"At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation. We are not aware of any customers being exploited by the other vulnerabilities disclosed today," the company said.
Ivanti advisory and products affected
Ivanti warned customers on May 7, 2026, to patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM). The company said the issues only affect the on-prem EPMM product and are not present in Ivanti Neurons for MDM (Ivanti's cloud-based unified endpoint management solution), Ivanti EPM, Ivanti Sentry, or any other Ivanti products. To mitigate the zero-day, Ivanti advised installing Ivanti EPMM versions 12.6.1.1, 12.7.0.1, or 12.8.0.1 and reviewing accounts with Admin rights — rotating credentials where necessary.
CVE-2026-6973: what the flaw allows and who must be authenticated
The flaw tracked as CVE-2026-6973 stems from an Improper Input Validation weakness. Ivanti said it allows remote attackers with administrative privileges to execute arbitrary code on systems running EPMM 12.8.0.0 and earlier. The company emphasized that successful exploitation requires admin authentication. Ivanti also noted that customers who followed its January recommendation to rotate credentials after earlier exploited EPMM bugs (CVE-2026-1281 and CVE-2026-1340) will have a significantly reduced risk from CVE-2026-6973.
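A fleet check against the fixed builds and affected range described above, as an added example that is not Ivanti's or BleepingComputer's code. It assumes each fixed build covers the release branch sharing its major.minor components, and the inventory hostnames and versions are constructed.

```python
import re

# Fixed builds and affected range as stated in the advisory text above.
FIXED_BUILDS = [(12, 6, 1, 1), (12, 7, 0, 1), (12, 8, 0, 1)]
LAST_AFFECTED = (12, 8, 0, 0)  # "EPMM 12.8.0.0 and earlier"
# Assumption (not from the advisory): a fixed build covers the branch that
# shares its first two components, e.g. 12.7.0.1 fixes the 12.7.x line.
FIXED_BY_BRANCH = {build[:2]: build for build in FIXED_BUILDS}

def parse_version(text):
    """Return a 4-tuple of ints, or None for anything but a dotted version."""
    text = text.strip()
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+){0,3}", text):
        return None
    nums = [int(p) for p in text.split(".")]
    return tuple(nums + [0] * (4 - len(nums)))

def triage(version_text):
    """Classify a reported version as (status, note)."""
    v = parse_version(version_text)
    if v is None:
        return "unknown", "unparseable version string, check the appliance"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        target = ".".join(map(str, fixed))
        if v >= fixed:
            return "patched", f"at or above {target}"
        return "vulnerable", f"install {target}"
    if v <= LAST_AFFECTED:
        return "vulnerable", "no fixed build listed for this branch, upgrade"
    return "unknown", "outside the range the advisory describes"

# Constructed sample inventory; hostnames and versions are placeholders.
INVENTORY = {
    "epmm-a.example.internal": "12.8.0.0",
    "epmm-b.example.internal": "12.7.0.1",
    "epmm-c.example.internal": "12.5.1.0",
    "epmm-d.example.internal": "12.6.0.2",
    "epmm-e.example.internal": "build-unknown",
}

def needs_action(inventory):
    """Hosts whose version is not confirmed patched, with the reason."""
    results = {host: triage(ver) for host, ver in inventory.items()}
    return {h: r for h, r in results.items() if r[0] != "patched"}

if __name__ == "__main__":
    for host, (status, note) in sorted(needs_action(INVENTORY).items()):
        print(f"{host}: {status} ({note})")
```

A "patched" result covers only the build number; the advisory's review of accounts with Admin rights and credential rotation still applies to those hosts.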
Four additional high-severity fixes released today
Alongside CVE-2026-6973, Ivanti released patches for four other high-severity EPMM flaws: CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821. According to Ivanti, these flaws can allow attackers to gain admin access, impersonate registered Sentry hosts to obtain valid CA-signed client certificates, invoke arbitrary methods, and gain access to restricted information. The company said it has no evidence these additional flaws have been exploited in the wild. Ivanti also warned that CVE-2026-7821 — which can be exploited without privileges — affects only users who use and have configured Apple Device Enrollment.
Public exposure: Shadowserver's internet scan
Internet security watchdog Shadowserver reports more than 850 IP addresses with Ivanti EPMM fingerprints exposed online. Most are in Europe (508), followed by North America (182). Ivanti and third-party trackers did not provide information on how many of those internet-facing instances have already been patched against attacks exploiting CVE-2026-6973.
What this means for technologists, policymakers, and procurement leaders
- Technologists and security teams: Apply the Ivanti EPMM updates (12.6.1.1, 12.7.0.1, or 12.8.0.1), audit accounts with Admin rights, and rotate credentials where necessary — actions Ivanti explicitly recommends. Remember that exploitation of CVE-2026-6973 requires admin authentication, but earlier EPMM zero-days were exploited in the wild.
- Policymakers and regulators: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) gave U.S. government agencies four days in April to secure systems against CVE-2026-1340, and CISA has flagged 33 Ivanti vulnerabilities as exploited in the wild (12 of which were also abused by ransomware). Those prior actions underscore why rapid patching and oversight remain priorities.
- Procurement and enterprise leaders: Ivanti supplies IT asset management products to more than 40,000 customers through a network of over 7,000 partners worldwide. Given a history of multiple EPMM zero-days exploited in attacks that breached a wide range of targets — including government agencies worldwide — buyers and partners should confirm patching status and credential hygiene in their fleets.
Ivanti's advisory is a reminder that on-premises management platforms with internet-facing fingerprints remain an attractive target: the company reports very limited exploitation of CVE-2026-6973 so far, but Shadowserver's scan shows more than 850 IP addresses with EPMM fingerprints exposed online, and CISA's record of Ivanti vulnerabilities flagged as exploited in the wild points to a pattern of repeated, high-impact flaws. The concrete, immediate actions from Ivanti, installing the supplied patches and reviewing Admin credentials, are the steps the vendor has identified to reduce risk now.
Source: BleepingComputer — Ivanti warns of new EPMM flaw exploited in zero-day attacks



