Ivanti Warns of New EPMM Flaw Exploited in Zero-Day Attacks

BleepingComputer, May 7, 2026

Why It Matters

The vulnerability exposes managed endpoints to arbitrary code execution, raising immediate risk for the 40,000+ Ivanti customers and underscoring the broader threat of unpatched on‑prem endpoint management solutions.

Key Takeaways

  • Ivanti patches CVE‑2026‑6973, a remote code execution flaw in EPMM.
  • Exploitation requires admin credentials; limited attacks reported so far.
  • Over 850 exposed EPMM IPs tracked, mainly Europe and North America.
  • Four additional high‑severity CVEs patched; no wild exploitation observed yet.
  • CISA has flagged 33 Ivanti vulnerabilities, 12 leveraged by ransomware.

Pulse Analysis

The latest security advisory from Ivanti spotlights CVE‑2026‑6973, a high‑severity remote code execution bug in Endpoint Manager Mobile (EPMM) affecting versions up to and including 12.8.0.0. The flaw stems from improper input validation and can only be triggered by an attacker who already holds administrative privileges on EPMM, which in practice means stolen, weak, or shared admin credentials are the precondition; once triggered it allows arbitrary code execution on managed devices. Ivanti recommends upgrading immediately to 12.6.1.1, 12.7.0.1, or 12.8.0.1, depending on the installed release branch, and urges administrators to review and rotate privileged accounts. Exploitation appears limited so far, but the vulnerability again underscores the attack surface of on‑prem endpoint management tools, whose admin consoles sit one credential away from every device they manage.
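The first practical question after an advisory like this is which EPMM hosts are still below the fixed build for their branch. The following is an added example, not Ivanti's tooling and not code from the article: it encodes the three fixed builds named above, compares each inventoried host against the fix for its own 12.x branch, and buckets the results. The inventory, hostnames, and builds are constructed sample data, and treating any branch other than 12.6, 12.7 and 12.8 as "move to a supported branch" is an assumption made here, not a statement from the advisory.

```python
"""Flag EPMM hosts still below the fixed build for their release branch.

Added example, not Ivanti's code. Fixed builds are the three named in the
advisory summary (12.6.1.1, 12.7.0.1, 12.8.0.1). The inventory below is a
constructed sample; the handling of branches outside those three is an
assumption.
"""
from typing import Dict, List, Tuple

# Minimum patched build per supported release branch, per the advisory summary.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.8.0.0' into (12, 8, 0, 0); pad shorter strings to four components."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected EPMM version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable', or 'unsupported-branch' for one build string."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        # Assumption: a build outside the three patched branches has no fixed
        # build of its own and must be moved onto a supported branch.
        return "unsupported-branch"
    # Tuple comparison is component-wise, so 12.8.0.0 < 12.8.0.1 as intended.
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by assessment so the 'vulnerable' bucket can be actioned first."""
    buckets: Dict[str, List[str]] = {
        "vulnerable": [],
        "unsupported-branch": [],
        "patched": [],
    }
    for host, version in sorted(inventory.items()):
        buckets[assess(version)].append(host)
    return buckets


# Constructed sample inventory: hostnames and builds are made up for illustration.
SAMPLE_INVENTORY = {
    "epmm-eu-01.example.internal": "12.8.0.0",
    "epmm-eu-02.example.internal": "12.8.0.1",
    "epmm-na-01.example.internal": "12.7.0.1",
    "epmm-na-02.example.internal": "12.6.0.0",
    "epmm-lab-01.example.internal": "12.5.0.1",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed `triage` the version strings from your own asset inventory rather than the sample; the point of keying the table by branch is that a 12.7 host on 12.7.0.0 is still vulnerable even though a higher-numbered 12.6.1.1 build exists, which a single "is it above X" comparison would get wrong.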

Ivanti’s disclosure arrives amid a growing catalog of flaws in its EPMM suite. Four additional high‑severity CVEs (CVE‑2026‑5786, CVE‑2026‑5787, CVE‑2026‑5788, and CVE‑2026‑7821) were patched in the same release, though none has been observed exploited in the wild. The company’s history of zero‑day incidents, most notably the January code‑injection bugs CVE‑2026‑1281 and CVE‑2026‑1340, has drawn scrutiny from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which has already issued emergency directives for several Ivanti vulnerabilities. To date, CISA has flagged 33 Ivanti issues, a dozen of them leveraged by ransomware gangs, which highlights how attractive the platform is to threat actors.

For enterprises that rely on on‑prem EPMM deployments, the advisory reinforces the need for rapid patching and strict credential hygiene. Because this flaw needs an administrative account, organizations should inventory EPMM admin accounts, remove any that are unused or shared, enforce multi‑factor authentication on the rest, and rotate their secrets, especially on systems that have previously been targeted. Shadowserver reports over 850 EPMM IPs reachable from the internet; an admin console that is exposed that way turns a credential leak into device‑wide code execution, so keeping the management interface off the public internet, segmenting it from the rest of the network, and monitoring it continuously are essential defenses. By integrating threat‑intelligence feeds and automating remediation workflows, IT teams can reduce dwell time and mitigate the recurring risk that Ivanti vulnerabilities pose to the device fleet these tools manage.
