Ivanti, a prominent cybersecurity firm, has issued a critical alert regarding a newly discovered security vulnerability affecting its Endpoint Manager Mobile (EPMM) software. This high-severity flaw, identified as CVE-2026-6973, has already seen limited exploitation in the wild, posing a significant risk to organizations using the affected product. The vulnerability, rated with a CVSS score of 7.2, stems from improper input validation and impacts EPMM versions preceding 12.6.1.1, 12.7.0.1, and 12.8.0.1.
The critical nature of CVE-2026-6973 was underscored by its immediate inclusion in the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. This addition requires Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches by May 10, 2026, highlighting the urgency for widespread remediation.
Ivanti EPMM Vulnerability Exploited in the Wild
According to Ivanti’s advisory, the improper input validation vulnerability (CVE-2026-6973) allows a remotely authenticated user with administrative privileges to achieve remote code execution. While Ivanti confirmed it is aware of a “very limited number of customers” being exploited, the company emphasized that successful exploitation requires administrative authentication. It also noted that organizations that followed earlier recommendations to rotate credentials after the exploitation of CVE-2026-1281 and CVE-2026-1340 face significantly reduced risk from this latest threat.
Details regarding the actors behind these exploitation attempts, the success rate of these attacks, or their ultimate objectives remain undisclosed. This lack of information adds an element of uncertainty for affected entities, prompting swift action to mitigate potential damage. The exploitation of network security products like Ivanti’s EPMM underscores the ongoing challenges in securing complex enterprise environments.
Multiple Vulnerabilities Patched by Ivanti
In addition to the actively exploited CVE-2026-6973, Ivanti has also addressed four other security flaws within its EPMM product. These include:
- CVE-2026-5786 (CVSS score: 8.8): This improper access control vulnerability enables remote authenticated attackers to gain administrative access.
- CVE-2026-5787 (CVSS score: 8.9): An improper certificate validation flaw that could allow remote unauthenticated attackers to impersonate registered Sentry hosts and acquire valid CA-signed client certificates.
- CVE-2026-5788 (CVSS score: 7.0): Another improper access control issue, permitting remote unauthenticated attackers to invoke arbitrary methods.
- CVE-2026-7821 (CVSS score: 7.4): This improper certificate validation vulnerability allows remote unauthenticated attackers to enroll devices from a restricted set of unenrolled devices. This could lead to information disclosure about the EPMM appliance and compromise the integrity of newly enrolled device identities.
Ivanti clarified that these vulnerabilities are exclusive to the on-premises version of EPMM. The company assured users that Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, as well as Ivanti EPM (a distinct product with a similar name), Ivanti Sentry, and all other Ivanti products are unaffected by these specific issues.
The ongoing discovery and exploitation of vulnerabilities in endpoint management solutions like Ivanti’s EPMM highlight the persistent cat-and-mouse game between cybersecurity vendors and malicious actors. Organizations are urged to apply the latest patches and security configurations promptly. The rapid inclusion of CVE-2026-6973 in the CISA KEV catalog serves as a stark reminder to maintain vigilance and prioritize the security of critical management infrastructure. The next expected step for FCEB agencies is to confirm the implementation of fixes by the May 10, 2026 deadline.
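For teams checking an inventory against the fixed builds listed above, the following is an added example (not Ivanti's tooling or code from the advisory) showing why the comparison has to be made per release branch rather than against a single version number. It assumes each fixed build applies to its own major.minor branch, that builds older than 12.6 have no fix on their branch, and that the hostnames and versions in the sample are constructed.

```python
"""Triage EPMM versions against the fixed builds named in the article."""
import re

# Fixed builds from the article, keyed by (major, minor) branch (assumed mapping).
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}
OLDEST_BRANCH = min(FIXED)


def parse_version(text):
    """Return a 4-tuple of ints, padding missing components with zero."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){1,3})(?:[-\s].*)?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version_text):
    """Map a reported version to 'vulnerable', 'patched' or 'unknown'."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unknown"
    branch = v[:2]
    if branch in FIXED:
        # Compare only against the fix for this branch: 12.7.0.1 is patched
        # even though it sorts below 12.8.0.1.
        return "patched" if v >= FIXED[branch] else "vulnerable"
    if branch < OLDEST_BRANCH:
        return "vulnerable"  # precedes every fixed build listed
    return "unknown"  # newer branch than the article covers: do not guess


def triage(inventory):
    """Group host -> version pairs by status, hosts sorted by name."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        result[classify(version)].append(host)
    return result


# Constructed sample inventory (illustrative hostnames and versions).
SAMPLE = {
    "epmm-a.example.internal": "12.6.1.1", "epmm-b.example.internal": "12.7.0.0",
    "epmm-c.example.internal": "12.8.0.1", "epmm-d.example.internal": "12.5.0.3",
    "epmm-e.example.internal": "12.9.0.0", "epmm-f.example.internal": "12.6.1",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" need a manual check against the vendor advisory rather than being treated as safe.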

