Critical Zero-Day Vulnerabilities in Ivanti EPMM Exploited

Severity: High (Score: 75.8)

Sources: hub.ivanti.com, www.theregister.com, www.ivanti.com, Cybersecuritynews, Bleepingcomputer

Summary

Ivanti has disclosed multiple critical vulnerabilities in its Endpoint Manager Mobile (EPMM) product, including CVE-2026-6973, which is actively exploited and requires admin authentication for successful attacks. The vulnerabilities affect on-premises EPMM versions 12.8.0.0 and earlier. Customers are urged to patch immediately, as the flaws could allow remote code execution and unauthorized access to sensitive data. Additional vulnerabilities (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821) were also patched, but there is no evidence of their exploitation. Ivanti's advisory highlights the importance of credential rotation to mitigate risks. The vulnerabilities are part of a concerning trend of zero-day exploits targeting Ivanti products, with CISA tracking multiple instances of exploitation in the wild. Key Points: • CVE-2026-6973 is actively exploited and requires admin authentication for attacks. • Ivanti urges immediate patching for on-premises EPMM versions 12.8.0.0 and earlier. • Multiple other vulnerabilities were patched, but no exploitation evidence exists for them.

Key Entities

• Zero-day Exploit (attack_type)
• Fortinet (company)
• Ivanti (company)
• CVE-2026-1281 (cve)
• CVE-2026-1340 (cve)
• CVE-2026-5786 (cve)
• CVE-2026-5787 (cve)
• CVE-2026-5788 (cve)
• CWE-20 - Improper Input Validation (cwe)
• Government (industry)
• T1021 - Remote Services (mitre_attack)
• T1059.004 - Unix Shell (mitre_attack)
• T1190 - Exploit Public-Facing Application (mitre_attack)
• T1505.003 - Web Shell (mitre_attack)
• Android (platform)
• Apache (platform)
• Apple Device Enrollment (platform)
• Ivanti EPM (platform)
• Ivanti Neurons For MDM (platform)