VYPR
patch · Published May 8, 2026 · Updated May 18, 2026 · 1 source

Ivanti Patches EPMM Zero-Day Exploited in Targeted Attacks

Ivanti has patched a high-severity zero-day vulnerability in Endpoint Manager Mobile (EPMM) that was exploited in targeted attacks, likely chained with previously disclosed flaws.

Ivanti on Thursday released security updates for its Endpoint Manager Mobile (EPMM) product, addressing five vulnerabilities including a zero-day exploited in targeted attacks. The exploited flaw, tracked as CVE-2026-6973, is a high-severity improper input validation issue that allows an authenticated attacker with admin privileges to achieve remote code execution. Ivanti stated that it is aware of a 'very limited number of customers' being targeted in attacks exploiting this vulnerability.

The vendor noted that customers who rotated credentials after earlier zero-days (CVE-2026-1281 and CVE-2026-1340) face reduced risk, suggesting that CVE-2026-6973 may have been chained with those unauthenticated RCE flaws. CVE-2026-1281 and CVE-2026-1340 were initially leveraged in targeted zero-day attacks, but exploitation surged shortly after their disclosure. This pattern indicates that attackers may be combining multiple vulnerabilities to gain complete control of targeted MDM infrastructure.

Ivanti has not shared specific details about the threat actors behind the attacks, but Chinese state-sponsored groups are often suspected in zero-day attacks targeting Ivanti products. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-6973 to its Known Exploited Vulnerabilities (KEV) catalog on Thursday, requiring federal agencies to patch by May 10. CISA's KEV list now includes 34 Ivanti product vulnerabilities, highlighting the vendor's ongoing struggle with zero-day exploits.

The remaining four vulnerabilities patched in this update—CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821—have not been exploited in the wild. These flaws could allow privilege escalation, client certificate theft, arbitrary method invocation, and information disclosure. Ivanti's advisory emphasizes that customers who followed earlier credential rotation recommendations are better protected against CVE-2026-6973.

This incident underscores the importance of timely patching and credential hygiene, especially for organizations using mobile device management solutions. Ivanti has faced repeated zero-day attacks in recent years, with threat actors frequently chaining multiple vulnerabilities to maximize impact. The inclusion of CVE-2026-6973 in CISA's KEV catalog signals the urgency for federal agencies and enterprises to apply the latest updates immediately.

Synthesized by Vypr AI