Ivanti EPMM CVE-2026-6973 Exploited in Limited Attacks, Enables Admin-Level Remote Code Execution


Ivanti has issued a security advisory warning that a newly identified vulnerability in Endpoint Manager Mobile (EPMM) is being exploited in limited real-world attacks. The flaw, tracked as CVE-2026-6973 with a CVSS score of 7.2, stems from improper input validation in Ivanti EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1. According to the advisory, successful exploitation allows a remote, authenticated user with administrative access to achieve remote code execution on the affected appliance. Although exploitation requires admin-level authentication, Ivanti confirmed that a very small number of customers have already been impacted by exploitation attempts involving this issue.
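The advisory names a separate fixed build per supported branch, so "am I affected?" is a per-branch comparison rather than a single threshold. The triage helper below is an added example, not Ivanti tooling: the three fixed versions come from the advisory text above, while the branch-matching logic, the `unlisted` result for branches the advisory does not name (for example 12.5.x), and the constructed inventory are assumptions made for illustration.

```python
"""Triage helper for the EPMM fixed builds named in the advisory.

Added example, not Ivanti's own code. Only the three fixed version
strings are taken from the advisory; the rest is assumed for illustration.
"""

from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

# Fixed builds per branch, from the advisory. A "branch" is the first two
# version components; any build in that branch below the fixed build is
# treated as affected by CVE-2026-6973.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}


def parse_version(s: str) -> Version:
    """Parse '12.7.0.1' into (12, 7, 0, 1).

    Shorter strings are right-padded with zeros so '12.7' compares as
    12.7.0.0, which is below every fixed build in that branch.
    """
    parts = [int(p) for p in s.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected EPMM version format: {s!r}")
    padded = parts + [0] * (4 - len(parts))
    return (padded[0], padded[1], padded[2], padded[3])


def assess(version: str) -> str:
    """Classify one installed build.

    Returns 'affected' (below the branch's fixed build), 'fixed' (at or
    above it), or 'unlisted' (branch not named in the advisory; the
    advisory must be consulted rather than guessing).
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return "unlisted"
    return "affected" if v < fixed else "fixed"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> assessment for every EPMM appliance in an inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


def hosts_to_patch(inventory: Dict[str, str]) -> list:
    """Hosts that need action now: affected builds and unlisted branches."""
    return sorted(h for h, r in triage(inventory).items() if r != "fixed")


# Constructed sample inventory (hypothetical hostnames and builds).
SAMPLE_INVENTORY = {
    "epmm-prod-1": "12.7.0.0",   # below 12.7.0.1 -> affected
    "epmm-prod-2": "12.8.0.1",   # fixed build      -> fixed
    "epmm-dr":     "12.6.1.0",   # below 12.6.1.1 -> affected
    "epmm-lab":    "12.5.0.2",   # branch not named -> unlisted
}

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {SAMPLE_INVENTORY[host]:10s} {result}")
    print("patch now:", hosts_to_patch(SAMPLE_INVENTORY))
```

Treat `unlisted` as "needs a decision", not "safe": a branch the advisory does not name is either out of support or simply not mentioned in this summary, and either way the upgrade path should be confirmed against the vendor advisory rather than inferred from the version number.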

Ivanti stated that organizations which followed its earlier guidance in January to rotate credentials after the exploitation incidents linked to CVE-2026-1281 and CVE-2026-1340 may have reduced exposure to CVE-2026-6973. The reasoning is straightforward: because this flaw requires valid administrative credentials, an attacker who harvested EPMM admin credentials during the earlier incidents would already hold the prerequisite for exploiting it, and rotation removes that foothold. However, the company has not confirmed attribution for the exploitation activity, nor has it disclosed whether any of the observed attacks resulted in successful compromise or what the operational objectives of the threat actors might be. The limited visibility into attacker intent and success rate adds uncertainty for organizations running on-prem EPMM, particularly in environments where EPMM administrative credentials are reused or grant broader system access.

The active exploitation has prompted the U.S. Cybersecurity and Infrastructure Security Agency to add CVE-2026-6973 to its Known Exploited Vulnerabilities catalog. This designation requires Federal Civilian Executive Branch agencies to apply the available security updates by May 10, 2026.

In the same release Ivanti has also addressed four other vulnerabilities affecting EPMM. CVE-2026-5786, rated 8.8, is an improper access control flaw that enables a remote authenticated attacker to gain administrative access. CVE-2026-5787, rated 8.9, involves improper certificate validation that allows a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates. CVE-2026-5788, rated 7.0, allows a remote unauthenticated attacker to invoke arbitrary methods due to improper access control. CVE-2026-7821, rated 7.4, involves improper certificate validation that allows enrollment manipulation for a restricted set of unenrolled devices, leading to information disclosure and compromised device identity integrity. Note that CVE-2026-5786 chained with CVE-2026-6973 would remove the admin-credential prerequisite for code execution, which is why the lower-rated RCE should not be deprioritized on the strength of its authentication requirement alone.

Ivanti clarified that these vulnerabilities are limited to the on-premises EPMM product and do not affect Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM, despite the similar name), Ivanti Sentry, or any other Ivanti products. The distinction matters for enterprises operating mixed Ivanti deployments, as the cloud-based MDM offering and the other endpoint management products remain unaffected by this set of issues. The advisory emphasizes that organizations using affected on-prem EPMM versions should prioritize patching and credential hygiene, particularly where administrative access could be leveraged for remote code execution or certificate-based impersonation attacks.
