CVE-2026-6973 Zero-Day Vulnerability in Ivanti EPMM
Attackers are targeting Ivanti customers by exploiting a zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), a product that has repeatedly been attacked. Ivanti has warned customers that attackers have successfully exploited CVE-2026-6973, an improper input validation flaw that allows an authenticated user with administrative privileges to execute code remotely.
An Ivanti spokesperson said that, at the time of disclosure, the company was aware of very limited in-the-wild exploitation of CVE-2026-6973, which requires authenticated administrative access to exploit. The company did not say when exploitation began or how many customers have been affected.
Additional Vulnerabilities Disclosed
Ivanti also disclosed four additional high-severity vulnerabilities in the same product, among them CVE-2026-5787, CVE-2026-5788 and CVE-2026-7821, none of which has been exploited in the wild. The company says it found these flaws through internal detection processes supported by advanced AI, customer collaboration and responsible disclosure.
One of the flaws was discovered and responsibly reported to Ivanti by a former employee. The company suggests that at least one of the root causes behind the latest zero-day's exploitation may be traced to lingering risk from a pair of separate, critical zero-days (CVE-2026-1281 and CVE-2026-1340) that were exploited starting in late January.
Impact and Mitigation
The fallout from those exploited vulnerabilities in Ivanti EPMM had spread to nearly 100 victims by early February, including the Dutch Data Protection Authority and the Council for the Judiciary in the Netherlands. Because the latest EPMM zero-day requires authenticated administrative access to exploit, customers who followed Ivanti's January recommendation to rotate EPMM credentials are at significantly reduced risk: administrative credentials harvested during the earlier campaign are of no use to an attacker once they have been rotated.
Caitlin Condon, vice president of security research at VulnCheck, said the administrative privileges required to exploit CVE-2026-6973 indicate it was possibly exploited as part of an attack chain relying on another method for initial access. No attribution has been shared for the exploitation of CVE-2026-6973, but the two other 2026 CVEs in Ivanti EPMM (CVE-2026-1281 and CVE-2026-1340) have been exploited by a range of threat actors, including China- and Iran-attributed groups.
Ivanti's Response and Transparency
Ivanti Chief Security Officer Daniel Spicer said the company’s transparency partly explains the high number of vulnerabilities reported and disclosed in its products. The company maintains that it is trying to consistently improve the security of its products through continued investment in its product security program, including the use of advanced AI paired with human verification.
The Cybersecurity and Infrastructure Security Agency has flagged 34 Ivanti defects on its known exploited vulnerabilities catalog since late 2021. At least 22 defects across Ivanti products have been exploited in the past two years, including five vulnerabilities in Ivanti EPMM in the last year.
Ivanti has released patches for all five vulnerabilities, including the four additional flaws that it says have not been exploited in the wild. The company suggests that customers who were not affected by the earlier vulnerabilities are at much lower risk.
- CVE-2026-6973: Zero-day improper input validation vulnerability in Ivanti EPMM, exploited in the wild; requires authenticated administrative access to exploit and allows remote code execution.
- CVE-2026-5787: High-severity vulnerability in Ivanti EPMM that has not been exploited in the wild.
- CVE-2026-5788: High-severity vulnerability in Ivanti EPMM that has not been exploited in the wild.
- CVE-2026-7821: High-severity vulnerability in Ivanti EPMM that has not been exploited in the wild.
Source: CyberScoop