CVE‑2026‑6973 in Ivanti EPMM Actively Abused for RCE and Elevated Privileges

Ivanti has issued a warning about a newly identified security issue affecting its Endpoint Manager Mobile (EPMM) platform, noting that the vulnerability has already been exploited in a limited number of real‑world attacks.

The flaw, tracked as CVE‑2026‑6973 with a CVSS score of 7.2, stems from improper input validation and impacts EPMM versions released prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. According to Ivanti, exploitation of this weakness allows a remotely authenticated attacker with administrative privileges to execute arbitrary code on affected systems.

In its advisory, Ivanti emphasized that while only a small number of customers have been impacted so far, the vulnerability has been actively abused in the wild. The company further clarified that successful exploitation requires valid administrative credentials. However, organizations that previously followed earlier guidance to reset credentials after exposures related to CVE‑2026‑1281 and CVE‑2026‑1340 are considered to have significantly reduced exposure to this latest issue.

At this time, Ivanti has not disclosed details regarding the identity of the attackers, the scale of the compromises, or the specific objectives behind the observed activity.

Inclusion in CISA KEV Catalog

Due to confirmed exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE‑2026‑6973 to its Known Exploited Vulnerabilities (KEV) catalog. As a result, Federal Civilian Executive Branch (FCEB) agencies are required to remediate the issue by May 10, 2026 under federal security guidelines.

Additional vulnerabilities patched

Alongside CVE‑2026‑6973, Ivanti also addressed four additional security weaknesses in EPMM:

  • CVE‑2026‑5786 (CVSS 8.8): An access control flaw that could enable a remotely authenticated attacker to obtain administrative privileges.
  • CVE‑2026‑5787 (CVSS 8.9): A certificate validation issue allowing unauthenticated attackers to impersonate trusted Sentry hosts and obtain valid, certificate authority‑signed credentials.
  • CVE‑2026‑5788 (CVSS 7.0): A vulnerability permitting unauthenticated attackers to invoke arbitrary methods due to insufficient access controls.
  • CVE‑2026‑7821 (CVSS 7.4): A certificate validation weakness that could allow unauthorized device enrollment, potentially exposing sensitive information and compromising device identity integrity.

Scope of impact

Ivanti confirmed that these vulnerabilities are limited to on‑premises deployments of EPMM. They do not affect other Ivanti offerings, including Ivanti Neurons for MDM (cloud‑based), Ivanti Endpoint Manager (EPM), Ivanti Sentry, or other related products.


Key takeaway

While exploitation appears limited, the presence of an actively abused vulnerability requiring administrative access highlights the importance of:

  • Prompt patching
  • Credential hygiene (especially password rotation after prior incidents)
  • Close monitoring of administrative activity

Organizations using on‑prem EPMM systems are strongly advised to apply updates immediately and review access controls to mitigate potential risk.
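
To prioritize patching, the fixed builds named above can be checked against an inventory one release branch at a time. The following is an added example, not code from Ivanti or from the original article; it assumes version strings are dotted numeric, that each fixed build patches only its own branch, and it uses constructed hostnames and versions.

```python
import re

# Fixed builds from the article, keyed by release branch (major, minor).
# Assumption: each fixed build patches its own branch only.
FIXED = {(12, 6): (12, 6, 1, 1), (12, 7): (12, 7, 0, 1), (12, 8): (12, 8, 0, 1)}


def parse_version(text):
    """Return a 4-part version tuple, or None if the string is not dotted numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def triage(version_text):
    """Classify one on-prem EPMM version string."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"        # check by hand; never assume patched
    branch = v[:2]
    if branch in FIXED:
        # Compare within the branch: 12.7.0.0 is newer than 12.6.1.1 yet unpatched.
        return "patched" if v >= FIXED[branch] else "vulnerable"
    if branch < min(FIXED):
        return "vulnerable"     # older branch, no fixed build listed for it
    return "verify"             # newer branch than the article covers


# Constructed inventory (hostnames and versions are sample data).
INVENTORY = {
    "epmm-a.example.internal": "12.6.1.0",
    "epmm-b.example.internal": "12.7.0.1",
    "epmm-c.example.internal": "12.5.0.2",
    "epmm-d.example.internal": "12.8",
    "epmm-e.example.internal": "12.7.0.0",
    "epmm-f.example.internal": "n/a",
}


def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(report(INVENTORY).items()):
        print(f"{host:28} {status}")
```

Hosts reported as "unknown" or "verify" need a manual check against Ivanti's advisory rather than being treated as patched.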
