ZCyberNews

Ivanti EPMM Zero-Day CVE-2026-6973 Exploited in Limited Attacks

Ivanti warns CVE-2026-6973, a high-severity RCE in EPMM 12.8.0.0 and earlier, is under limited zero-day exploitation. Patches available; 850+ EPMM instances exposed online.

Executive Summary

Ivanti on May 7, 2026, disclosed that a high-severity remote code execution vulnerability in its Endpoint Manager Mobile (EPMM) product, tracked as CVE-2026-6973, is being exploited in limited zero-day attacks. The flaw, caused by improper input validation, allows an attacker with administrative privileges to execute arbitrary code on affected systems running EPMM 12.8.0.0 and earlier. Ivanti has released patches in versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 to address the issue. The company stated it is aware of "very limited exploitation" and that the vulnerability requires admin authentication to be exploited. Internet security monitoring group Shadowserver currently tracks over 850 IP addresses with Ivanti EPMM fingerprints exposed online, with the majority located in Europe (508) and North America (182). Ivanti also patched four additional high-severity EPMM vulnerabilities (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821) for which there is no evidence of in-the-wild exploitation.

Technical Analysis

CVE-2026-6973 is an improper input validation weakness in Ivanti EPMM that enables remote code execution. The vulnerability is rated high severity, though Ivanti has not published a CVSS score as of this writing. Successful exploitation requires the attacker to already possess administrative credentials on the target EPMM instance. This authentication requirement likely limits the attack surface to scenarios where admin accounts have been compromised through other means, such as credential stuffing, phishing, or prior breaches.

The flaw affects all on-premises deployments of Ivanti EPMM versions 12.8.0.0 and earlier. Ivanti explicitly stated that the issue does not affect its cloud-based unified endpoint management solution, Ivanti Neurons for MDM, nor Ivanti EPM (a separate product with a similar name), Ivanti Sentry, or any other Ivanti products.

Shadowserver's telemetry indicates that approximately 850 EPMM instances are internet-facing, though it is unclear how many have been patched. The geographic distribution — over half in Europe and roughly one-fifth in North America — suggests that organizations in these regions should prioritize patching. The number of exposed instances is notable given Ivanti's history of EPMM zero-days; the company disclosed two other critical EPMM code-injection vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in January 2026 that were also exploited in zero-day attacks against a "very limited number of customers." In April 2026, CISA ordered U.S. federal agencies to patch CVE-2026-1340 within four days.

Ivanti noted that customers who rotated credentials after the January incidents, as recommended, would have significantly reduced their risk from CVE-2026-6973. This suggests that the same administrative credentials may have been reused across multiple EPMM instances or that the January vulnerabilities could have exposed credentials that an attacker could leverage against CVE-2026-6973.

The four other vulnerabilities patched alongside CVE-2026-6973 are:

  • CVE-2026-5786: Could allow an attacker to gain admin access.
  • CVE-2026-5787: Could enable impersonation of registered Sentry hosts to obtain valid CA-signed client certificates.
  • CVE-2026-5788: Could allow invocation of arbitrary methods.
  • CVE-2026-7821: Could allow access to restricted information; notably, this flaw can be exploited by unauthenticated attackers, but only affects users who have configured Apple Device Enrollment.

Ivanti stated it has no evidence that any of these four additional vulnerabilities have been exploited in the wild.

Mitigations & Recommendations

Ivanti has released patched versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. Organizations running on-premises EPMM should apply the appropriate update immediately. Because CVE-2026-6973 requires administrative privileges to exploit, defenders should also audit all accounts with Admin rights on EPMM instances and rotate credentials for those accounts, particularly if the organization was affected by the January 2026 EPMM zero-days (CVE-2026-1281 and CVE-2026-1340). Ivanti's own guidance emphasizes that credential rotation following the January incidents reduces risk for CVE-2026-6973.
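A version triage helper for the affected/fixed builds listed above and in the Technical Analysis section, added here as an example (not Ivanti's or ZCyberNews's code). It shows why a plain "12.8.0.0 and earlier" comparison is not enough: 12.6.1.1 and 12.7.0.1 sort below 12.8.0.0 yet are patched, so the check must be branch-aware. It assumes, beyond what the page states, that any build at or above the fixed build in its branch is patched and that branches older than 12.6 have no in-branch fix; hostnames and versions in the sample inventory are constructed.

```python
# Version triage for CVE-2026-6973 (added example, not Ivanti's or ZCyberNews's
# code). Affected: on-prem EPMM 12.8.0.0 and earlier; fixed builds per the
# advisory: 12.6.1.1, 12.7.0.1, 12.8.0.1. A plain "<= 12.8.0.0" test would
# wrongly flag 12.6.1.1 and 12.7.0.1, so the check is branch-aware.
# Assumption (not on the page): any build at or above the fixed build in its
# branch is patched; branches before 12.6 have no fix and must be upgraded.

FIXED_BY_BRANCH = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
LAST_VULNERABLE = (12, 8, 0, 0)

def parse_version(text: str) -> tuple:
    """Parse 'a.b.c.d' into a comparable tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised EPMM version string: {text!r}")
    return tuple(int(p) for p in parts)

def triage(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-newer' for one version."""
    v = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return "patched" if v >= fixed else "vulnerable"
    if v <= LAST_VULNERABLE:
        return "vulnerable"   # pre-12.6 branch: no in-branch fix, upgrade
    return "unknown-newer"    # newer than the advisory covers; confirm with vendor

def triage_inventory(inventory: dict) -> dict:
    """Map host -> triage result; unparsable version strings are flagged."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = triage(version)
        except ValueError:
            result[host] = "unparsable"
    return result

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"mdm-eu-1": "12.6.1.1", "mdm-eu-2": "12.7.0.0",
              "mdm-na-1": "12.8.0.0", "mdm-lab": "12.5.0.2",
              "mdm-new": "12.9.0.0", "mdm-bad": "12.8"}
    for host, status in sorted(triage_inventory(sample).items()):
        print(f"{host:9} {sample[host]:9} {status}")
```

Anything reported as "vulnerable" or "unparsable" is a host to patch or inspect by hand, alongside the admin-account audit and credential rotation described above.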

For organizations that have not yet rotated credentials since January, this should be treated as an urgent step. Additionally, administrators should review EPMM access logs for signs of unauthorized administrative activity, especially from unexpected IP ranges. Given the Shadowserver data showing over 850 exposed EPMM instances, organizations should consider whether their EPMM management interfaces need to be internet-facing at all; reducing exposure to trusted networks can limit the attack surface.
