Cybersecurity company Ivanti has warned customers about a newly discovered security vulnerability in its Endpoint Manager Mobile (EPMM) software that is already being exploited in real-world attacks. The flaw, tracked as CVE-2026-6973, could allow attackers with administrative access to execute malicious code remotely and gain full control over vulnerable systems.
The security issue has received a CVSS severity score of 7.2, making it a high-severity vulnerability that organizations should address immediately. According to Ivanti, the flaw affects on-premises versions of EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.
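The version boundary above can be applied to a server inventory. This is an added example, not Ivanti's code or tooling: it assumes each fixed build applies to its own 12.x release branch and that older branches with no listed fix are vulnerable. The host names and version strings are constructed.

```python
import re

# Fixed builds named in the article, keyed by (major, minor) release branch.
# Mapping each fix to its own branch is an assumption of this example.
FIXED_BUILDS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}

def parse_version(text):
    """Parse '12.7.0.0' (optionally followed by a build tag) into a 4-tuple."""
    m = re.match(r"^\s*(\d+(?:\.\d+){1,3})", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))  # pad short versions: 12.8 -> 12.8.0.0
    return tuple(parts)

def assess(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one on-prem EPMM version."""
    v = parse_version(version_text)
    branch = v[:2]
    fixed = FIXED_BUILDS.get(branch)
    if fixed is not None:
        return "patched" if v >= fixed else "vulnerable"
    if branch < min(FIXED_BUILDS):
        # Older branch with no fixed build listed: still "before" every fix.
        return "vulnerable"
    # Newer branch than any the article names: confirm against the advisory.
    return "unknown"

# Constructed inventory (hypothetical hosts and versions, for illustration only).
INVENTORY = {
    "epmm-01.example.internal": "12.5.0.2",
    "epmm-02.example.internal": "12.6.1.0",
    "epmm-03.example.internal": "12.7.0.1 Build 4",
    "epmm-04.example.internal": "12.8",
}

def triage(inventory):
    """Map each host to its assessment so unpatched servers can be prioritised."""
    return {host: assess(version) for host, version in inventory.items()}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {INVENTORY[host]} -> {status}")
```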
The vulnerability is caused by improper input validation in Ivanti EPMM. Successful exploitation allows a remotely authenticated attacker with administrator privileges to achieve remote code execution (RCE) on the targeted server.
Remote code execution vulnerabilities are considered highly dangerous because they enable threat actors to run arbitrary commands on compromised systems. In enterprise environments, this can lead to data theft, malware deployment, espionage, or even full network compromise.
Ivanti confirmed that the flaw has already been exploited in a “very limited number” of attacks in the wild. However, the company did not reveal the identities of the attackers or whether the attacks resulted in successful breaches.
In its official advisory, Ivanti stated:
“We are aware of a very limited number of customers exploited with CVE-2026-6973.”
The company also noted that organizations that previously followed its January 2026 guidance to rotate credentials after the exploitation of earlier vulnerabilities may have significantly reduced risk from this latest threat.
Ivanti referenced earlier security flaws, including CVE-2026-1281 and CVE-2026-1340, which were previously exploited by attackers.
The company recommended that organizations exposed to those earlier attacks rotate credentials immediately. This step helps prevent attackers from reusing stolen administrative credentials to exploit the newly disclosed vulnerability.
The latest development once again highlights how attackers continue to target enterprise device management solutions because they often provide access to sensitive corporate data and connected endpoints.
The seriousness of the issue prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
The KEV catalog is maintained by CISA to track security flaws actively exploited by threat actors. Inclusion in the catalog signals that organizations should prioritize patching immediately.
CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply security updates by May 10, 2026.
The agency’s action indicates growing concern over the exploitation of Ivanti vulnerabilities, which have repeatedly become targets for cybercriminals and nation-state threat groups in recent years.
Alongside CVE-2026-6973, Ivanti also released fixes for four additional vulnerabilities affecting EPMM systems.
CVE-2026-5786 carries a CVSS score of 8.8 and stems from improper access control. The flaw could allow a remote authenticated attacker to gain administrative access to the system.
CVE-2026-5787 has a severity score of 8.9 and is considered critical. The vulnerability allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates.
This could potentially enable attackers to bypass trust mechanisms and intercept sensitive communications.
CVE-2026-5788 received a CVSS score of 7.0. The flaw may allow remote unauthenticated attackers to invoke arbitrary methods on affected systems.
Such vulnerabilities can be dangerous because they may provide attackers with unexpected access to application functionality.
CVE-2026-7821 carries a CVSS score of 7.4. It allows remote unauthenticated attackers to enroll restricted devices and potentially disclose sensitive information about the EPMM appliance.
The flaw may also impact the integrity of newly enrolled device identities.
Ivanti clarified that the vulnerabilities only impact the on-premises version of Endpoint Manager Mobile.
The company confirmed that the following products are not affected:
- Ivanti Neurons for MDM
- Ivanti EPM
- Ivanti Sentry
- Other Ivanti products
This means organizations using Ivanti’s cloud-based management solutions are not vulnerable to these specific flaws.
Security experts recommend that all organizations using affected versions of Ivanti EPMM apply patches immediately. Since active exploitation has already been observed, delaying updates could expose networks to serious compromise.
Organizations should also:
- Rotate all administrative credentials
- Review authentication logs for suspicious activity
- Monitor EPMM servers for unauthorized access
- Restrict administrative access where possible
- Conduct threat hunting for signs of compromise
Given the increasing number of attacks targeting remote management and endpoint management platforms, businesses should treat these vulnerabilities as a high-priority security risk.
The latest Ivanti EPMM vulnerabilities serve as another reminder that enterprise management systems remain attractive targets for attackers seeking deep access into corporate environments.