Back

Ivanti EPMM Zero-Day Vulnerability Exploited in Active Attacks

Severity: High (Score: 72.9)

Sources: hub.ivanti.com, Scworld, www.globalsecuritymag.fr, Cyberscoop, www.theregister.com

Summary

Ivanti has disclosed a zero-day vulnerability (CVE-2026-6973) in its Endpoint Manager Mobile (EPMM) product, which has been actively exploited by attackers. This flaw allows authenticated users with administrative privileges to execute arbitrary code remotely on affected systems. Ivanti issued patches for this and four other high-severity vulnerabilities on May 7, 2026. The vulnerability affects EPMM versions 12.8.0.0 and earlier. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this CVE to its list of exploited vulnerabilities and mandated federal agencies to patch their systems by May 10, 2026. Ivanti previously disclosed two critical vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in January 2026, which have also been exploited. The current exploitation requires administrative access, limiting the immediate impact but still posing significant risks to organizations that have not followed prior security recommendations. Key Points: • CVE-2026-6973 is a zero-day vulnerability in Ivanti EPMM, actively exploited since May 7, 2026. • The vulnerability allows remote code execution for authenticated users with admin privileges. • CISA has mandated federal agencies to patch affected systems by May 10, 2026.

Key Entities

  • Zero-day Exploit (attack_type)
  • Council For The Judiciary (company)
  • Dutch Data Protection Authority (company)
  • Fortinet (company)
  • Ivanti (company)
  • China (country)
  • Iran (country)
  • Netherlands (country)
  • CVE-2026-1281 (cve)
  • CVE-2026-1340 (cve)
  • CVE-2026-5786 (cve)
  • CVE-2026-5787 (cve)
  • CVE-2026-5788 (cve)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • CWE-20 - Improper Input Validation (cwe)
  • CWE-287 - Improper Authentication (cwe)
  • Cwe-295 - Improper Certificate Validation (cwe)
  • CWE-862 - Missing Authorization (cwe)
  • Government (industry)
  • T1021 - Remote Services (mitre_attack)
  • T1059.004 - Unix Shell (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • T1505.003 - Web Shell (mitre_attack)
  • Android (platform)
  • Apache (platform)
  • Apple Device Enrollment (platform)
  • Ivanti EPM (platform)
  • Ivanti Neurons For MDM (platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed