
Ivanti has warned that a new security flaw affecting Endpoint Manager Mobile (EPMM) has been exploited in limited attacks in the wild.
The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation that affects EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1.
It allows “remote authenticated users with administrative access” to achieve remote code execution, Ivanti said in an advisory published today.
“We are aware that CVE-2026-6973 has been exploited in a very limited number of customers. Administrative authentication is required for successful exploitation. If customers follow Ivanti’s January recommendation to rotate credentials when CVE-2026-1281 and CVE-2026-1340 are exploited, the risk of CVE-2026-6973 being exploited is significantly reduced.”
At this time, it is unclear who is behind the exploits, whether those attacks were successful, and what the ultimate goal of the attacks was.
Following this development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and required Federal Civilian Executive Branch (FCEB) agencies to patch it by May 10, 2026.
Ivanti also patched four other flaws in EPMM:
CVE-2026-5786 (CVSS Score: 8.8) – Improper access control vulnerability allows remote authenticated attackers to gain administrative access.
CVE-2026-5787 (CVSS Score: 8.9) – Improper certificate validation vulnerability allows a remote unauthenticated attacker to impersonate a registered Sentry host and obtain a valid CA-signed client certificate.
CVE-2026-5788 (CVSS Score: 7.0) – Improper access control vulnerability that allows remote unauthenticated attackers to call arbitrary methods.
CVE-2026-7821 (CVSS Score: 7.4) – Improper certificate validation vulnerability allows a remote unauthenticated attacker to register a device that belongs to a restricted set of unregistered devices, leading to information disclosure about the EPMM appliance and impacting the integrity of newly registered device identities.
“This issue only affects the on-premises EPMM product and does not exist in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti EPM (a similar but different product), Ivanti Sentry, or any other Ivanti product,” the company said.
