devices, applications, configuration profiles, certificates, and access rules.
Attackers have repeatedly targeted Ivanti products because these systems can provide broad administrative reach. A successful compromise may expose device data, internal configuration details, authentication material, or trusted management channels.
This also explains why government agencies and security vendors move quickly when Ivanti vulnerabilities appear in active attacks. Even limited exploitation can become more dangerous after public disclosure.
What administrators should do now
- Upgrade on-premises EPMM to version 12.6.1.1, 12.7.0.1, or 12.8.0.1.
- Review all accounts with administrative rights in EPMM.
- Rotate EPMM admin credentials, especially if the environment was affected by January 2026 EPMM flaws.
- Check whether any unused or shared administrator accounts still exist.
- Restrict administrative interfaces to trusted networks only.
- Review Apache access logs and authentication records for suspicious activity.
- Monitor for unusual device enrollment, certificate, and administrative actions.
- Confirm that cloud-based Ivanti Neurons for MDM environments are not treated as affected on-premises EPMM systems.
What security teams should monitor
Security teams should look for unexpected administrative logins, changes to enrollment settings, new certificates, unusual API calls, and activity from unfamiliar IP addresses.
They should also review whether any EPMM administrator accounts received password resets, MFA changes, or privilege changes before the patch. Those events can help reveal whether attackers already had the access needed to exploit CVE-2026-6973.
Organizations that previously investigated CVE-2026-1281 or CVE-2026-1340 should revisit those cases. Older compromise activity may still matter if credentials were not rotated after the January advisory.
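Because the exploitation path runs through valid administrator credentials, the signal to look for in the web-server logs is not a crash or an exploit string but successful admin activity from places it should not come from. The script below is an added example, not Ivanti tooling or code from this article: it parses Apache combined-format access log lines, keeps only requests to the admin portal from addresses outside a trusted-network list, and separates failed logins from sessions that got in. The admin path prefix, the trusted networks, and the log lines themselves are assumptions constructed for illustration; substitute your real values.

```python
"""Triage an EPMM front-end access log for admin activity from unexpected sources.

Added example, not Ivanti tooling or code from this article. It assumes
Apache combined log format, a hypothetical admin-portal path prefix, and a
trusted-network list; the log lines below are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

ADMIN_PATH_PREFIX = "/mifs/admin"  # hypothetical; use your real admin path
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.10.0/24")]  # assumed

# Apache combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one normal admin session from the LAN, one authenticated
# admin session from an outside address, one failed login, one device API call.
SAMPLE_LOG = """\
10.0.5.20 - admin [05/May/2026:08:12:01 +0000] "GET /mifs/admin/dashboard HTTP/1.1" 200 5120
203.0.113.45 - - [05/May/2026:02:41:10 +0000] "POST /mifs/admin/login HTTP/1.1" 302 0
203.0.113.45 - admin [05/May/2026:02:41:12 +0000] "GET /mifs/admin/settings HTTP/1.1" 200 8123
203.0.113.45 - admin [05/May/2026:02:41:40 +0000] "POST /mifs/admin/settings/upload HTTP/1.1" 200 77
198.51.100.9 - - [05/May/2026:03:00:00 +0000] "POST /mifs/admin/login HTTP/1.1" 401 0
192.168.10.7 - svc_mdm [05/May/2026:09:00:00 +0000] "GET /mifs/c/device/list HTTP/1.1" 200 1024
"""


def is_trusted(ip_text: str) -> bool:
    """True if the client address is inside a trusted network; malformed -> False."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def parse_line(line: str) -> dict | None:
    """Split one combined-format line into fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str) -> dict[str, list[tuple[str, str, str, str, str]]]:
    """Group admin-path requests from untrusted addresses by client IP.

    Each finding is (kind, timestamp, method, path, status). Failed logins are
    a separate kind so password guessing and sessions built on stolen
    credentials can be told apart.
    """
    findings: dict[str, list] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ADMIN_PATH_PREFIX):
            continue
        if is_trusted(rec["ip"]):
            continue
        failed_login = rec["path"].endswith("/login") and rec["status"] == "401"
        kind = "failed-admin-login" if failed_login else "admin-request-untrusted-ip"
        findings[rec["ip"]].append((kind, rec["ts"], rec["method"], rec["path"], rec["status"]))
    return dict(findings)


def sessions_to_investigate(findings: dict[str, list]) -> set[str]:
    """IPs that actually reached the admin portal (anything beyond a failed login)."""
    return {ip for ip, items in findings.items()
            if any(k != "failed-admin-login" for k, *_ in items)}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ip, items in found.items():
        for kind, ts, method, path, status in items:
            print(f"{ip:15} {kind:26} {ts} {method} {path} {status}")
    print("investigate:", sorted(sessions_to_investigate(found)))
```

The untrusted session that logs in and then POSTs to an admin settings endpoint is exactly the shape of activity the advisory's credential-reuse story predicts; the 401 from a second outside address is a different problem (guessing) and is reported separately so it does not drown the first. Extend the trusted list and path prefix to match your deployment before relying on the output.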
Why Ivanti expects more disclosures
Ivanti said it has started using advanced AI and large language models in its product security and engineering red team processes. The company says this helped its teams find vulnerabilities that traditional SAST and DAST tools missed.
The company also said it keeps humans involved to verify automated findings. Ivanti expects this process to increase the number of vulnerabilities it finds, fixes, and discloses.
For customers, that means patch cycles may become more frequent. The practical response is to keep accurate inventories, subscribe to Ivanti security alerts, and test EPMM update procedures before emergency advisories arrive.
FAQ
Are other Ivanti products affected?
No. Ivanti says Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, and other Ivanti products are not affected by these EPMM vulnerabilities.
Which EPMM versions contain the fix?
Ivanti lists 12.6.1.1, 12.7.0.1, and 12.8.0.1 as fixed versions for affected on-premises EPMM deployments.
Has CVE-2026-6973 been exploited in the wild?
Yes. Ivanti says it has seen very limited exploitation of CVE-2026-6973, and CISA has added it to the Known Exploited Vulnerabilities catalog.
What is CVE-2026-6973?
CVE-2026-6973 is an improper input validation vulnerability in Ivanti Endpoint Manager Mobile that can allow remote code execution by an authenticated administrator.