Ivanti is warning that a new security flaw affecting Endpoint Manager Mobile (EPMM) has been exploited in a limited number of attacks in the wild.
The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is an improper input validation issue affecting EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1.
“This allows a remotely authenticated user with administrative access to achieve remote code execution,” Ivanti said in an advisory issued today.
“We are aware of a very limited number of customers who were exploited with CVE-2026-6973. Successful exploitation requires administrator authentication. If customers who were exploited with CVE-2026-1281 and CVE-2026-1340 followed Ivanti’s recommendation in January to rotate credentials, your risk of exploitation with CVE-2026-6973 is significantly lower.”
It is currently not known who is behind the exploit attempts, whether any of those attacks were successful, and what the ultimate goals of the attacks were.
The development has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal civilian executive branch (FCEB) agencies to implement fixes by May 10, 2026.
Ivanti also fixed four other bugs in EPMM:
- CVE-2026-5786 (CVSS score: 8.8) – An improper access control vulnerability that allows a remote authenticated attacker to gain administrative access.
- CVE-2026-5787 (CVSS Score: 8.9) – An improper certificate validation vulnerability that allows a remote unauthenticated attacker to impersonate a registered Sentry host and obtain a valid CA-signed client certificate.
- CVE-2026-5788 (CVSS score: 7.0) – An improper access control vulnerability that allows a remote unauthenticated attacker to execute arbitrary methods.
- CVE-2026-7821 (CVSS Score: 7.4) – An improper certificate validation vulnerability that allows a remote unauthenticated attacker to enroll a device that belongs to a restricted set of arbitrary devices, thereby disclosing information about the EPMM device and compromising the integrity of the newly enrolled device identity.
“The issues only affect the on-premises EPMM product, and do not exist in Ivanti Neurons for MDM, Ivanti’s cloud-based integrated endpoint management solution, Ivanti EPM (a similar name, but separate product), Ivanti Sentry, or any other Ivanti products,” the company said.