Ivanti Warns of Actively Exploited Zero-Day Flaw in Endpoint Manager Mobile
- Sara Montes de Oca

- 19 hours ago
Ivanti has urged customers to immediately patch a high-severity remote code execution vulnerability in its Endpoint Manager Mobile product after confirming the flaw is being exploited in zero-day attacks.
The vulnerability, tracked as CVE-2026-6973, stems from an improper input validation weakness in EPMM versions 12.8.0.0 and earlier. It allows remote attackers with administrative privileges to execute arbitrary code on affected systems, according to the company.
"At the time of disclosure, we are aware of very limited exploitation of CVE-2026-6973, which requires admin authentication for successful exploitation. We are not aware of any customers being exploited by the other vulnerabilities disclosed today," Ivanti said in a statement.
The company said customers can address the zero-day by upgrading to EPMM versions 12.6.1.1, 12.7.0.1, or 12.8.0.1. Ivanti also advised administrators to audit accounts with administrative rights and rotate those credentials as a precaution.
Internet security watchdog Shadowserver is currently tracking more than 850 IP addresses with Ivanti EPMM fingerprints exposed online. The majority of those exposures are concentrated in Europe, at 508, with an additional 182 in North America. It remains unclear how many of those instances have already been patched.
Ivanti stressed that the vulnerability affects only its on-premises EPMM product. Its cloud-based solution, Ivanti Neurons for MDM, as well as Ivanti Sentry, Ivanti EPM, and other products in the company's portfolio are not affected.
Alongside the zero-day disclosure, Ivanti also patched four additional high-severity EPMM flaws — CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821 — that could allow attackers to gain administrative access, impersonate registered Sentry hosts, invoke arbitrary methods, and access restricted information. The company said it has no evidence that any of those four have been exploited in the wild. CVE-2026-7821, which can be exploited without any privileges, affects only users who have configured Apple Device Enrollment.
Thursday's disclosure follows a pattern of repeated EPMM vulnerabilities being weaponized against high-value targets. In January, Ivanti disclosed two other critical EPMM code-injection flaws — CVE-2026-1281 and CVE-2026-1340 — that were exploited in zero-day attacks affecting what the company described as a "very limited number of customers."
In April, the U.S. Cybersecurity and Infrastructure Security Agency gave federal agencies just four days to secure their systems against attacks exploiting CVE-2026-1340.
"If customers followed Ivanti's recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced," the company said.
CISA has flagged 33 Ivanti vulnerabilities as exploited in the wild over the years, 12 of which were also leveraged by ransomware operations. Ivanti serves more than 40,000 customers across a partner network of over 7,000 organizations worldwide.
The recurring exploitation of Ivanti EPMM vulnerabilities — spanning government agencies and enterprises across multiple continents — underscores growing pressure on the company to harden its on-premises products, and on security teams to prioritize credential hygiene and rapid patching cycles as attackers continue to target mobile device management infrastructure.


