Ivanti Patches EPMM Vulnerability Exploited in Recent Cyberattacks


Ivanti Patches Zero-Day Flaw Exploited in Targeted Attacks

A high-severity vulnerability in Ivanti’s Endpoint Manager Mobile (EPMM) software has been exploited in targeted attacks. The flaw, tracked as CVE-2026-6973, is an improper input validation issue that allows an authenticated attacker with administrative privileges to execute arbitrary code remotely.

According to Ivanti, “We became aware of the vulnerability in early January 2026, when two previously disclosed vulnerabilities, CVE-2026-1281 and CVE-2026-1340, allowed unauthenticated attackers to gain complete control over targeted mobile device management (MDM) infrastructure.”

In an effort to mitigate potential exploitation of CVE-2026-6973, Ivanti advised customers to rotate credentials following the initial attacks leveraging CVE-2026-1281 and CVE-2026-1340. As a result, the risk of exploitation from CVE-2026-6973 appears to be significantly reduced for affected customers who implemented these recommended changes.

Attack Details

  • The exploit was likely used in conjunction with CVE-2026-1281 or CVE-2026-1340, both of which enable an attacker to gain complete control over the targeted MDM infrastructure.
  • Chinese threat actors are suspected to be behind the attacks, given the frequency of Ivanti product vulnerabilities being exploited by such groups.

Patch Release and US-CERT Alert

  • Ivanti released patches for the EPMM product in May 2026, addressing five vulnerabilities, including CVE-2026-6973.
  • Four additional vulnerabilities, tracked as CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821, were also addressed in the update.
  • These issues could potentially lead to privilege escalation, unauthorized access to client certificates, invocation of arbitrary methods, and information disclosure.
  • US-CERT (Cybersecurity and Infrastructure Security Agency) included CVE-2026-6973 in its Known Exploited Vulnerabilities catalog on May 10, 2026, advising federal agencies to remediate the issue within the specified timeframe.

This marks the 34th Ivanti vulnerability to be added to the catalog since its inception.


