CVE-2026-6973: A High-Severity Remote Code Execution Vulnerability
Ivanti has warned customers to patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM), tracked as CVE-2026-6973, which is being exploited in zero-day attacks. The vulnerability stems from an Improper Input Validation weakness that allows remote attackers with administrative privileges to execute arbitrary code on targeted systems running EPMM 12.8.0.0 and earlier.
Mitigation and Affected Products
To mitigate the zero-day, Ivanti advises customers to upgrade to Ivanti EPMM 12.6.1.1, 12.7.0.1, or 12.8.0.1, to review accounts with Admin rights, and to rotate those credentials where necessary. The issues only affect the on-prem EPMM product and are not present in Ivanti Neurons for MDM (Ivanti's cloud-based unified endpoint management solution), Ivanti EPM, Ivanti Sentry, or any other Ivanti products.
According to internet security watchdog Shadowserver, over 850 IP addresses with Ivanti EPMM fingerprints are exposed online, with most of them from Europe (508) and North America (182). However, there is no information on how many of them have already been patched against attacks exploiting the CVE-2026-6973 vulnerability.
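A defender triaging an EPMM fleet against this advisory needs to map each appliance's reported version onto the three branch-specific fixed builds named above (12.6.1.1, 12.7.0.1, 12.8.0.1). The following is an added example, not code from Ivanti or from the original article; the hostnames and versions in the inventory are constructed, and it assumes that any build newer than 12.8.0.1 carries the fix.

```python
"""Patch-status triage for the Ivanti EPMM advisory (CVE-2026-6973).

Fixed builds per release branch come from the advisory summary; every
12.8.0.0-and-earlier build is affected. Inventory data is constructed.
"""
from __future__ import annotations

# Fixed builds per release branch, keyed by (major, minor).
FIXED_BUILDS = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}
LATEST_FIXED = (12, 8, 0, 1)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.7.0.1' into (12, 7, 0, 1); pad shorter strings with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def triage(version: str) -> str:
    """Return 'patched', 'update-in-branch', or 'upgrade-required'."""
    v = parse_version(version)
    if v > LATEST_FIXED:
        return "patched"  # assumption: later builds include the fix
    fix = FIXED_BUILDS.get(v[:2])
    if fix is None:
        # Branch with no fixed build (e.g. 12.5.x): move to a fixed branch.
        return "upgrade-required"
    return "patched" if v >= fix else "update-in-branch"


def triage_inventory(inventory: dict[str, str]) -> dict[str, str]:
    """Map hostname -> patch status for a hostname -> version inventory."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed sample inventory: hostname -> reported EPMM version.
SAMPLE_INVENTORY = {
    "epmm-eu-01": "12.8.0.0",
    "epmm-eu-02": "12.8.0.1",
    "epmm-na-01": "12.6.1.0",
    "epmm-na-02": "12.7.0.1",
    "epmm-lab-01": "12.5.2.0",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:10} {status}")
```

Hosts reported as update-in-branch or upgrade-required are the ones whose Admin-role accounts the advisory's credential-rotation guidance applies to.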
Additional Vulnerabilities Patched
Ivanti also patched four other high-severity EPMM vulnerabilities (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821) that can allow attackers to gain admin access, impersonate registered Sentry hosts to obtain valid CA-signed client certificates, invoke arbitrary methods, and gain access to restricted information. However, the company said it has no evidence that these flaws have been exploited in the wild.
Previous Exploitations and Affected Customers
In January, Ivanti disclosed two other critical EPMM code-injection vulnerabilities (CVE-2026-1281 and CVE-2026-1340) that were exploited in zero-day attacks affecting a very limited number of customers. Customers who followed Ivanti's January recommendation to rotate credentials after being exploited through CVE-2026-1281 and CVE-2026-1340 face a significantly reduced risk of exploitation via CVE-2026-6973.
In April, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) gave U.S. government agencies 4 days to secure their systems against CVE-2026-1340 attacks. Multiple other Ivanti EPMM zero-days have been exploited in attacks in recent years to breach a wide range of targets, including government agencies worldwide. In total, CISA has flagged 33 Ivanti vulnerabilities as exploited in the wild, 12 of which were also abused by various ransomware operations.
Ivanti's Customer Base and Security Measures
Ivanti provides IT asset management products to more than 40,000 customers through a network of over 7,000 partners worldwide. The company's products are widely used, and the exploitation of these vulnerabilities can have significant consequences. It is essential for customers to prioritize patching and take necessary security measures to protect their systems.
- CVE-2026-6973: Remote code execution vulnerability in EPMM
- CVE-2026-5786: Vulnerability allowing attackers to gain admin access
- CVE-2026-5787: Vulnerability allowing attackers to impersonate registered Sentry hosts
- CVE-2026-5788: Vulnerability allowing attackers to invoke arbitrary methods
- CVE-2026-7821: Vulnerability allowing attackers to gain access to restricted information
Ivanti's warning and the patching of these vulnerabilities highlight the importance of prioritizing security and taking proactive measures to protect against potential threats. Customers should review their systems and take necessary actions to mitigate the risks associated with these vulnerabilities.
"At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation. We are not aware of any customers being exploited by the other vulnerabilities disclosed today."
Ivanti's statement emphasizes the need for customers to be vigilant and take immediate action to protect their systems.
Source: BleepingComputer