
Ivanti Discloses Actively Exploited Zero-Day in Endpoint Manager


"At the time of disclosure, Ivanti is aware of very limited exploitation in the wild of CVE-2026-6973, which requires authenticated administrative access to implement," a spokesperson for Ivanti said.

Ivanti confirms active exploitation of CVE-2026-6973

Ivanti warned customers that attackers have successfully exploited CVE-2026-6973, an improper input validation defect in Ivanti Endpoint Manager Mobile (EPMM) that allows authenticated users with administrative privileges to run code remotely. The company said the vulnerability “requires authenticated administrative access to exploit,” and did not disclose when the first instance of exploitation occurred or precisely how many customers have been impacted.

Patches issued for five EPMM flaws, company says four others not seen in the wild

On Thursday Ivanti released patches for five vulnerabilities affecting EPMM, listing CVE-2026-5787, CVE-2026-5788, CVE-2026-6973 and CVE-2026-7821 among the fixes. Ivanti told customers that the four additional high-severity defects disclosed alongside CVE-2026-6973 have not been exploited in the wild. The company attributed the recent discoveries to internal detection supported by advanced AI, customer collaboration, and responsible disclosure; one defect was reported by a former employee.

Federal response: CISA adds zero-day to Known Exploited Vulnerabilities catalog

The Cybersecurity and Infrastructure Security Agency added the newly disclosed zero-day to its known exploited vulnerabilities catalog within hours of Ivanti’s advisory. Ivanti emphasized that customers who followed its January recommendation to rotate EPMM credentials “are at significantly reduced risk,” and that customers unaffected by the prior January vulnerability are at a much lower risk.

Connection to January incidents: CVE-2026-1281 and CVE-2026-1340

Ivanti suggested that at least one root cause of the latest zero-day may be lingering risk from two separate critical zero-days—CVE-2026-1281 and CVE-2026-1340—that were exploited starting in late January. Those earlier flaws spread to nearly 100 victims by early February, including the Dutch Data Protection Authority and the Netherlands’ Council for the Judiciary. Ivanti said those earlier vulnerabilities were code-injection flaws that were remotely exploitable without authentication; the company said those have been fixed in the current release.

Caitlin Condon and Ivanti executives on exploitation and transparency

Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop that the administrative privileges required to exploit CVE-2026-6973 “indicates it was possibly exploited as part of an attack chain relying on another method for initial access.” Condon noted that other 2026 Ivanti EPMM CVEs—specifically CVE-2026-1281 and CVE-2026-1340—have been exploited by a range of threat actors, “including China- and Iran-attributed groups.”

Ivanti Chief Security Officer Daniel Spicer has framed the company’s disclosure posture as deliberate. Speaking at RSAC in March, Spicer said, “it doesn’t do our customers any good to be quiet about this,” describing Ivanti’s communication stance with the public, CISA and global partners as “very aggressive,” and adding, “I don’t know that transparency is a core tenet of all other organizations.” Ivanti also noted that it serves many government agencies and critical infrastructure operators and flagged that highly skilled, well-resourced attackers, including nation-state–backed groups, often drive waves of attacks on its customers.

What this means for security teams, policymakers, and affected enterprises

  • Security teams: Apply the Thursday patches for all five EPMM vulnerabilities immediately and verify whether EPMM administrative credentials were rotated following Ivanti’s January guidance; Ivanti says rotated credentials materially reduce risk from CVE-2026-6973.
  • Policymakers and regulators: CISA’s rapid addition of the zero-day to its known exploited vulnerabilities catalog signals continued federal attention; regulators that oversee entities using Ivanti products will likely track remediation and disclosure activity closely.
  • Affected enterprises and procurement leaders: Organizations that deploy Ivanti EPMM should inventory affected systems, confirm patch deployment, and review whether prior January incidents touched their environments given the earlier spread to nearly 100 victims, including national judicial and data-protection bodies.
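The three action items above (inventory EPMM hosts, confirm patch deployment, check whether admin credentials were rotated after the January guidance and whether the host was exposed during the January incidents) can be turned into a small triage pass over an asset inventory. The script below is an added example written for this article; it is not Ivanti's or CyberScoop's code and does not talk to EPMM. It assumes a hand-maintained inventory with three facts per host, and it uses a placeholder cut-off date for the January rotation guidance because the article gives only the month. The host names and dates are constructed sample data.

```python
"""Prioritise Ivanti EPMM hosts by the risk factors the advisory describes.

Added example, not Ivanti's code. Inputs are a constructed inventory; nothing
here queries a real EPMM instance.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumption (placeholder, not from the article): cut-off for Ivanti's January
# credential-rotation guidance. A rotation on or after this date counts as done.
JANUARY_GUIDANCE = date(2026, 1, 31)

TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class EpmmHost:
    name: str
    patched: bool                        # Thursday's fixes for all five EPMM CVEs deployed
    last_admin_rotation: Optional[date]  # None = never rotated / unknown
    exposed_in_january: bool             # reachable during the CVE-2026-1281/1340 window


def credentials_rotated(host: EpmmHost) -> bool:
    """True if EPMM admin credentials were rotated on or after the January guidance."""
    return (host.last_admin_rotation is not None
            and host.last_admin_rotation >= JANUARY_GUIDANCE)


def risk_tier(host: EpmmHost) -> str:
    """Map the advisory's risk statements onto four tiers."""
    rotated = credentials_rotated(host)
    if not host.patched:
        if host.exposed_in_january and not rotated:
            return "critical"  # unpatched and possibly still using attacker-known admin creds
        if host.exposed_in_january:
            return "high"      # unpatched, but rotation materially reduces CVE-2026-6973 risk
        return "medium"        # unpatched, but never exposed in January: much lower risk
    if host.exposed_in_january and not rotated:
        return "medium"        # patched, but admin access may have been obtained pre-patch
    return "low"


def actions(host: EpmmHost) -> List[str]:
    """Concrete follow-ups for one host, in the order the article recommends."""
    todo: List[str] = []
    if not host.patched:
        todo.append("deploy Thursday's patches for all five EPMM CVEs")
    if host.exposed_in_january and not credentials_rotated(host):
        todo.append("rotate EPMM administrative credentials")
        todo.append("review admin activity predating the patch for a chained compromise")
    return todo


def triage(hosts: List[EpmmHost]):
    """Return (name, tier, actions) rows, most urgent first, ties broken by name."""
    rows = [(h.name, risk_tier(h), actions(h)) for h in hosts]
    return sorted(rows, key=lambda r: (TIER_ORDER[r[1]], r[0]))


# Constructed sample inventory (names and dates are made up for the example).
SAMPLE_HOSTS = [
    EpmmHost("epmm-prod-01", patched=False, last_admin_rotation=None, exposed_in_january=True),
    EpmmHost("epmm-prod-02", patched=False, last_admin_rotation=date(2026, 2, 3), exposed_in_january=True),
    EpmmHost("epmm-lab-01", patched=False, last_admin_rotation=None, exposed_in_january=False),
    EpmmHost("epmm-prod-03", patched=True, last_admin_rotation=date(2026, 1, 10), exposed_in_january=True),
    EpmmHost("epmm-prod-04", patched=True, last_admin_rotation=date(2026, 2, 1), exposed_in_january=True),
]


if __name__ == "__main__":
    for name, tier, todo in triage(SAMPLE_HOSTS):
        print(f"{name:14} {tier:9} {'; '.join(todo) or 'no action'}")
```

Note that a rotation dated before the guidance (epmm-prod-03) is treated as not done: credentials reset before the January zero-days were exploited offer no protection against access obtained during that window, which is the scenario the article's closing paragraph asks teams to look for.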

Ivanti has released patches and reiterated investments in product security, including “advanced AI paired with human verification,” as it seeks to shorten disclosure timelines and reduce exposure. The immediate operational imperative is clear: confirm credential hygiene, deploy the published fixes, and monitor for evidence of chained compromises that could have delivered administrative access prior to the patch.

https://cyberscoop.com/ivanti-epmm-zero-day-vulnerability-exploited/