HelpnetSecurity

Ivanti EPMM vulnerability exploited in zero-day attacks (CVE-2026-6973)


Ivanti has released fixes for 5 high-severity vulnerabilities in its Endpoint Manager Mobile (EPMM) solution, one of which (CVE-2026-6973) has been exploited as a zero-day by attackers.

“We are aware of a very limited number of customers exploited with CVE-2026-6973,” the company said in a security advisory published on Thursday.

About CVE-2026-6973

CVE-2026-6973 is caused by improper input validation and allows remote attackers with administrative privileges to execute arbitrary code on vulnerable instances.

“If customers followed Ivanti’s recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340, then your risk of exploitation from CVE-2026-6973 is significantly reduced,” the company added.

CVE-2026-1281 and CVE-2026-1340 were also exploited as zero-day vulnerabilities, i.e., before Ivanti was aware of them.

Subsequent reports revealed some of the targets: the European Commission, the Dutch Data Protection Authority (AP) and the Council for the Judiciary (Rvdr), and Valtori, Finland’s central government ICT service center.

The other fixed vulnerabilities

CVE-2026-6973 affects Ivanti EPMM versions 12.8.0.0 and prior, and has been fixed in versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.

These security updates also contain fixes for the other four vulnerabilities, which are at the moment not known to be exploited by attackers:

  • CVE-2026-5786 – an improper access control vulnerability exploitable by authenticated attackers and leading to elevation of privileges (to admin)
  • CVE-2026-5787 – an improper certificate control vulnerability exploitable without authentication and allowing an attacker to obtain valid CA-signed client certificates
  • CVE-2026-5788 – an improper access control vulnerability allowing a remote unauthenticated attacker to invoke arbitrary methods
  • CVE-2026-7821 – an improper certificate control vulnerability allowing a remote unauthenticated attacker to enroll a device, thus leading to information disclosure about the EPMM appliance and affecting the integrity of the newly enrolled device identity

“While CVE-2026-7821 is unauthenticated, if customers have not configured and are not using Apple Device Enrollment they are not at risk from this vulnerability,” the company added.

What to do?

Ivanti advised organizations running EPMM on-premises to:

  • Upgrade to a fixed version
  • Review accounts with admin rights and rotate those credentials

Though the vulnerabilities don’t affect Sentry – a gateway appliance that secures and manages traffic between mobile devices and backend enterprise systems – customers should also “review the security of the Sentry appliance at the same time as EPMM due to the dependency it has on the EPMM appliance and configuration.”

Unfortunately, there are currently no reliable atomic indicators of compromise that could be used to detect compromise via CVE-2026-6973.

The US Cybersecurity and Infrastructure Security Agency has added the vulnerability to its Known Exploited Vulnerabilities catalog, and ordered US federal civilian agencies to remediate it within three days.
