Ivanti warns of new EPMM flaw exploited in zero-day attacks
Source: Bleeping Computer
Vulnerability details
- CVE‑2026‑6973 – Improper Input Validation allowing remote attackers with administrative privileges to execute arbitrary code on systems running EPMM 12.8.0.0 and earlier.
- Affects the on‑prem product only; not present in Ivanti Neurons for MDM, Ivanti EPM, Ivanti Sentry, or other Ivanti solutions.
Mitigation
Ivanti recommends installing one of the following patched versions:
- EPMM 12.6.1.1
- EPMM 12.7.0.1
- EPMM 12.8.0.1
Additionally, customers should:
- Review accounts with Admin rights.
- Rotate credentials where necessary.
“At the time of disclosure, we are aware of very limited exploitation of CVE‑2026‑6973, which requires admin authentication for successful exploitation. We are not aware of any customers being exploited by the other vulnerabilities disclosed today,” – Ivanti blog.
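For triaging an inventory against the patched versions listed above, the following is an added example, not code from Ivanti or the original article. It compares each version only against the fix for its own release branch, since a plain "12.6.1.1 or higher" test would pass the unpatched 12.7.0.0. The host names and the four-part version format are assumptions, and builds newer than those listed are flagged for a manual check rather than assumed fixed.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
LAST_AFFECTED = (12, 8, 0, 0)  # "EPMM 12.8.0.0 and earlier"

def parse_version(text):
    """Parse a four-part dotted version string; reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def classify(text):
    """Return 'patched', 'vulnerable', 'newer-than-listed' or 'unknown'."""
    try:
        version = parse_version(text)
    except ValueError:
        return "unknown"
    fixed = FIXED.get(version[:2])
    if fixed is not None:
        # Compare only against the fix for the same branch: 12.7.0.0 sorts
        # above 12.6.1.1 but is still below its own fix, 12.7.0.1.
        if version < fixed:
            return "vulnerable"
        return "patched" if version == fixed else "newer-than-listed"
    # No fix is listed for this branch; older branches have to move to one.
    return "vulnerable" if version <= LAST_AFFECTED else "newer-than-listed"

def triage(inventory):
    """Map each status to the sorted hosts that have it."""
    report = {}
    for host, version in inventory.items():
        report.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}

# Constructed inventory (hypothetical host names, not from the article).
SAMPLE = {
    "epmm-01.example.internal": "12.6.1.1",
    "epmm-02.example.internal": "12.7.0.0",
    "epmm-03.example.internal": "12.8.0.0",
    "epmm-04.example.internal": "12.5.0.2",
    "epmm-05.example.internal": "12.8.0.1",
    "epmm-06.example.internal": "12.8 (build?)",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:18} {', '.join(hosts)}")
```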
Exposure statistics
Shadowserver tracks over 850 IP addresses with Ivanti EPMM fingerprints exposed online, primarily in Europe (508) and North America (182). No data is available on how many of these have been patched against CVE‑2026‑6973.

Additional EPMM vulnerabilities patched
Ivanti also released patches for four other high‑severity issues:
- CVE‑2026‑5786 – Allows attackers to gain admin access.
- CVE‑2026‑5787 – Enables impersonation of registered Sentry hosts to obtain valid CA‑signed client certificates.
- CVE‑2026‑5788 – Permits invocation of arbitrary methods.
- CVE‑2026‑7821 – Grants access to restricted information; exploitable without privileges but only affects users who have configured Apple Device Enrollment.
Ivanti reports no evidence of these flaws being exploited in the wild.
Historical context
- January 2026: Two critical EPMM code‑injection vulnerabilities (CVE‑2026‑1281 and CVE‑2026‑1340) were disclosed and exploited in zero‑day attacks affecting a limited number of customers. Customers who rotated credentials after the January advisory reduced their risk for CVE‑2026‑6973.
  Source: BleepingComputer – Ivanti warns of two EPMM flaws exploited in zero‑day attacks
- April 2026: CISA ordered U.S. government agencies to patch systems against CVE‑2026‑1340 within four days.
  Source: CISA order
- Recent years: Multiple Ivanti EPMM zero‑days have been used in attacks against government agencies worldwide. CISA has flagged 33 Ivanti vulnerabilities as exploited in the wild, 12 of which were leveraged by ransomware groups.
About Ivanti
Ivanti provides IT asset management products to more than 40,000 customers through a network of over 7,000 partners worldwide.